Regenerate secrets on container startup #1288

Merged
merged 1 commit into from
Jul 23, 2017
Conversation

MichaelEischer
Contributor

The gitlab container includes the files ${GITLAB_INSTALL_DIR}/.gitlab_{shell,workhorse}_secret.
However, these must be kept secret and should therefore not be included in the image.

I've found at least two possible attacks: The internal API intended only for use by the gitlab-shell can be accessed using the shell secret leading to information disclosure and bypass of 2FA.

Fixing this requires deleting both files during the container build process and recreating them on container startup. Although gitlab will also create both files automatically, there seems to be a race condition that from time to time breaks the gitlab-shell on the first startup of the container. The commit therefore calls openssl rand on first start to generate the secrets. The type of secret mirrors that from gitlab.
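One way to do the startup half of that fix, written here as an added illustration and not the PR's own code: each secret file is created only if it is missing, with mode 0600, so a token left in the image is never reused. The default install path and the token formats (32 hex characters for gitlab-shell, base64 of 32 bytes for workhorse) are assumptions, as is the /dev/urandom fallback for systems without openssl.

```shell
#!/bin/sh
# Added example, not the PR's own code: generate the gitlab-shell and
# workhorse secret files on container start only when they are absent.
# Assumptions: GITLAB_INSTALL_DIR default, and that gitlab-shell uses a
# 32-char hex token and workhorse a base64 token, like GitLab's generators.
set -eu

GITLAB_INSTALL_DIR="${GITLAB_INSTALL_DIR:-/home/git/gitlab}"   # assumed default

# Emit one random token of the requested kind on stdout. Uses openssl rand
# as the PR does; falls back to /dev/urandom if openssl is not installed.
gen_secret() {
  case "$1" in
    hex)    if command -v openssl >/dev/null 2>&1; then openssl rand -hex 16
            else od -An -tx1 -N16 /dev/urandom | tr -d ' \n'; echo; fi ;;
    base64) if command -v openssl >/dev/null 2>&1; then openssl rand -base64 32
            else head -c 32 /dev/urandom | base64; fi ;;
    *)      echo "gen_secret: unknown kind '$1'" >&2; return 1 ;;
  esac
}

# Create the file only if missing or empty (a copy baked into the image
# must already have been deleted at build time), with mode 0600 from the
# start so the token is never readable by other users, even briefly.
ensure_secret() {
  file="$1"; kind="$2"
  if [ ! -s "$file" ]; then
    ( umask 077; gen_secret "$kind" > "$file.tmp" ) && mv "$file.tmp" "$file"
  fi
  chmod 0600 "$file"
  [ -s "$file" ]   # refuse to continue with an empty secret
}

# Entry point: call from the container's startup script before gitlab starts.
regenerate_secrets() {
  ensure_secret "$GITLAB_INSTALL_DIR/.gitlab_shell_secret" hex
  ensure_secret "$GITLAB_INSTALL_DIR/.gitlab_workhorse_secret" base64
}
```

Running it a second time leaves existing files untouched, so a restart keeps the tokens gitlab and gitlab-shell already share.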

@solidnerd solidnerd merged commit 04589d2 into sameersbn:master Jul 23, 2017
@solidnerd
Collaborator

LGTM !

@MichaelEischer MichaelEischer deleted the regenerate-secrets branch July 23, 2017 14:40