[6.1] Bug with Merge Requests
Created by: crazyscience
Summary: Basically, you can get into a situation where the Merge Request page shows a diff that's one thing, but upon approval, the merge request could be something completely different, and possibly malicious.
How to reproduce:
- Create a project w/ some commits
- Fork the project
- Make a commit on the forked repo
- Submit a merge request requesting to merge this new commit into the original repo
  This will be the diff displayed on the merge request page
- Make another commit on the forked repo
  This will be the commit that is actually going to be merged into the original
- Notice that the merge request page does not show this new commit
- Approve the merge request
- Gasp in horror as unapproved code is merged into the project
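
One way to guard against the behaviour reported above, as an added example that is not part of the original report or GitLab's code: record the commit SHA that was reviewed and refuse to merge if the fork's branch head has moved since. The throwaway repositories, the branch name `main` and the helper names `merge_if_reviewed` and `setup_demo` are assumptions made for the demo.

```sh
#!/bin/sh
# Added example (constructed repositories): merge only the commit that was reviewed.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# merge_if_reviewed TARGET SOURCE BRANCH REVIEWED_SHA  (hypothetical helper)
# Returns 0 after merging, 1 if the branch head moved since review, 2 on fetch error.
merge_if_reviewed() {
    target=$1 source_repo=$2 branch=$3 reviewed=$4
    git -C "$target" fetch -q "$source_repo" "$branch" || return 2
    current=$(git -C "$target" rev-parse FETCH_HEAD)
    if [ "$current" != "$reviewed" ]; then
        echo "refusing merge: head is $current, reviewed $reviewed" >&2
        return 1
    fi
    # Merge the reviewed SHA itself, not the branch name, so a later push cannot slip in.
    git -C "$target" merge -q --no-ff -m "Merge reviewed commit $reviewed" "$reviewed"
}

# setup_demo: builds upstream + fork as in the report; sets WORK and REVIEWED.
setup_demo() {
    WORK=$(mktemp -d) || return 2
    git init -q "$WORK/upstream"
    git -C "$WORK/upstream" symbolic-ref HEAD refs/heads/main
    echo base > "$WORK/upstream/file.txt"
    git -C "$WORK/upstream" add file.txt
    git -C "$WORK/upstream" commit -q -m "initial commit"
    git clone -q "$WORK/upstream" "$WORK/fork"
    echo reviewed >> "$WORK/fork/file.txt"
    git -C "$WORK/fork" commit -q -am "commit shown on the merge request page"
    REVIEWED=$(git -C "$WORK/fork" rev-parse HEAD)   # SHA recorded at review time
    echo unreviewed >> "$WORK/fork/file.txt"
    git -C "$WORK/fork" commit -q -am "commit added after the request was opened"
}

setup_demo
if merge_if_reviewed "$WORK/upstream" "$WORK/fork" main "$REVIEWED"; then
    echo "merged"
else
    echo "blocked: fork head no longer matches the reviewed diff"
fi
rm -rf "$WORK"
```

Comparing the fetched head with the reviewed SHA and then merging that SHA, rather than the branch name, keeps the check and the merge tied to the same commit.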