Add outbound allowlist to allowed endpoints for SSRF filter for generic packages
Context
In Enable SSRF protection for dependency proxy for... (!184626 - merged) we've added the SSRF protection for dependency proxy for containers.
After the rollout on gitlab.com, the feature flag was enabled and then removed in %18.1 in Remove FF for SSRF protection for dependency proxy (!192238 - merged).
Recently, there have been several reports of issues when pulling Docker images from Docker Hub https://gitlab.com/gitlab-org/gitlab/-/issues/554440+
The issue was addressed in Add outbound allowlist to allowed endpoints for... (!198742 - merged)
We added similar SSRF protection for the generic package registry in Enable SSRF for Generic Package Registry (!193902 - merged). This is still behind the feature flag generic_package_registry_ssrf_protection, and the feature flag has not yet been globally enabled.
What does this MR do and why?
We're making this change to prevent customers from encountering a similar issue with the generic package registry.
References
#554440
Screenshots or screen recordings
NA
How to set up and validate locally
See https://gitlab.com/gitlab-org/gitlab/-/issues/520294#note_2583110420 (internal)
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #520294