author | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2017-02-06 12:08:05 +0100 |
---|---|---|
committer | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2017-02-06 12:08:05 +0100 |
commit | 50aec8dd0df863c6f129edb505218e744c479a4b (patch) | |
tree | 144f6d95364e9441e71a9fafe028fa5621a61cc4 /doc/security/webhooks.md | |
parent | 16a72896a21ef065a0b259d32a43dd6554cee1d2 (diff) | |
parent | 572fb0be9b1d45437b7c0ed1000399657f471ec7 (diff) | |
download | gitlab-ce-50aec8dd0df863c6f129edb505218e744c479a4b.tar.gz |
Merge branch 'master' into feature/gb/paginated-environments-api
* master: (295 commits)
Add index to labels for `type` and project_id`
fix rack-proxy dependency in production
Fixed typo
fix failing test
fix Vue warnings for missing element
UX Guide: Button placement in groups
Change window size before visiting page, to get correct scroll position
Fix slash commands spec error
Move project services to new location under Integrations
Move webhooks to new a location under Integrations
Fixed eslint test failure
Fixed adding to list bug
Remove unnecessary queries for .atom and .json in Dashboard::ProjectsController#index
Fixed modal lists dropdown not updating when list is deleted
Fixed remove btn error after creating new issue in list
Removed duplicated test
Removed Masonry, instead uses groups of data
Uses mixins for repeated functions
Fixed up specs
Props use objects with required & type values
...
Diffstat (limited to 'doc/security/webhooks.md')
-rw-r--r-- | doc/security/webhooks.md | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md index bb46aebf4b5..faabc53ce72 100644 --- a/doc/security/webhooks.md +++ b/doc/security/webhooks.md @@ -2,7 +2,7 @@ If you have non-GitLab web services running on your GitLab server or within its local network, these may be vulnerable to exploitation via Webhooks. -With [Webhooks](../web_hooks/web_hooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way. +With [Webhooks](../user/project/integrations/webhooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way. Things get hairy, however, when a Webhook is set up with a URL that doesn't point to an external, but to an internal service, that may do something completely unintended when the webhook is triggered and the POST request is sent. @@ -10,4 +10,4 @@ Because Webhook requests are made by the GitLab server itself, these have comple If a web service does not require authentication, Webhooks can be used to trigger destructive commands by getting the GitLab server to make POST requests to endpoints like "http://localhost:123/some-resource/delete". -To prevent this type of exploitation from happening, make sure that you are aware of every web service GitLab could potentially have access to, and that all of these are set up to require authentication for every potentially destructive command. Enabling authentication but leaving a default password is not enough.
\ No newline at end of file +To prevent this type of exploitation from happening, make sure that you are aware of every web service GitLab could potentially have access to, and that all of these are set up to require authentication for every potentially destructive command. Enabling authentication but leaving a default password is not enough. |
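Review bot: In the first hunk (@@ -2,7 +2,7 @@), the new link target `../user/project/integrations/webhooks.md` cannot be checked from this diff, because the diffstat is limited to doc/security/webhooks.md and the moved file is not shown. Relative to doc/security/ it resolves to doc/user/project/integrations/webhooks.md, so please confirm that file exists in this tree. If the old doc/web_hooks/web_hooks.md path is referenced from outside the repository, consider leaving a short pointer file at the old location so existing links to the Webhooks page do not break.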
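Review bot: In the second hunk (@@ -10,4 +10,4 @@), the last paragraph changes only by gaining the missing end-of-file newline, which is fine, but the advice it carries puts the whole mitigation on every internal service requiring authentication. The context line just above it shows the GitLab server itself sending POST requests to endpoints like "http://localhost:123/some-resource/delete", so a follow-up to this document could add a sentence on limiting which local and internal addresses the GitLab host is able to reach, so the guidance does not depend solely on each service being configured correctly.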