Git Plugin Installer: deploy GLPI plugins from any git repository
The second GLPI plugin we’re opening up: Git Plugin Installer, now published on GitHub under a free licence.
Why open source
A tool that downloads and installs code into your GLPI is exactly the kind of thing that must be open. You should be able to audit its supply-chain defences line by line, not take them on faith:
- read the SSRF guards and zip-slip checks yourself before trusting them with remote code;
- contribute repository providers or policies back, instead of waiting on a vendor;
- keep full reversibility — the installer can be removed without leaving anything behind.
Written to GLPI 10/11 best practices, with the threat model of “fetching untrusted archives” front of mind.
What the plugin does
The plugin extends GLPI’s native plugin manager to install and update plugins from git / HTTPS repositories (GitHub, GitLab, Gitea, Forgejo). Features:
- per-source ref policy: track a branch, the latest tag, pin a tag/SHA, or a release asset;
- encrypted credentials (GLPIKey) for private repos;
- HTTPS tarball download — no git binary required;
- SSRF-guarded fetch (DNS blocking of private/loopback/metadata IPs, host allowlist, re-validation on redirect);
- zip-slip-safe extraction, atomic placement;
- hourly update-check cron, update badge and a daily email digest (only when something changed).
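
The three SSRF checks named in the list above (host allowlist, blocking of non-public resolved IPs, re-validation on every redirect) can be sketched as follows. This is an added Python illustration, not code from the plugin's own source; the host names, DNS answers, server responses and function names are constructed assumptions.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"forge.example", "cdn.forge.example"}  # assumed allowlist
MAX_REDIRECTS = 5

class Blocked(Exception):
    """Raised when a hop fails the SSRF policy."""

def check_hop(url, resolve):
    """Validate one URL: https only, allowlisted host, every resolved IP public."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        raise Blocked(f"scheme/host rejected: {url}")
    addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise Blocked(f"no address for {host}")
    for ip in addrs:
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not ip.is_global:  # private, loopback, link-local (metadata), reserved
            raise Blocked(f"{host} resolves to non-public {ip}")
    return str(addrs[0])  # caller connects to this IP, not to a fresh lookup

def guarded_fetch(url, resolve, request):
    """Follow redirects by hand so each Location is re-validated before use."""
    for _ in range(MAX_REDIRECTS + 1):
        pinned = check_hop(url, resolve)
        status, location = request(url, pinned)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url, status
        url = urljoin(url, location)
    raise Blocked("too many redirects")

# Constructed fixtures: fake DNS answers and fake server responses, no network.
DNS = {"forge.example": ["93.184.216.34"], "cdn.forge.example": ["169.254.169.254"]}
SERVER = {
    "https://forge.example/a.tar.gz": (200, None),
    "https://forge.example/b.tar.gz": (302, "http://169.254.169.254/"),
    "https://forge.example/c.tar.gz": (302, "https://cdn.forge.example/c.tar.gz"),
}

def try_fetch(url):
    """Run the guard against the fixtures; report a block instead of raising."""
    try:
        return guarded_fetch(url, lambda h: DNS.get(h, []), lambda u, ip: SERVER[u])
    except Blocked as exc:
        return ("blocked", str(exc))

if __name__ == "__main__":
    for u in SERVER:
        print(u, "->", try_fetch(u))
```

The third fixture is the case an allowlist alone misses: the redirect target is an allowlisted host, but its DNS answer points at a link-local address, so the per-hop IP check is what stops it.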
The plugin can update itself. Release 0.1.0.
→ https://github.com/FathiBenNasr/gitplugins
What’s next
More plugins from our deployments are on the roadmap and will be published as they stabilise.
Running GLPI and need a custom plugin, managed operations or hardening? Let’s talk. And follow us on GitHub for the next releases.