Closed GolovkoStepan closed 1 year ago
postmodern
commented
1 year ago @GolovkoStepan what subnet range do you use for your GitLab/VPN? The list of internal IP ranges should include all private ranges, and networks should only use IETF designated private subnets for their intranet or VPNs.
GolovkoStepan
commented
1 year ago Our server has an external IP, but is only accessible via VPN.
postmodern
commented
1 year ago @GolovkoStepan I think you should give your GitLab server an internal IP that is accessible only via VPN, where the VPN has a private subnet. This is what private subnets are designed for, to indicate that the traffic should never be sent to the default route of your routing table which sends the traffic out of the greater network. By assigning an external IP to your GitLab server you risk accidentally connecting to a malicious GitLab server that has the same IP on the internet if someone hasn't yt connected to the VPN. Or just enable https on your GitLab server and using https:// git URIs.
It is currently not possible to skip the gem source security check. Also, there is no way to supplement this set of IP addresses: https://github.com/rubysec/bundler-audit/blob/master/lib/bundler/audit/scanner.rb#L273
The ability to additionally specify in the configuration file IP addresses that we consider safe for further verification in the "internal_ip?" method.
We use our own gitlab, which is deployed on our internal server. It is accessed via VPN without https.. We consider this source to be safe, but cannot exclude it from security check when performing dependency check.