block /webhook/ on irc bot
the irc bot has /webhook/ wide open to the world right now, and without a password. block the /webhook/ route in nginx and restrict it to the gitlab host.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information