SSRF - Scan Internal Ports and GCP/AWS endpoints
Link: https://hackerone.com/reports/406299
By: @ngalog
Details: Hi GitLab Security,
I noticed the mirroring repositories function allows users to specify the ssh, http, https, or git scheme to fetch a repo.
The SSRF fix doesn't seem to have been applied here. I confirm I can make gitlab.com make a request to GCP endpoints and make it resolve to 169.254.169.152
The following screenshots show the error message when gitlab.com tries to connect to GCP on different ports
Internal host port 22 is open, and verification is wrong
Steps to reproduce
Visit https://gitlab.com/{userid}/{project_id}/settings/repository
Enter the following payloads as the Git repository URL
ssh://metadata.google.internal:80/hihihi
ssh://metadata.google.internal/hihihi
Impact
SSRF to internal host and GCP
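
A defensive check for the gap this report describes, as an added example that is not part of the original report and not GitLab's code: every scheme the mirror form accepts goes through the same resolved-address block-list. The names `validate_mirror_url`, `blocked_address?`, `BLOCKED_NETS` and `SAMPLE_RESOLVER` are hypothetical, the block-list is an assumed policy, and the resolver data is constructed so the code runs offline.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Schemes the mirror form accepts according to the report.
ALLOWED_SCHEMES = %w[ssh http https git].freeze

# Assumed policy: ranges a server-side fetch must never reach.
BLOCKED_NETS = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed resolver data for offline runs; the first address is the one
# quoted in the report, the second is a documentation-range placeholder.
SAMPLE_RESOLVER = lambda do |host|
  { 'metadata.google.internal' => ['169.254.169.152'],
    'git.example.com' => ['203.0.113.10'] }.fetch(host, [])
end

def blocked_address?(ip)
  ip = ip.native # unwrap IPv4-mapped IPv6 such as ::ffff:169.254.169.152
  BLOCKED_NETS.any? { |net| net.family == ip.family && net.include?(ip) }
end

# Returns [true, [addresses]] or [false, reason]. The same host check runs
# for every scheme, so ssh:// and git:// get no lighter treatment than http://.
def validate_mirror_url(url, resolver: ->(h) { Resolv.getaddresses(h) })
  uri = URI.parse(url)
  return [false, 'scheme not allowed'] unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  host = uri.hostname.to_s # hostname strips the brackets of an IPv6 literal
  return [false, 'missing host'] if host.empty?

  addrs = begin
    [IPAddr.new(host)] # literal IP: nothing to resolve
  rescue IPAddr::Error
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  return [false, 'host does not resolve'] if addrs.empty?

  bad = addrs.find { |ip| blocked_address?(ip) }
  return [false, "resolves to blocked address #{bad}"] if bad

  # Connect to one of these vetted addresses instead of resolving again,
  # otherwise a second DNS answer could differ from the one checked here.
  [true, addrs.map(&:to_s)]
rescue URI::InvalidURIError
  [false, 'unparseable URL']
end
```

Both URLs from the report are rejected by this check whether or not a port is given, because the decision is made on the resolved address and not on the scheme or port.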