Self-signed certificates are not validated correctly
Per this line:
https://gitlab.com/gitlab-org/gitlab-shell/blob/master/lib/gitlab_net.rb#L167
if uri.is_a?(URI::HTTPS)
http.use_ssl = true
http.cert_store = cert_store
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if config.http_settings['self_signed_cert']
end
This renders us vulnerable to man-in-the-middle attacks when self_signed_cert
is truthy, which is unexpected behaviour.
When we're using a self-signed certificate, we should have a copy of that certificate on the gitlab-shell side. When we connect to gitlab-ce, we should verify that the server-presented certificate exactly matches the certificate we have. Instead, we're allowing any certificate to be accepted.
I don't know how much of a problem this is in the wild, I just spotted it in passing.
/cc @rspeicher @kathyw @jritchey
For context: gitlab-shell makes calls to gitlab-ce's internal HTTP(S) API to verify whether actions are permitted or not. If someone could MitM the traffic, they could return "yes" instead of "no" to gain access to things - but managing to MitM it is quite a large barrier in most setups.