Show warning when using PIP_EXTRA_INDEX_URL
What does this MR do?
This MR updates the gemnasium
git submodule to reflect the changes in Show warning when using PIP_EXTRA_INDEX_URL. Please see the description of that MR for details.
What are the relevant issue numbers?
https://gitlab.com/gitlab-org/gitlab/-/issues/258604
Testing
Tested here:
Successfully downloaded beautifulsoup4 Django django-contrib-comments django-js-asset django-mptt django-tagging django-xmlrpc
mots-vides Pillow pyparsing pytz regex
[WARN] [gemnasium-python] [2021-06-16T12:05:43Z] ▶ Detected PIP_EXTRA_INDEX_URL environment variable configured to 'http://test.com'.
An issue exists in all versions of pip when configuring the PIP_EXTRA_INDEX_URL variable because it installs the version with the
highest version number, even if the user had intended to obtain a private package from a private index. Exploitation requires that
the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version
number). Please see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20225 for more details.
[DEBU] [gemnasium-python] [2021-06-16T12:05:50Z] ▶ /usr/local/bin/pip install --disable-pip-version-check --find-links
./dist --requirement requirements.txt
Does this MR meet the acceptance criteria?
-
Changelog entry added -
Documentation created/updated for GitLab EE, if necessary -
Documentation created/updated for this project, if necessary -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Job definition updated, if necessary -
Conforms to the code review guidelines -
Conforms to the Go guidelines -
Security reports checked/validated by reviewer
Edited by Adam Cohen