dwrensha / gitlab-sandstorm

GitLab as a Sandstorm app

outdated gitlab version #29

Open PalinuroSec opened 6 years ago

PalinuroSec commented 6 years ago

gitlab-ce 11 is out, while the version in the Sandstorm store is the old (and vulnerable) 8.7, which was released more than two years ago. Is it possible to have an updated version released?

ocdtrekkie commented 6 years ago

@PalinuroSec David isn't currently maintaining the Sandstorm packages under his username, but if anyone is interested in packaging an updated version, we can usually get ahold of the publishing keys, and help get through the process of publishing an updated package. (And usually, updating a package is mostly straightforward, you take the newer version of the app, and make the same Sandstorm-specific modifications.)

As a note though, Sandstorm apps tend to have drastically reduced attack surface; the majority of vulnerabilities apps have are not functionally useful on Sandstorm. Since Sandstorm will not permit a user access to a grain they don't have permission for, for example, Sandstorm grains not shared with anyone are nearly completely secure. For grains you have shared, the greatest potential vulnerability is generally that someone who has access at some level (say, read-only access) could elevate their privilege within that particular grain.

JamborJan commented 6 years ago

Hey guys, as I'm using the Sandstorm GitLab port a lot, I'm very interested in an updated version too and I will take a look at it. I've done that with other apps too, so I hope I'm capable of updating GitLab. I hope to be able to work on this very quickly.

Stay tuned!

xet7 commented 6 years ago

This issue was moved to sandstormports/gitlab-sandstorm#1

JamborJan commented 6 years ago

FYI: I was able to start working on that. I hope to make some progress next week. Will let you know ASAP when there is something ready to test.

yeshegyatso77 commented 6 years ago

Wow, cool, dude. Please do help; it will be nice. Wish I knew how to do all this.

lucasa commented 3 years ago

Hi! Any progress?

ocdtrekkie commented 3 years ago

Nobody is currently working on this, unfortunately.

fermulator commented 2 years ago

This app needs to be removed from the app list, it is legacy & insecure.

ocdtrekkie commented 2 years ago

Most security vulnerabilities do not work in Sandstorm apps. Do you have a specific security issue that can be executed against a Sandstorm GitLab grain to allow someone without access to the grain to access it?