The Gitlab FedRAMP High blueprint downloads and pipes a remote script directly into bash during instance startup:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash
There is no checksum validation, GPG signature check, or pinned hash. If packages.gitlab.com were compromised or DNS spoofed (externally or internally with respect to the landing zone network), arbitrary code would run as root on the GitLab server at boot time. This violates SI-7 (Software, Firmware, and Information Integrity).
The script should be downloaded to a file, verified against a known-good SHA-256 hash, and only then executed. This also implicitly pins the script version, which is a desired effect: we do not pull unexpected updates, even when they come from a reputable source.
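The download-verify-execute pattern recommended above, written out as an added example (not code from the blueprint or from GitLab). The digest constant is a placeholder: replace it with the SHA-256 of the script version you reviewed; the URL is the one from the finding.

```shell
#!/usr/bin/env bash
# Hardened replacement for `curl ... | sudo bash`: fetch to a file, compare it
# against a pinned SHA-256, and execute only on an exact match.
set -eu

GITLAB_SCRIPT_URL="https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh"
# PLACEHOLDER: digest of the reviewed script.deb.sh; the real value is not on this page.
GITLAB_SCRIPT_SHA256="REPLACE_WITH_PINNED_SHA256_OF_REVIEWED_SCRIPT"

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_file FILE EXPECTED -> returns 0 on match, 1 (with a message) on mismatch
verify_file() {
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
  return 0
}

# fetch_verify_run URL EXPECTED: download over HTTPS only, verify, then run as root.
# The file is removed on every exit path so a rejected download never lingers.
fetch_verify_run() {
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' --tlsv1.2 \
       -o "$tmp" "$1"
  verify_file "$tmp" "$2"
  sudo bash "$tmp"
}

# Only perform the real install when explicitly requested, e.g. RUN_INSTALL=1 ./install.sh
if [ "${RUN_INSTALL:-0}" = "1" ]; then
  fetch_verify_run "$GITLAB_SCRIPT_URL" "$GITLAB_SCRIPT_SHA256"
fi
```

Because the digest is fixed in the script, upgrading the installer becomes a deliberate, reviewable change to this file rather than whatever packages.gitlab.com serves at boot.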