
Add outbound allowlist to allowed endpoints for SSRF filter for generic packages

Context

In Enable SSRF protection for dependency proxy for... (!184626 - merged) we added SSRF protection for the dependency proxy for containers.

After the rollout on gitlab.com, the feature flag was enabled and then removed in %18.1 in Remove FF for SSRF protection for dependency proxy (!192238 - merged).

Recently, there have been several reports of issues when pulling Docker images from Docker Hub: https://gitlab.com/gitlab-org/gitlab/-/issues/554440

The issue was addressed in Add outbound allowlist to allowed endpoints for... (!198742 - merged)

We added similar SSRF protection for the generic package registry in Enable SSRF for Generic Package Registry (!193902 - merged). This is still behind the generic_package_registry_ssrf_protection feature flag, which has not yet been globally enabled.

What does this MR do and why?

We're making this change to prevent customers from encountering a similar issue with the generic package registry.
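As an added illustration of the pattern named in the title (this is example code written for this page, not GitLab's implementation and not part of this MR), the Ruby sketch below shows an SSRF filter that refuses outbound requests whose target resolves into internal address ranges, plus an operator-configured allowlist of endpoints that may be contacted anyway. The hostnames, the resolver stub and its answers are constructed for the example; the blocked ranges are the usual loopback, RFC 1918, link-local and ULA prefixes.

```ruby
require "ipaddr"
require "resolv"
require "uri"

# Hypothetical SSRF filter with an outbound allowlist. Written for this page as
# an illustration; it is not GitLab's implementation and uses no GitLab APIs.
module OutboundUrlFilter
  class BlockedUrlError < StandardError; end

  # Address ranges an outbound request must never reach unless the target is
  # explicitly allowlisted (loopback, RFC 1918, link-local, cloud metadata, ULA).
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Constructed DNS answers so the example runs offline. A real deployment
  # would use the default resolver in validate! instead.
  EXAMPLE_RESOLVER = lambda do |host|
    {
      "registry.example.test" => ["93.184.216.34"],            # public, passes the filter
      "mirror.internal.test"  => ["10.0.0.5"],                 # private, needs an allowlist entry
      "rebind.example.test"   => ["93.184.216.34", "10.0.0.9"] # mixed answer, rejected
    }.fetch(host, [])
  end

  # Returns the parsed URI when the request may proceed, raises BlockedUrlError
  # otherwise. `allowlist` entries are "host" or "host:port"; a matching entry
  # skips the address check so a configured endpoint stays reachable even when
  # it lives in a blocked range (the case an outbound allowlist exists for).
  def self.validate!(url, allowlist: [], resolver: ->(h) { Resolv.getaddresses(h) })
    uri = URI.parse(url)
    unless %w[http https].include?(uri.scheme)
      raise BlockedUrlError, "scheme #{uri.scheme.inspect} not permitted"
    end

    host = uri.hostname # strips the [] around IPv6 literals
    raise BlockedUrlError, "missing host" if host.nil? || host.empty?

    return uri if allowlisted?(host, uri.port, allowlist)

    # Literal IPs are checked directly; names are resolved and *every* answer is
    # checked, so a record set mixing public and private addresses is rejected.
    addresses = literal_ip(host) || resolver.call(host)
    raise BlockedUrlError, "#{host} did not resolve" if addresses.empty?

    addresses.each do |addr|
      ip = IPAddr.new(addr)
      next unless BLOCKED_RANGES.any? { |range| range.include?(ip) }

      raise BlockedUrlError, "#{host} resolves to blocked address #{addr}"
    end
    uri
  end

  def self.allowlisted?(host, port, allowlist)
    allowlist.any? do |entry|
      allowed_host, allowed_port = entry.split(":", 2)
      allowed_host.casecmp?(host) && (allowed_port.nil? || allowed_port.to_i == port)
    end
  end

  def self.literal_ip(host)
    [IPAddr.new(host).to_s]
  rescue IPAddr::InvalidAddressError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  [
    ["https://registry.example.test/v2/", []],
    ["https://mirror.internal.test/v2/", []],
    ["https://mirror.internal.test/v2/", ["mirror.internal.test"]],
    ["http://169.254.169.254/latest/meta-data/", []]
  ].each do |url, allowlist|
    begin
      OutboundUrlFilter.validate!(url, allowlist: allowlist,
                                       resolver: OutboundUrlFilter::EXAMPLE_RESOLVER)
      puts "ALLOW #{url} (allowlist=#{allowlist.inspect})"
    rescue OutboundUrlFilter::BlockedUrlError => e
      puts "BLOCK #{url}: #{e.message}"
    end
  end
end
```

The allowlist match is deliberately on host and port, not on the resolved address: the operator is vouching for a specific endpoint, and checking before resolution also means an allowlisted mirror on a private network keeps working without punching a hole for every other host in that range.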

References

#554440

Screenshots or screen recordings

NA

How to set up and validate locally

See https://gitlab.com/gitlab-org/gitlab/-/issues/520294#note_2583110420 (internal)

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #520294
