debian-mirror-gitlab/doc/security/webhooks.md

107 lines
4.9 KiB
Markdown
Raw Normal View History

2019-09-04 21:01:54 +05:30
---
2021-01-29 00:20:46 +05:30
stage: none
group: unassigned
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
2019-09-04 21:01:54 +05:30
type: concepts, reference, howto
---
2019-09-30 21:07:59 +05:30
2016-06-02 11:05:42 +05:30
# Webhooks and insecure internal web services
2015-04-26 12:48:37 +05:30
2020-04-08 14:13:33 +05:30
NOTE: **Note:**
2020-10-24 23:57:45 +05:30
On GitLab.com, the [maximum number of webhooks and their size](../user/gitlab_com/index.md#webhooks) per project, and per group, is limited.
2020-04-08 14:13:33 +05:30
2019-09-04 21:01:54 +05:30
If you have non-GitLab web services running on your GitLab server or within its
local network, these may be vulnerable to exploitation via Webhooks.
2015-04-26 12:48:37 +05:30
2019-09-04 21:01:54 +05:30
With [Webhooks](../user/project/integrations/webhooks.md), you and your project
maintainers and owners can set up URLs to be triggered when specific changes
2019-12-26 22:10:19 +05:30
occur in your projects. Normally, these requests are sent to external web
services specifically set up for this purpose, that process the request and its
attached data in some appropriate way.
2015-04-26 12:48:37 +05:30
2019-09-04 21:01:54 +05:30
Things get hairy, however, when a Webhook is set up with a URL that doesn't
point to an external, but to an internal service, that may do something
completely unintended when the webhook is triggered and the POST request is
sent.
2015-04-26 12:48:37 +05:30
2019-12-26 22:10:19 +05:30
Webhook requests are made by the GitLab server itself and use a single
(optional) secret token per hook for authorization (instead of a user or
repo-specific token). As a result, these may have broader access than
intended to everything running on the server hosting the webhook (which
may include the GitLab server or API itself, e.g., `http://localhost:123`).
Depending on the called webhook, this may also result in network access
to other servers within that webhook server's local network (e.g.,
`http://192.168.1.12:345`), even if these services are otherwise protected
and inaccessible from the outside world.
2015-04-26 12:48:37 +05:30
2019-09-04 21:01:54 +05:30
If a web service does not require authentication, Webhooks can be used to
trigger destructive commands by getting the GitLab server to make POST requests
to endpoints like `http://localhost:123/some-resource/delete`.
2015-04-26 12:48:37 +05:30
2019-09-04 21:01:54 +05:30
To prevent this type of exploitation from happening, starting with GitLab 10.6,
all Webhook requests to the current GitLab instance server address and/or in a
private network will be forbidden by default. That means that all requests made
2020-03-13 15:44:24 +05:30
to `127.0.0.1`, `::1` and `0.0.0.0`, as well as IPv4 `10.0.0.0/8`, `172.16.0.0/12`,
`192.168.0.0/16` and IPv6 site-local (`ffc0::/10`) addresses won't be allowed.
2018-10-15 14:42:47 +05:30
2019-09-04 21:01:54 +05:30
This behavior can be overridden by enabling the option *"Allow requests to the
2019-10-12 21:52:04 +05:30
local network from web hooks and services"* in the *"Outbound requests"* section
2020-03-13 15:44:24 +05:30
inside the **Admin Area > Settings** (`/admin/application_settings/network`):
2018-10-15 14:42:47 +05:30
2019-10-12 21:52:04 +05:30
![Outbound requests admin settings](img/outbound_requests_section_v12_2.png)
2018-10-15 14:42:47 +05:30
2019-10-12 21:52:04 +05:30
NOTE: **Note:**
*System hooks* are enabled to make requests to local network by default since they are
set up by administrators. However, you can turn this off by disabling the
**Allow requests to the local network from system hooks** option.
2020-06-23 00:09:42 +05:30
## Allowlist for local requests
2019-10-12 21:52:04 +05:30
2020-06-23 00:09:42 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/44496) in GitLab 12.2
2019-10-12 21:52:04 +05:30
You can allow certain domains and IP addresses to be accessible to both *system hooks*
and *webhooks* even when local requests are not allowed by adding them to the
2020-06-23 00:09:42 +05:30
allowlist. Navigate to **Admin Area > Settings > Network** (`/admin/application_settings/network`)
2019-10-12 21:52:04 +05:30
and expand **Outbound requests**:
2020-06-23 00:09:42 +05:30
![Outbound local requests allowlist](img/allowlist_v13_0.png)
2019-10-12 21:52:04 +05:30
2020-06-23 00:09:42 +05:30
The allowed entries can be separated by semicolons, commas or whitespaces
2019-10-12 21:52:04 +05:30
(including newlines) and be in different formats like hostnames, IP addresses and/or
2020-06-23 00:09:42 +05:30
IP ranges. IPv6 is supported. Hostnames that contain Unicode characters should
2019-10-12 21:52:04 +05:30
use IDNA encoding.
2020-06-23 00:09:42 +05:30
The allowlist can hold a maximum of 1000 entries. Each entry can be a maximum of
2019-10-12 21:52:04 +05:30
255 characters.
2020-06-23 00:09:42 +05:30
You can allow a particular port by specifying it in the allowlist entry.
2020-04-08 14:13:33 +05:30
For example `127.0.0.1:8080` will only allow connections to port 8080 on `127.0.0.1`.
2020-06-23 00:09:42 +05:30
If no port is mentioned, all ports on that IP/domain are allowed. An IP range
will allow all ports on all IPs in that range.
2020-04-08 14:13:33 +05:30
2019-10-12 21:52:04 +05:30
Example:
2020-05-24 23:13:21 +05:30
```plaintext
2019-10-12 21:52:04 +05:30
example.com;gitlab.example.com
127.0.0.1,1:0:0:0:0:0:0:1
127.0.0.0/8 1:0:0:0:0:0:0:0/124
2020-04-08 14:13:33 +05:30
[1:0:0:0:0:0:0:1]:8080
127.0.0.1:8080
example.com:8080
2019-10-12 21:52:04 +05:30
```
NOTE: **Note:**
2020-04-08 14:13:33 +05:30
Wildcards (`*.example.com`) are not currently supported.
2019-09-04 21:01:54 +05:30
<!-- ## Troubleshooting
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
one might have when setting this up, or when something is changed, or on upgrading, it's
important to describe those, too. Think of things that may go wrong and include them here.
This is important to minimize requests for support, and to avoid doc comments with
questions that you know someone might ask.
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->