diff options
author | Achilleas Pipinellis <axilleas@axilleas.me> | 2017-02-03 19:26:48 +0100 |
---|---|---|
committer | Achilleas Pipinellis <axilleas@axilleas.me> | 2017-02-03 19:26:48 +0100 |
commit | 8063628b903d4a8498152d4c3c7c22fca2768957 (patch) | |
tree | 11cb172920c069b338fa3718c631b8d6e97a32fa /doc/security | |
parent | 7dc8b6b2045d84ff232731ef92f2cac916732753 (diff) | |
download | gitlab-ce-8063628b903d4a8498152d4c3c7c22fca2768957.tar.gz |
Move webhooks to new a location under Integrations
Diffstat (limited to 'doc/security')
-rw-r--r-- | doc/security/webhooks.md | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md index bb46aebf4b5..faabc53ce72 100644 --- a/doc/security/webhooks.md +++ b/doc/security/webhooks.md @@ -2,7 +2,7 @@ If you have non-GitLab web services running on your GitLab server or within its local network, these may be vulnerable to exploitation via Webhooks. -With [Webhooks](../web_hooks/web_hooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way. +With [Webhooks](../user/project/integrations/webhooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way. Things get hairy, however, when a Webhook is set up with a URL that doesn't point to an external, but to an internal service, that may do something completely unintended when the webhook is triggered and the POST request is sent. @@ -10,4 +10,4 @@ Because Webhook requests are made by the GitLab server itself, these have comple If a web service does not require authentication, Webhooks can be used to trigger destructive commands by getting the GitLab server to make POST requests to endpoints like "http://localhost:123/some-resource/delete". -To prevent this type of exploitation from happening, make sure that you are aware of every web service GitLab could potentially have access to, and that all of these are set up to require authentication for every potentially destructive command. Enabling authentication but leaving a default password is not enough.
\ No newline at end of file +To prevent this type of exploitation from happening, make sure that you are aware of every web service GitLab could potentially have access to, and that all of these are set up to require authentication for every potentially destructive command. Enabling authentication but leaving a default password is not enough. |