As discussed in this thread, creating a GitLab trusted publisher validates the input fields (like the namespace and project) against some simple regexes:

warehouse/warehouse/oidc/forms/gitlab.py
Lines 21 to 24 in 1036b14

These regexes are too permissive: they accept all valid inputs, but don't fail on all invalid inputs. Looking at the GitLab docs, here are a few invalid cases which we don't detect:

- Must not contain consecutive special characters.
- Cannot start or end with a special character.
- Cannot end in .git or .atom.

There are also reserved group, subgroup and project names which we don't detect.

Currently, accepting these invalid inputs does not have security consequences (it only means that the created trusted publisher will never work, since no GitLab project/namespace with that name will exist), but making the validation more accurate would be a UX improvement, preventing users from creating incorrect trusted publishers.
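As an added illustration (not warehouse's own code), the rules listed above written out as a Python validator beside a stand-in for the permissive regex. The allowed alphabet (letters, digits, `_`, `.`, `-`), the `PERMISSIVE` pattern and the `SAMPLE_RESERVED` set are assumptions for the example; the real reserved-name list is in the GitLab docs.

```python
import re

# Stand-in for a simple, too-permissive pattern of the kind the issue describes
# (assumed; it is not the regex from warehouse/warehouse/oidc/forms/gitlab.py).
PERMISSIVE = re.compile(r"[A-Za-z0-9_.\-]+")

# Characters GitLab treats as "special" in namespace/project paths (assumed).
SPECIAL = frozenset("_.-")

# Constructed sample only; the real reserved names come from the GitLab docs.
SAMPLE_RESERVED = frozenset({"-", "api", "users"})


def permissive_ok(value):
    """What a character-class-only regex accepts."""
    return PERMISSIVE.fullmatch(value) is not None


def validate_gitlab_path(value, reserved=SAMPLE_RESERVED):
    """Return the list of rule violations; an empty list means the value is acceptable."""
    problems = []
    if not value:
        return ["is empty"]
    if not permissive_ok(value):
        # The remaining rules assume the alphabet held, so stop here.
        return ["contains characters outside the allowed alphabet"]
    if value[0] in SPECIAL or value[-1] in SPECIAL:
        problems.append("starts or ends with a special character")
    # Compare each character with its successor: two specials in a row is a violation.
    if any(a in SPECIAL and b in SPECIAL for a, b in zip(value, value[1:])):
        problems.append("contains consecutive special characters")
    if value.endswith((".git", ".atom")):
        problems.append("ends in .git or .atom")
    if value in reserved:
        problems.append("is a reserved name")
    return problems


if __name__ == "__main__":
    # Each of these passes the permissive regex but is rejected by the full rule set.
    for candidate in ("foo..bar", "-foo", "repo.git", "api"):
        print(candidate, permissive_ok(candidate), validate_gitlab_path(candidate))
```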
cc @di @woodruffw