Add outbound allowlist to allowed endpoints for SSRF filter

Context

In Enable SSRF protection for dependency proxy for... (!184626 - merged) we've added the SSRF protection for dependency proxy for containers.

After the rollout on gitlab.com the feature flag was enabled and removed in %18.1 Remove FF for SSRF protection for dependency proxy (!192238 - merged).

Recently, there have been several reports of issues when pulling Docker images from Docker Hub https://gitlab.com/gitlab-org/gitlab/-/issues/554440+

What does this MR do and why?

Add outbound_local_requests_whitelist from the settings to the list of allowed endpoints for SSRF filter for the dependency proxy for containers.

References

https://gitlab.com/gitlab-org/gitlab/-/issues/554440+

Screenshots or screen recordings

No.

How to set up and validate locally

The steps to reproduce the issue are detailed here.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #554440

Edited by Dzmitry (Dima) Meshcharakou
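The kind of check this MR describes, an SSRF filter that refuses local destinations unless an outbound allowlist entry covers them, is sketched below as an added example; it is not GitLab's code or part of this MR. `ALLOWLIST`, `BLOCKED_RANGES`, `allowed_destination?` and the sample hosts and addresses are hypothetical, and the resolved IPs are passed in so the example runs offline.

```ruby
require "ipaddr"

# Constructed allowlist (assumption): entries may be hostnames, single IPs or CIDR ranges.
ALLOWLIST = ["registry.internal.example", "10.20.0.0/16", "192.168.1.10"].freeze

# Destinations an SSRF filter refuses by default: loopback, RFC 1918,
# link-local (cloud metadata lives here), IPv6 loopback, ULA and link-local.
BLOCKED_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Returns an IPAddr, or nil when the value is a hostname or malformed.
def parse_ip(value)
  IPAddr.new(value)
rescue ArgumentError
  nil
end

# An entry matches either as an IP/CIDR containing the address,
# or as a hostname equal to the requested host (case-insensitive).
def allowlisted?(host, ip, allowlist)
  allowlist.any? do |entry|
    range = parse_ip(entry)
    range ? range.include?(ip) : entry.casecmp?(host)
  end
end

# Every resolved address must pass: one internal record in a DNS answer
# is enough to reject. The caller should then connect to a validated
# address rather than resolving the name a second time.
def allowed_destination?(host, resolved_ips, allowlist: ALLOWLIST)
  return false if resolved_ips.empty?

  resolved_ips.all? do |raw|
    ip = parse_ip(raw)&.native # ::ffff:127.0.0.1 is treated as 127.0.0.1
    next false unless ip
    next true unless BLOCKED_RANGES.any? { |range| range.include?(ip) }

    allowlisted?(host, ip, allowlist)
  end
end

# Constructed sample destinations.
puts allowed_destination?("mirror.example", ["10.20.3.4"])
puts allowed_destination?("metadata.example", ["169.254.169.254"])
```
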
