gitlab-sandstorm

outdated gitlab version

Open PalinuroSec opened this issue 7 years ago • 9 comments

gitlab-ce 11 is out, while the version in the Sandstorm store is the old (and vulnerable) 8.7, which was released more than two years ago. Is it possible to have an updated version released?

PalinuroSec Jul 29 '18 22:07

@PalinuroSec David isn't currently maintaining the Sandstorm packages under his username, but if anyone is interested in packaging an updated version, we can usually get ahold of the publishing keys and help get through the process of publishing an updated package. (And usually, updating a package is mostly straightforward: you take the newer version of the app and make the same Sandstorm-specific modifications.)

As a note though, Sandstorm apps tend to have a drastically reduced attack surface; the majority of vulnerabilities apps have are not functionally useful on Sandstorm. Since Sandstorm will not permit a user access to a grain they don't have permission for, for example, Sandstorm grains not shared with anyone are nearly completely secure. For grains you have shared, the greatest potential vulnerability is generally for someone who has access at some level (say, read-only access) to elevate their privilege within that particular grain.

ocdtrekkie Jul 30 '18 00:07

Hey guys, as I'm using the Sandstorm GitLab port a lot, I'm very interested in an updated version too and I will take a look at it. I've done that with other apps too, so I hope I'm capable of updating GitLab. I hope to be able to work on this very quickly.

Stay tuned!

JamborJan Jul 31 '18 12:07

This issue was moved to sandstormports/gitlab-sandstorm#1

xet7 Jul 31 '18 19:07

FYI: I was able to start working on that. I hope to make some progress next week. Will let you know ASAP when there is something ready to test.

JamborJan Sep 11 '18 13:09

> FYI: I was able to start working on that. I hope to make some progress next week. Will let you know ASAP when there is something ready to test.

Wow. Cool, dude. Please do help. It will be nice. Wish I knew how to do all these.

yeshegyatso77 Sep 12 '18 06:09

Hi! Any progress?

lucasa Sep 23 '21 16:09

Nobody is currently working on this, unfortunately.

ocdtrekkie Sep 23 '21 16:09

This app needs to be removed from the app list, it is legacy & insecure.

fermulator Feb 13 '22 20:02

Most security vulnerabilities do not work in Sandstorm apps. Do you have a specific security issue that can be executed against a Sandstorm GitLab grain to allow someone without access to the grain to access it?

ocdtrekkie Feb 13 '22 20:02