Source: kgb-bot
Version: 1.54-1
Severity: important
User: [email protected]
Usertags: origin-kali

We wanted to use kgb-bot with repositories hosted on gitlab.com but
the "webhook" support in KGB needs a whitelist of the IP that generates
the request. Unfortunately with a large infastructure such as gitlab's
one the number of IP is large and possibly dynamic so this is not
really a good way to authenticate the requests.

Instead you should consider implementing authentication through a secret
token:
https://docs.gitlab.com/ee/user/project/integrations/webhooks.html#secret-token

Ideally that would require https support instead of http to avoid
attacks through network sniffing.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 
'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Reply via email to