Update --extra-index-url usage in repository webpages
What does this MR do and why?
A fix for Issue #384253 (closed).
This MR changes --extra-index-url to --index-url in order to prevent users from copying the first command without understanding its security implications. Since using --extra-index-url can lead to dependency confusion (for further details see: https://hackerone.com/reports/1681275), this change increases users' security while using GitLab.
Furthermore, forwarding of requests for unknown packages to pypi.org should be disabled by default. This setting can have dangerous side effects and should not be enabled by default. Administrators that understand the consequences could still enable the feature for their instance. Even though the option to disable "PyPi Forwarding" is described in the documentation, it is a feature that can only be configured with a "Premium" subscription. Users with a "Free" subscription cannot disable "PyPi Forwarding". Therefore, to strengthen security, the GitLab Team might consider adding this option to the "Free" tier of GitLab.
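To make the difference between the two flags concrete, here is an added example (it is not part of this MR or of GitLab's code): a small linter that flags pip configuration still relying on --extra-index-url in the three places it usually hides (a requirements.txt or shell command line, a pip.conf key, the PIP_EXTRA_INDEX_URL environment variable) and rewrites each line to the --index-url form, plus a toy model of pip's candidate selection showing why --extra-index-url is exposed to dependency confusion and why --index-url alone only works when public packages are forwarded or mirrored. All URLs, project IDs, package names and version numbers are constructed for the example.

```python
"""Added example, not part of the MR: lint pip config for --extra-index-url
and model why it differs from --index-url. All sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Patterns for the three places the flag usually hides.
FLAG_RE = re.compile(r"--extra-index-url[= ]+(\S+)")                    # CLI / requirements.txt
CONF_RE = re.compile(r"^(\s*)extra-index-url(\s*=\s*)(\S+)", re.IGNORECASE)  # pip.conf key
ENV_RE = re.compile(r"\bPIP_EXTRA_INDEX_URL(\s*=\s*)(\S+)")            # environment variable


@dataclass
class Finding:
    line_no: int
    kind: str          # "flag", "conf" or "env"
    index_url: str
    suggested: str     # the same line rewritten to the --index-url form


def scan_pip_config(text: str) -> List[Finding]:
    """Return one Finding per line that still relies on --extra-index-url."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if m := CONF_RE.match(line):
            fixed = CONF_RE.sub(r"\g<1>index-url\g<2>\g<3>", line)
            findings.append(Finding(n, "conf", m.group(3), fixed.strip()))
        elif m := ENV_RE.search(line):
            fixed = ENV_RE.sub(r"PIP_INDEX_URL\g<1>\g<2>", line)
            findings.append(Finding(n, "env", m.group(2), fixed.strip()))
        elif m := FLAG_RE.search(line):
            fixed = FLAG_RE.sub(r"--index-url \g<1>", line)
            findings.append(Finding(n, "flag", m.group(1), fixed.strip()))
    return findings


Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Simplified dotted-integer version parsing (enough for the toy model)."""
    return tuple(int(part) for part in v.split("."))


def pick_candidate(indexes: Dict[str, Dict[str, List[str]]], package: str,
                   index_url: str, extra_index_urls: List[str]) -> Optional[Tuple[str, str]]:
    """Toy model of pip's candidate selection: every configured index is
    consulted and the highest version wins, no matter which index served it.
    Returns (index_url, version) or None when no index offers the package."""
    best: Optional[Tuple[Version, str, str]] = None
    for url in [index_url, *extra_index_urls]:
        for ver in indexes.get(url, {}).get(package, []):
            key = parse_version(ver)
            if best is None or key > best[0]:
                best = (key, url, ver)
    return None if best is None else (best[1], best[2])


# Constructed sample data: a private GitLab project index and a public index
# that happens to carry a same-named package with a much higher version.
PRIVATE = "https://gitlab.example.com/api/v4/projects/123/packages/pypi/simple"
PUBLIC = "https://pypi.org/simple"
SAMPLE_INDEXES = {
    PRIVATE: {"acme-internal-utils": ["1.4.0", "1.5.0"]},
    PUBLIC: {"acme-internal-utils": ["99.0.0"], "requests": ["2.31.0"]},
}

SAMPLE_CONFIG = """\
# constructed pip.conf excerpt
[global]
extra-index-url = https://gitlab.example.com/api/v4/projects/123/packages/pypi/simple
"""
SAMPLE_SHELL = """\
export PIP_EXTRA_INDEX_URL=https://gitlab.example.com/api/v4/projects/123/packages/pypi/simple
pip install --extra-index-url https://gitlab.example.com/api/v4/projects/123/packages/pypi/simple acme-internal-utils
"""

if __name__ == "__main__":
    for f in scan_pip_config(SAMPLE_CONFIG + SAMPLE_SHELL):
        print(f"line {f.line_no} ({f.kind}): use -> {f.suggested}")
    print("extra-index-url:", pick_candidate(SAMPLE_INDEXES, "acme-internal-utils", PUBLIC, [PRIVATE]))
    print("index-url only: ", pick_candidate(SAMPLE_INDEXES, "acme-internal-utils", PRIVATE, []))
    print("public dep, index-url only:", pick_candidate(SAMPLE_INDEXES, "requests", PRIVATE, []))
```

Running the script reports three findings (the pip.conf key, the environment variable and the install command), resolves acme-internal-utils to the public 99.0.0 when the private index is merely an extra index, and to the private 1.5.0 when it is the only index. The last call returns None: with --index-url pointing at the private index alone, a public dependency such as requests is not found unless the instance forwards or mirrors it, which is exactly the trade-off behind the forwarding setting discussed above.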
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.