Update --extra-index-url usage in repository webpages
Merged
requested to merge usdResponsibleDisclosure/gitlab:384253-fix-possible-dependency-confusion-pypi into master
A fix for Issue #384253 (closed).
This MR changes --extra-index-url to --index-url in order to prevent users from using the first command without understanding its security implications. Since using --extra-index-url can lead to dependency confusion (for further details see: https://hackerone.com/reports/1681275), this change increases users' security while using GitLab.
Furthermore, forwarding of requests for unknown packages to pypi.org should be disabled by default. This setting can have dangerous side effects and should not be enabled by default. Administrators that understand the consequences could still enable the feature for their instance. Even though the option to disable "PyPi Forwarding" is described in the documentation, it is a feature that can only be configured with a "Premium" subscription. Users with a "Free" subscription cannot disable "PyPi Forwarding". Therefore, to strengthen security, the GitLab Team might consider adding this option to the "Free" tier of GitLab.
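As an added example (not code from the merge request, GitLab or pip), the following Python models pip's candidate selection across configured indexes to show why the two flags differ and why a private-only --index-url needs forwarding to find public names. The index URLs and package contents are constructed sample data.

```python
"""Constructed model of pip's index behaviour (added example, not pip code).

pip gathers candidates from the primary index (--index-url) and every extra
index (--extra-index-url) and installs the highest version it finds.  A public
package that reuses a private name with a larger version number therefore wins."""

PYPI = "https://pypi.org/simple"
GITLAB = "https://gitlab.example/api/v4/projects/1/packages/pypi/simple"  # constructed

# Constructed index contents: index URL -> package name -> available versions.
INDEXES = {
    PYPI: {"acme-internal-utils": ["99.0.0"], "requests": ["2.31.0"]},
    GITLAB: {"acme-internal-utils": ["1.2.0", "1.3.0"]},
}

def _version_key(version):
    # Minimal numeric ordering; real pip applies PEP 440 via packaging.version.
    return tuple(int(part) for part in version.split("."))

def resolve(package, index_url, extra_index_urls=()):
    """Return the (index_url, version) pip would install, or None if absent.

    Every configured index is searched and the highest version wins, no matter
    which index served it; that is the behaviour dependency confusion abuses."""
    candidates = []
    for url in (index_url, *extra_index_urls):
        for version in INDEXES.get(url, {}).get(package, []):
            candidates.append((_version_key(version), url, version))
    if not candidates:
        return None  # with only a private --index-url, public names are not found
    _, url, version = max(candidates)
    return url, version

def flag_extra_index_lines(requirements_text):
    """Defensive check: 1-based numbers of requirements.txt lines that use
    --extra-index-url, which a reviewer should replace with --index-url."""
    return [n for n, line in enumerate(requirements_text.splitlines(), 1)
            if line.strip().startswith("--extra-index-url")]

if __name__ == "__main__":
    # Old instructions: PyPI stays primary, GitLab is an extra index -> confused.
    print(resolve("acme-internal-utils", PYPI, [GITLAB]))  # PyPI, 99.0.0
    # New instructions: GitLab is the only index -> private 1.3.0 is installed.
    print(resolve("acme-internal-utils", GITLAB))  # GitLab, 1.3.0
    # Without forwarding enabled, public-only names are absent from GitLab alone.
    print(resolve("requests", GITLAB))  # None
```

The last case is why the MR asks for forwarding to be an explicit, default-off administrator choice rather than a silent fallback to pypi.org.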