diff options
author | Evan Read <eread@gitlab.com> | 2019-01-24 06:52:33 +0000 |
---|---|---|
committer | Achilleas Pipinellis <axil@gitlab.com> | 2019-01-24 06:52:33 +0000 |
commit | c2c2d04b3a0d7942edd8c8608f6bd25428131fc3 (patch) | |
tree | 361f2da1a8509a669bec9887abe65252afea5ac2 /doc/security | |
parent | 7d11049237cca35307b996dcec683693794c831a (diff) | |
download | gitlab-ce-c2c2d04b3a0d7942edd8c8608f6bd25428131fc3.tar.gz |
Fix most instances of bare URLs in markdown
Diffstat (limited to 'doc/security')
-rw-r--r-- | doc/security/webhooks.md | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/security/webhooks.md b/doc/security/webhooks.md index fb2b6768f0a..8c26bbac6a7 100644 --- a/doc/security/webhooks.md +++ b/doc/security/webhooks.md @@ -6,9 +6,9 @@ With [Webhooks](../user/project/integrations/webhooks.md), you and your project Things get hairy, however, when a Webhook is set up with a URL that doesn't point to an external, but to an internal service, that may do something completely unintended when the webhook is triggered and the POST request is sent. -Because Webhook requests are made by the GitLab server itself, these have complete access to everything running on the server (http://localhost:123) or within the server's local network (http://192.168.1.12:345), even if these services are otherwise protected and inaccessible from the outside world. +Because Webhook requests are made by the GitLab server itself, these have complete access to everything running on the server (`http://localhost:123`) or within the server's local network (`http://192.168.1.12:345`), even if these services are otherwise protected and inaccessible from the outside world. -If a web service does not require authentication, Webhooks can be used to trigger destructive commands by getting the GitLab server to make POST requests to endpoints like "http://localhost:123/some-resource/delete". +If a web service does not require authentication, Webhooks can be used to trigger destructive commands by getting the GitLab server to make POST requests to endpoints like `http://localhost:123/some-resource/delete`. To prevent this type of exploitation from happening, starting with GitLab 10.6, all Webhook requests to the current GitLab instance server address and/or in a private network will be forbidden by default. That means that all requests made to 127.0.0.1, ::1 and 0.0.0.0, as well as IPv4 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and IPv6 site-local (ffc0::/10) addresses won't be allowed. |