
Review the capabilities of the Gitlab slack app
Open, Low, Public

Description

The GitLab Slack app provides notifications and slash commands that could be useful. We should look at its features and see whether it would be useful to us.

https://docs.gitlab.com/ee/user/project/integrations/gitlab_slack_application.html

Event Timeline

Read-only (e.g. notifications) is straightforward, write operations (slash commands) would require a security review.

LSobanski renamed this task from Install Gitlab slack app to Review the capabilities of the Gitlab slack app. Dec 18 2023, 4:30 PM
LSobanski triaged this task as Low priority.
LSobanski updated the task description.

The GitLab Slack App had a critical security vulnerability in the most recent security release. See Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user and T354913 which is exactly the concern I had when we discussed this Slack integration internally.

So if we experiment with and/or use this integration, we should make sure to check whether there is a read-only mode and whether write commands (slash commands) can be disabled.

brennen edited projects, added GitLab (Integrations); removed GitLab.