summaryrefslogtreecommitdiff
path: root/doc/security
diff options
context:
space:
mode:
authorAchilleas Pipinellis <axilleas@axilleas.me>2017-02-03 19:26:48 +0100
committerAchilleas Pipinellis <axilleas@axilleas.me>2017-02-03 19:26:48 +0100
commit8063628b903d4a8498152d4c3c7c22fca2768957 (patch)
tree11cb172920c069b338fa3718c631b8d6e97a32fa /doc/security
parent7dc8b6b2045d84ff232731ef92f2cac916732753 (diff)
downloadgitlab-ce-8063628b903d4a8498152d4c3c7c22fca2768957.tar.gz
Move webhooks to new a location under Integrations
Diffstat (limited to 'doc/security')
-rw-r--r--doc/security/webhooks.md4
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md
index bb46aebf4b5..faabc53ce72 100644
--- a/doc/security/webhooks.md
+++ b/doc/security/webhooks.md
@@ -2,7 +2,7 @@
If you have non-GitLab web services running on your GitLab server or within its local network, these may be vulnerable to exploitation via Webhooks.
-With [Webhooks](../web_hooks/web_hooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way.
+With [Webhooks](../user/project/integrations/webhooks.md), you and your project masters and owners can set up URLs to be triggered when specific things happen to projects. Normally, these requests are sent to external web services specifically set up for this purpose, that process the request and its attached data in some appropriate way.
Things get hairy, however, when a Webhook is set up with a URL that doesn't point to an external, but to an internal service, that may do something completely unintended when the webhook is triggered and the POST request is sent.
@@ -10,4 +10,4 @@ Because Webhook requests are made by the GitLab server itself, these have comple
If a web service does not require authentication, Webhooks can be used to trigger destructive commands by getting the GitLab server to make POST requests to endpoints like "http://localhost:123/some-resource/delete".
-To prevent this type of exploitation from happening, make sure that you are aware of every web service GitLab could potentially have access to, and that all of these are set up to require authentication for every potentially destructive command. Enabling authentication but leaving a default password is not enough. \ No newline at end of file
+To prevent this type of exploitation from happening, make sure that you are aware of every web service GitLab could potentially have access to, and that all of these are set up to require authentication for every potentially destructive command. Enabling authentication but leaving a default password is not enough.