Blind SSRF in Prometheus Integration

HackerOne report #462325 by ngalog on 2018-12-14:

Summary: in https://about.gitlab.com/2018/11/28/security-release-gitlab-11-dot-5-dot-1-released/ it states that Prometheus is vulnerable to SSRF. I checked, and it was following 302 redirects when fetching the API endpoint; now it doesn't follow redirects, meaning it is not vulnerable anymore.

However, there is still one thing the integration forgot to check: a TOCTOU issue.

Steps To Reproduce:

  • Visit https://{gitlab_instance}/:project_namespace/services/prometheus/edit
  • Enter a domain that points to an external IP address
  • After it is accepted
  • Go to your DNS name provider and change the domain to point to an internal IP address
  • Blind SSRF again

Impact

Blind SSRF in Prometheus Integration
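The mitigation for the rebinding problem the report describes is to resolve the configured host again at fetch time, reject any private, loopback or link-local answer, and connect to the exact address that was checked. The following is an added example written for this page, not GitLab's code; the host name `prom.example.test`, the in-memory DNS table and the `resolver:` injection point are constructed for the demonstration.

```ruby
require 'ipaddr'
require 'resolv'
require 'uri'

# Ranges the integration must never fetch from: loopback, RFC 1918,
# link-local (covers cloud metadata endpoints), IPv6 loopback/ULA/link-local.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def blocked_address?(ip)
  addr = IPAddr.new(ip.to_s)
  # IPv4-mapped IPv6 (::ffff:127.0.0.1) is checked as the IPv4 it wraps.
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
end

# Resolve the host at *request* time and return the one address the HTTP
# client must connect to (sending the original name in the Host header).
# Validating only at save time and letting the client resolve again later
# is exactly the TOCTOU window the report exploits.
def resolve_and_pin(url, resolver: ->(host) { Resolv.getaddresses(host) })
  host = URI.parse(url).hostname
  raise ArgumentError, 'URL has no host' if host.nil? || host.empty?
  addresses = resolver.call(host)
  raise ArgumentError, "#{host} did not resolve" if addresses.empty?
  # Every record in the answer must be public; a mixed answer is rejected.
  bad = addresses.find { |ip| blocked_address?(ip) }
  raise ArgumentError, "#{host} resolves to blocked address #{bad}" if bad
  addresses.first
end

# Constructed scenario following the report: the record is public when the
# integration is saved, then repointed to loopback before the next fetch.
def rebinding_demo
  dns = { 'prom.example.test' => ['203.0.113.10'] } # constructed, TEST-NET-3
  resolver = ->(host) { dns.fetch(host, []) }
  url = 'http://prom.example.test:9090/api/v1/query'
  saved = resolve_and_pin(url, resolver: resolver) # passes at save time
  dns['prom.example.test'] = ['127.0.0.1']         # record rebound after save
  begin
    resolve_and_pin(url, resolver: resolver)       # re-check at fetch time
    [saved, :allowed]
  rescue ArgumentError
    [saved, :blocked]
  end
end
```

The HTTP client must then open its connection to the returned address rather than to the host name, otherwise the library performs its own lookup and the check is bypassed again.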

Security issue

https://dev.gitlab.org/gitlab/gitlabhq/issues/2807

Edited Feb 13, 2019 by Reuben Pereira