Self-signed certificates are not validated correctly
Per this line:
if uri.is_a?(URI::HTTPS) http.use_ssl = true http.cert_store = cert_store http.verify_mode = OpenSSL::SSL::VERIFY_NONE if config.http_settings['self_signed_cert'] end
This renders us vulnerable to man-in-the-middle attacks when
self_signed_cert is truthy, which is unexpected behaviour.
When we're using a self-signed certificate, we should have a copy of that certificate on the gitlab-shell side. When we connect to gitlab-ce, we should verify that the server-presented certificate exactly matches the certificate we have. Instead, we're allowing any certificate to be accepted.
I don't know how much of a problem this is in the wild, I just spotted it in passing.
For context: gitlab-shell makes calls to gitlab-ce's internal HTTP(S) API to verify whether actions are permitted or not. If someone could MitM the traffic, they could return "yes" instead of "no" to gain access to things - but managing to MitM it is quite a large barrier in most setups.