Feb 21, 2018 - James Ritchey  

GitLab Pages Security Fix Notification

On February 5, we disabled the ability to add custom domains in GitLab Pages due to security concerns. Today, we have re-enabled that ability after deploying a feature that requires GitLab.com users to verify ownership of the domains. Users can now once again configure domains and update TLS certificates.

To learn more about the original issue, please view the previous post.

User impact

Upon adding a custom domain to their Pages site, users are now required to verify domain ownership by adding a DNS TXT record containing a token generated by GitLab. GitLab Pages then checks for the existence of a TXT record containing that token, which confirms that the domain is controlled by that user. DNS record updates may take time to fully propagate (sometimes up to 24-48 hours).

Once a custom domain has been added and verified, GitLab Pages will periodically re-verify these TXT records. This is handled automatically and is necessary to validate that the user still owns the domain.

Current custom domain users will be required to verify ownership of their existing domain within a 30-day grace period.

Unverified custom domains cannot be claimed by a repository. If previously claimed and unable to be re-verified within 7 days, the custom domain will be relinquished.
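As an added illustration (not GitLab's own code), the verification and re-verification logic described above, modelled in Python: the TXT record name and value format are assumptions for this example, and the DNS resolver is injected so the check runs offline against constructed records.

```python
"""Domain-ownership verification as described in the post, modelled offline.

Assumptions (not taken from the post): the TXT record lives at
_gitlab-pages-verification-code.<domain> and its value is
gitlab-pages-verification-code=<token>. The resolver is a callable so the
check can run against constructed records instead of live DNS."""
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Callable, Iterable, Optional

# Per the post: a previously claimed domain that cannot be re-verified
# within 7 days is relinquished.
REVERIFY_GRACE = timedelta(days=7)


def generate_token() -> str:
    """Unguessable per-domain token (assumed 32 hex chars) the user publishes in DNS."""
    return secrets.token_hex(16)


def txt_record_name(domain: str) -> str:
    """Assumed record name; the real naming scheme is not stated in the post."""
    return f"_gitlab-pages-verification-code.{domain}"


def domain_verified(domain: str, token: str,
                    resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """True if any TXT record at the expected name carries the token.

    compare_digest keeps the comparison constant-time, so a verifier that
    is queried repeatedly does not leak how much of the token matched."""
    expected = f"gitlab-pages-verification-code={token}"
    return any(hmac.compare_digest(rec.strip('"'), expected)
               for rec in resolve_txt(txt_record_name(domain)))


class PagesDomain:
    """Tracks ownership state across the periodic re-verification runs."""

    def __init__(self, domain: str):
        self.domain = domain
        self.token = generate_token()
        self.verified_at: Optional[datetime] = None
        self.enabled = False  # an unverified domain cannot be claimed

    def reverify(self, now: datetime, resolve_txt) -> bool:
        if domain_verified(self.domain, self.token, resolve_txt):
            self.verified_at, self.enabled = now, True
        elif self.verified_at and now - self.verified_at > REVERIFY_GRACE:
            self.enabled = False  # relinquished after 7 days unverified
        return self.enabled
```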

Timeline of issues and mitigation

  • 2017-12-11 - HackerOne Researcher bnchandrapal discloses first report, we decide not to fix anything at this time.

  • 2018-02-01 - GitLab and HackerOne Researcher bnchandrapal agree to publicly disclose the first report.

  • 2018-02-04 - HackerOne Researcher edoverflow submits second report.

  • 2018-02-05 - GitLab posts blog post to inform customers of the security issue and current plan.

  • 2018-02-08 - GitLab awards HackerOne researcher edoverflow a high severity bounty for the second report.

  • 2018-02-12 - HackerNews reports on the GitLab blog post.

  • 2018-02-12 - GitLab awards HackerOne researcher bnchandrapal a high severity bounty for the first report.

  • 2018-02-20 - Per blog post, GitLab planned to roll out the domain ownership verification mechanism to mitigate the first report; however, the fix requires additional testing/verification.

  • 2018-02-21 - GitLab makes second report by researcher edoverflow public.

  • 2018-02-21 - GitLab begins phased rollout of domain ownership verification mechanism.

  • 2018-03-01 - Estimated date of completion for the domain ownership verification mechanism rollout.
