Skip to content

G
gitlab-ce
Commit 44584e0a authored by Gerrit Hannaert's avatar Gerrit Hannaert Committed by Achilleas Pipinellis
Browse files
Options

Update webhooks.md: damn browser or web IDE added 2 new whitespaces when... 

Update webhooks.md: damn browser or web IDE added 2 new whitespaces when fixing wrapping, removed whitespace again
parent e84dcf92
Hide whitespace changes
Inline Side-by-side
Showing with 12 additions and 7 deletions
doc/security/webhooks.md
View file @ 44584e0a
...@@ -9,19 +9,24 @@ local network, these may be vulnerable to exploitation via Webhooks. ...@@ -9,19 +9,24 @@ local network, these may be vulnerable to exploitation via Webhooks.
With [Webhooks](../user/project/integrations/webhooks.md), you and your project With [Webhooks](../user/project/integrations/webhooks.md), you and your project
maintainers and owners can set up URLs to be triggered when specific changes maintainers and owners can set up URLs to be triggered when specific changes
occur in your projects. Normally, these requests are sent to external web services occur in your projects. Normally, these requests are sent to external web
specifically set up for this purpose, that process the request and its attached services specifically set up for this purpose, that process the request and its
data in some appropriate way. attached data in some appropriate way.
Things get hairy, however, when a Webhook is set up with a URL that doesn't Things get hairy, however, when a Webhook is set up with a URL that doesn't
point to an external, but to an internal service, that may do something point to an external, but to an internal service, that may do something
completely unintended when the webhook is triggered and the POST request is completely unintended when the webhook is triggered and the POST request is
sent. sent.
Because Webhook requests are made by the GitLab server itself, these have Webhook requests are made by the GitLab server itself and use a single
complete access to everything running on the server (`http://localhost:123`) or (optional) secret token per hook for authorization (instead of a user or
within the server's local network (`http://192.168.1.12:345`), even if these repo-specific token). As a result, these may have broader access than
services are otherwise protected and inaccessible from the outside world. intended to everything running on the server hosting the webhook (which
may include the GitLab server or API itself, e.g., `http://localhost:123`).
Depending on the called webhook, this may also result in network access
to other servers within that webhook server's local network (e.g.,
`http://192.168.1.12:345`), even if these services are otherwise protected
and inaccessible from the outside world.
If a web service does not require authentication, Webhooks can be used to If a web service does not require authentication, Webhooks can be used to
trigger destructive commands by getting the GitLab server to make POST requests trigger destructive commands by getting the GitLab server to make POST requests
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7