validate_localhost function in url_blocker.rb could be bypassed
Link: https://hackerone.com/reports/402907
By: @math1as
Details: ##Description:
validate_localhost function (1.jpg) check the ip address that user input into webhooks , service ,etc. but it could be bypassed, for example , not only 127.0.0.1 => localhost using 127.0.0.2 could also access to local address and port.
Steps To Reproduce:
see 2.png , webhooks could send request to local port , bypassed the check function.
I also test this vulnerability in gitlab.com , see 3.jpg , I add a webhook points to local port 8080
and 4.jpg shows the result from local server
Impact
attacker could access to local and internal service. ignore the check function.