[Security vulnerability] Enable SSL peer verification for webhooks
Created by: harbulot
This is a follow up of #6162 (closed).
Commit 31736266 disabled peer verification when using a webhook with SSL/TLS.
Unfortunately, this makes the connection vulnerable to MITM attacks. The new behaviour of HTTParty was addressing this problem. Re-introducing a potential vulnerability explicitly when it has been fixed by an underlying library doesn't seem great.
Although this has been refactored since, this security vulnerability is still present in the latest code (commit 35729671), in a couple of places in this file at least:
https://github.com/gitlabhq/gitlabhq/blob/master/app/models/hooks/web_hook.rb#L42
Please don't use `verify: false`, it introduces a security vulnerability.
This isn't an issue that requires a specific code sample and debugging code. Rather, it has to do with making sure HTTPS is used correctly. More background about this general problem can be found here: http://security.stackexchange.com/questions/22965/what-is-the-potential-impact-of-these-ssl-certificate-validation-vulnerabilities
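To make the issue concrete, here is an added example (not code from GitLab's web_hook.rb or from the reporter): a small Ruby script that builds a webhook HTTP client with peer verification left on, the way the report asks for, and a simple source scanner that a reviewer can run over a code base to flag the two common ways of switching verification off (HTTParty's `verify: false` and OpenSSL's `VERIFY_NONE`). The function names, the regex list and the `SAMPLE_SOURCE` snippet are all assumptions constructed for this example; the sample source only imitates the shape of the vulnerable call and is not a copy of the real file.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Build a Net::HTTP client for a webhook URL that always verifies the server
# certificate against the system CA store. This is the behaviour that the
# `verify: false` HTTParty option disables, leaving the connection open to
# an active man-in-the-middle presenting any certificate it likes.
def build_webhook_client(url)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  if uri.scheme == 'https'
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER          # never VERIFY_NONE
    http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  end
  http # caller does http.start { |c| c.request(...) }; no connection yet
end

# Patterns a reviewer would grep for: each one silently disables peer
# verification. (Assumed list; extend it for other HTTP libraries in use.)
INSECURE_PATTERNS = {
  /verify:\s*false/             => 'HTTParty option verify: false',
  /:verify\s*=>\s*false/        => 'HTTParty option :verify => false',
  /VERIFY_NONE/                 => 'OpenSSL::SSL::VERIFY_NONE',
}.freeze

# Scan Ruby source text and return one finding per offending line.
# Each finding carries the line number, a description and the line itself.
def find_disabled_verification(source)
  findings = []
  source.each_line.with_index(1) do |line, number|
    INSECURE_PATTERNS.each do |pattern, description|
      next unless line =~ pattern
      findings << { line: number, issue: description, text: line.strip }
    end
  end
  findings
end

# Constructed sample input, not the real web_hook.rb: line 2 and line 5
# each disable verification in a different way.
SAMPLE_SOURCE = <<~RUBY
  def execute(data)
    HTTParty.post(url, body: data.to_json, verify: false)
  end
  def legacy_client(http)
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  find_disabled_verification(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:issue]} -> #{f[:text]}"
  end
  client = build_webhook_client('https://hooks.example.invalid/receive')
  puts "webhook client verify_mode=#{client.verify_mode} (1 == VERIFY_PEER)"
end
```

Running the script lists lines 2 and 5 of the sample as findings and shows the hardened client with `verify_mode` set to `VERIFY_PEER`. The scanner is deliberately a plain regex pass so it can run in CI against a checkout without loading the application; a hit is a review prompt, not proof of exploitability, but in a webhook sender there is no legitimate reason for either pattern.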