Allow administrators to provide public security contact information
What does this MR do and why?
Allow administrators to provide public security contact information
Organizations can facilitate the responsible disclosure of security issues by providing public contact information. The standard way to do this is by using a security.txt file.
This MR introduces this feature by adding:
- a new application setting (text, max 2048 chars)
- updated admin UI to configure this instance-level setting
- updated application setting API to configure the setting
- a new controller to render the content when present
- updated documentation describing the feature and how to use it
When present, the content will be available at
https://YOUR_INSTANCE/.well-known/security.txt
.
Authentication is not required to view this file.
When the content is not present it will return a redirect
for unauthenticated users, and a 404 for authenticated users.
This maintains the behaviour of master
to avoid
introducing a new method for fingerprint a GitLab instance's
deployed version.
Resolves Add support for security.txt (#433210 - closed)
Changelog: added
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Observe the current behavior:
- Go to
https://YOUR_INSTANCE/.well-known/security.txt
and see that a302 Redirect
is returned (master
behaviour) - Log in as any user / an admin
- Go to
https://YOUR_INSTANCE/.well-known/security.txt
and see that a404 Not Found
is returned (master
behaviour)
Check out 433210-security-txt
and restart GDK.
- Log in as an admin
- On the left sidebar, select Search or go to.
- Select Admin Area.
- Select Settings > General.
- Expand the Add security contact information section
- Enter your content in the text area
- Select "Save changes"
-
⭐ Go tohttps://YOUR_INSTANCE/.well-known/security.txt
and see that the content is returned (new behavior) - Log out
-
⭐ Go tohttps://YOUR_INSTANCE/.well-known/security.txt
and see that the content is still returned (new behavior) - Log in again as admin
- Delete the security contact information
- Go to
https://YOUR_INSTANCE/.well-known/security.txt
and see that a404 Not Found
is returned (maintainsmaster
behaviour) - Log out
- Go to
https://YOUR_INSTANCE/.well-known/security.txt
and see that a302 Redirect
is returned (maintainsmaster
behaviour) - Modify the setting via the Application Settings API (see below), and observe the changes at
https://YOUR_INSTANCE/.well-known/security.txt
curl -X PUT -H "PRIVATE-TOKEN: $GDK_ADMIN_PAT" "https://gdk.test:3443/api/v4/application/settings?security_txt_content=Contact:%20mailto:security@acme.co%0AExpires:%202024-12-31T23:59Z"
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR. -
You have considered the technical aspects of this change’s impact on GitLab.com hosted customers and self-managed customers. - There should be zero impact; it's opt in and disabled by default. The current behaviour (a
302
or404
depending on authentication) is maintained. - We already use the
/.well-known/*
path for other features, so it won't conflict with a namespace
- There should be zero impact; it's opt in and disabled by default. The current behaviour (a
-
You have tested this MR in all supported browsers, or determined that this testing is not needed. - I don't believe it is warranted. I copy-pasted from sibling templates so there shouldn't be any browser-based difference that doesn't already exist in the other templates
-
This MR is FOSS only -
The UX is copying an existing pattern, so I'm comfortable leaving off a ~ux label. I am happy with its position in the sidebar; the "Security & Compliance" menu item only appears for EE deployments and this feature is for everyone. -
⚠ I am not confident about the performance impact during migration, as this is my first db-touching MR. So I will "ask a reviewer to help assess the performance impact."-
I did follow the guidance for new text columns though 👍
-
-
I have not added any observability to this feature. It simply renders plaintext if present. Existing rails logging will capture standard logs. -
I added changelog: added
-
I added documentation for this feature -
A security review is not needed for this, although it is a security related feature -
⚠ I have decided not to use a feature flag because I don't see why it would be warranted. Happy to take on feedback.
-
Related to #433210 (closed)