From 954c3c18320d7dcb66c4c15035594cf5e59a496e Mon Sep 17 00:00:00 2001 From: Christiaan Conover Date: Wed, 21 Aug 2019 17:49:04 -0400 Subject: Document how GitLab stores passwords Provide details on how GitLab stores passwords, including hashing, stretching, and salting. This was driven by a customer asking for this information for a security compliance audit report. --- doc/security/README.md | 1 + doc/security/password_storage.md | 13 +++++++++++++ 2 files changed, 14 insertions(+) create mode 100644 doc/security/password_storage.md (limited to 'doc/security') diff --git a/doc/security/README.md b/doc/security/README.md index 5d498ac7602..e3fb07c69c2 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -5,6 +5,7 @@ type: index # Security +- [Password storage](password_storage.md) - [Password length limits](password_length_limits.md) - [Restrict SSH key technologies and minimum length](ssh_keys_restrictions.md) - [Rate limits](rate_limits.md) diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md new file mode 100644 index 00000000000..a44fafcca14 --- /dev/null +++ b/doc/security/password_storage.md 
@@ -0,0 +1,13 @@ +--- +type: reference +--- + +# Password Storage + +GitLab stores user passwords in a hashed format, to prevent passwords from being visible. + +GitLab uses the [Devise](https://github.com/plataformatec/devise) authentication library, which handles the hashing of user passwords. Password hashes are created with the following attributes: + +- **Hashing**: the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function. +- **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a streching factor of 10 by default. +- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt to further increase security. \ No newline at end of file -- cgit v1.2.1 From b316fb6fd798cac32938560d78349c21d8920ddf Mon Sep 17 00:00:00 2001 From: Christiaan Conover Date: Wed, 21 Aug 2019 18:01:13 -0400 Subject: Fix link syntax typo Fix a missing parentheses in the markdown for a link caused by the URL containing parentheses. --- doc/security/password_storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/security') diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index a44fafcca14..b5c021bf5de 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md 
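Review bot: two text defects in the new `password_storage.md` hunk need fixing before merge: "streching factor" on the Stretching line should read "stretching factor", and the Salting link `[cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)` is missing the closing `)` that Markdown needs because the URL itself ends in a parenthesis (it should end `Salt_(cryptography))`). The file also ends without a trailing newline (`\ No newline at end of file`). On substance, "stretching factor of 10" is bcrypt's cost parameter, i.e. 2^10 = 1024 rounds of its key-expansion loop; stating that would give the compliance reader asking for this page a concrete number rather than a bare "10". It would also help to say that the per-password salt is generated by bcrypt itself and stored inside the hash string, so there is no separate salt value to manage or protect.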
@@ -10,4 +10,4 @@ GitLab uses the [Devise](https://github.com/plataformatec/devise) authentication - **Hashing**: the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function. - **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a streching factor of 10 by default. -- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt to further increase security. \ No newline at end of file +- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt to further increase security. \ No newline at end of file -- cgit v1.2.1 From d2cb8f785edb6fbc9ce00c39d485423d45c0c219 Mon Sep 17 00:00:00 2001 From: Marcel Amirault Date: Thu, 22 Aug 2019 08:50:31 +0000 Subject: Update docs to pass new markdownlint Deletes extra spaces and line, makes lists consistent, and fixes links. --- doc/security/rate_limits.md | 1 - 1 file changed, 1 deletion(-) (limited to 'doc/security') diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md index c80f2f264b2..80088da77a0 100644 --- a/doc/security/rate_limits.md +++ b/doc/security/rate_limits.md @@ -30,4 +30,3 @@ similarly mitigated by a rate limit. This method of rate limiting is cumbersome, but has some advantages. It allows throttling of specific paths, and is also integrated into Git and container registry requests. See [Rack Attack initializer](rack_attack.md). - -- cgit v1.2.1 
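Review bot: the `password_storage.md` hunk correctly closes the parenthesis in the salt link, but its context line still carries the "streching" typo and the file still has no trailing newline (the `\ No newline at end of file` marker appears on both the `-` and `+` side); both could be folded into this same commit rather than left for follow-ups.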
From 2ed065885cbdc5ed5334f1adfbfe2b82895bd146 Mon Sep 17 00:00:00 2001 From: Christiaan Conover Date: Wed, 21 Aug 2019 22:24:12 +0000 Subject: Fix a typo in the section on stretching Correct a typo in the description of how passwords are stretched. --- doc/security/password_storage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc/security') diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index b5c021bf5de..f54e4022062 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md 
@@ -9,5 +9,5 @@ GitLab stores user passwords in a hashed format, to prevent passwords from being GitLab uses the [Devise](https://github.com/plataformatec/devise) authentication library, which handles the hashing of user passwords. Password hashes are created with the following attributes: - **Hashing**: the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function. -- **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a streching factor of 10 by default. -- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt to further increase security. \ No newline at end of file +- **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a stretching factor of 10 by default. +- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt to further increase security. -- cgit v1.2.1 From a6d04d48697270b61b3a57e15a87c97c0fc6e355 Mon Sep 17 00:00:00 2001 From: Christiaan Conover Date: Thu, 22 Aug 2019 12:07:19 -0400 Subject: Improve readability of salting description Add a comma in the final sentence of the description of salting, to improve the readability of what's being said. --- doc/security/password_storage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/security') 
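Review bot: the hunk changes two lines but the commit message only describes the "stretching" typo; the second `+` line is the unchanged Salting sentence re-added with a trailing newline (the `\ No newline at end of file` marker disappears), and the message should say so that a reader of the log is not left wondering why that line moved.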
diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md index f54e4022062..f4e32f96f7b 100644 --- a/doc/security/password_storage.md +++ b/doc/security/password_storage.md @@ -10,4 +10,4 @@ GitLab uses the [Devise](https://github.com/plataformatec/devise) authentication - **Hashing**: the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function. - **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a stretching factor of 10 by default. -- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt to further increase security. +- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt, to further increase security. -- cgit v1.2.1 From 8af8da09d0d25d25b5977b7c74da364e6fbec5fa Mon Sep 17 00:00:00 2001 From: Michael Kozono Date: Fri, 23 Aug 2019 12:52:53 -0700 Subject: Note some JWT requests aren't rate limited --- doc/security/rack_attack.md | 2 ++ 1 file changed, 2 insertions(+) (limited to 'doc/security') diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index b99bfb16829..4ad5fd0d16c 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md 
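Review bot: the comma added in "so that no two passwords share a salt, to further increase security" does not make the sentence clearer, because the trailing phrase modifies the whole sentence rather than the clause before it; a shorter rewrite such as "Each salt is randomly generated per password, so no two passwords share a salt." reads better and drops the vague "to further increase security".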
@@ -81,6 +81,8 @@ This limit is reset by requests that authenticate successfully. For example, 29 failed authentication requests followed by 1 successful request, followed by 29 more failed authentication requests would not trigger a ban. +JWT requests authenticated by gitlab-ci-token are excluded from this limit. + No response headers are provided. ## Settings -- cgit v1.2.1 From ad05e488636ebe05b4985dbf3c7d912fd8d56f49 Mon Sep 17 00:00:00 2001 From: Brett Walker Date: Wed, 20 Feb 2019 17:51:55 -0600 Subject: Add support for using a Camo proxy server User images and videos will get proxied through the Camo server in order to keep malicious sites from collecting the IP address of users. --- doc/security/README.md | 1 + doc/security/asset_proxy.md | 28 ++++++++++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 doc/security/asset_proxy.md (limited to 'doc/security') diff --git a/doc/security/README.md b/doc/security/README.md index 5d498ac7602..fa34f07060e 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -17,3 +17,4 @@ type: index - [Enforce Two-factor authentication](two_factor_authentication.md) - [Send email confirmation on sign-up](user_email_confirmation.md) - [Security of running jobs](https://docs.gitlab.com/runner/security/) +- [Proxying images](asset_proxy.md) diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md new file mode 100644 index 00000000000..f25910d3db7 --- /dev/null +++ b/doc/security/asset_proxy.md 
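Review bot: `gitlab-ci-token` on the added line is a literal token name and should be in backticks, and "JWT requests" should be tied to the endpoint this section limits (the container registry `/jwt/auth` path named just above it), for example "`/jwt/auth` requests authenticated with `gitlab-ci-token` are excluded from this limit", so an operator reviewing the rate limit can tell exactly which traffic bypasses the ban and can confirm that CI job-token traffic is covered elsewhere.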
@@ -0,0 +1,28 @@ +A possible security concern when managing a public facing GitLab instance is +the ability to steal a users IP address by referencing images in issues, comments, etc. + +For example, adding `![Example image](http://example.com/example.png)` to +an issue description will cause the image to be loaded from the external +server in order to be displayed. However this also allows the external server +to log the IP address of the user. + +One way to mitigate this is by proxying any external images to a server you +control. GitLab handles this by allowing you to run the "Camo" server +[cactus/go-camo](https://github.com/cactus/go-camo#how-it-works). +The image request is sent to the Camo server, which then makes the request for +the original image. This way an attacker only ever seems the IP address +of your Camo server. + +Once you have your Camo server up and running, you can configure GitLab to +proxy image requests to it. The following settings are supported: + +| Attribute | Description | +| ------------------------ | ----------- | +| `asset_proxy_enabled` | (**If enabled, requires:** `asset_proxy_url`) Enable proxying of assets. | +| `asset_proxy_secret_key` | Shared secret with the asset proxy server. | +| `asset_proxy_url` | URL of the asset proxy server. | +| `asset_proxy_whitelist` | Assets that match these domain(s) will NOT be proxied. Wildcards allowed. Your GitLab installation URL is automatically whitelisted. | + +These can be set via the [Application setting API](../api/settings.md) + +Note that a GitLab restart is required to apply any changes. -- cgit v1.2.1 From 46f7674733c6289e7ced13fb86f66de792ff5eac Mon Sep 17 00:00:00 2001 From: Evan Read Date: Wed, 28 Aug 2019 15:57:20 +1000 Subject: Edit limit text --- doc/security/rack_attack.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'doc/security') diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index 4ad5fd0d16c..09d29bf3446 100644 
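Review bot: the new `asset_proxy.md` has no `type:` front matter and no `#` heading, unlike the other files in `doc/security` (the `password_storage.md` added earlier in this log opens with `---`, `type: reference`, `---` and `# Password Storage`), so it will render without a title. Prose fixes in the same hunk: "a users IP address" should be "a user's IP address", "However this also allows" needs a comma after "However", "only ever seems the IP address" should be "only ever sees the IP address", and "These can be set via the [Application setting API](../api/settings.md)" is missing its full stop. In the settings table, `asset_proxy_secret_key` should state that the value must be the same secret the Camo server is started with, since that shared secret is what the proxy uses to accept requests from GitLab, and `asset_proxy_whitelist` should show the wildcard form it accepts rather than only saying "Wildcards allowed".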
--- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -77,11 +77,12 @@ authentication requests were received in a 3-minute period from a single IP addr This applies only to Git requests and container registry (`/jwt/auth`) requests (combined). -This limit is reset by requests that authenticate successfully. For example, 29 -failed authentication requests followed by 1 successful request, followed by 29 -more failed authentication requests would not trigger a ban. +This limit: -JWT requests authenticated by gitlab-ci-token are excluded from this limit. +- Is reset by requests that authenticate successfully. For example, 29 + failed authentication requests followed by 1 successful request, followed by 29 + more failed authentication requests would not trigger a ban. +- Does not apply to JWT requests authenticated by `gitlab-ci-token`. No response headers are provided. -- cgit v1.2.1 From 1e2f46f864fcb3defb231a52e0eb06de2449366d Mon Sep 17 00:00:00 2001 From: Marcel Amirault Date: Thu, 29 Aug 2019 08:50:59 +0000 Subject: Fix capitalization in more docs Fix capitalization in docs for works like GitLab, Git Omnibus, etc --- doc/security/information_exclusivity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/security') diff --git a/doc/security/information_exclusivity.md b/doc/security/information_exclusivity.md index 749ccf924b5..7c3d7284f25 100644 --- a/doc/security/information_exclusivity.md +++ b/doc/security/information_exclusivity.md @@ -15,7 +15,7 @@ another project that is under their control, or onto another server. Therefore, it is impossible to build access controls that prevent the intentional sharing of source code by users that have access to the source code. -This is an inherent feature of a DVCS. All git management systems have this +This is an inherent feature of a DVCS. All Git management systems have this limitation. You can take steps to prevent unintentional sharing and information -- cgit v1.2.1