SSRF vulnerability in gitlab.com webhook

Summary

https://hackerone.com/bugs?report_id=301924&subject=gitlab

wuqidashi (https://hackerone.com/wuqidashi) reported SSRF vulnerability in gitlab.com webhook (https://hackerone.com/bugs?report_id=301924&subject=gitlab)

Weakness: Server-Side Request Forgery (SSRF)

Severity: Medium

1、 Login to your GitLab account and create a new project, then go to-->>https://gitlab.com/{username}/{project}}/settings/integrations

2、 You can add url to ssrf.following are the steps to reproduce:

If you enter http://127.0.0.1:80/haha.txt as url,we will get -->>Hook executed successfully but returned HTTP 404 <html> <head><title>404 Not Found</title></head> <body bgcolor="white"> <center><h1>404 Not Found</h1></center> <hr><center>nginx/1.12.1</center> </body> </html>

If you enter http://127.0.0.1:9200/haha.txt as url, we will get -->>Hook execution failed: Failed to open TCP connection to 127.0.0.1:9200 (Connection refused - connect(2) for "127.0.0.1" port 9200) (indicating that the port is actually closed.)

The test was done on https://gitlab.com/

I did not do more test.Thanks

Impact

can scan the intranet to get sensitive information.

View details on HackerOne (https://hackerone.com/bugs?report_id=301924&subject=gitlab).

This can be used to extract information out of Consul possibly performing destructive actions as well.

e.g. by using http://127.0.0.1:8500/v1/catalog/nodes we can extract information about all servers connected to the cluster including internal IPs

/cc: @kathyw