SSRF in Prometheus integration
HackerOne report #427364 by bull on 2018-10-23:
I have found an issue which can be used by an attacker to make internal requests to localhost, i.e. 127.0.0.1, and all local IP ranges.
So the problem here is it blocks localhost URL input, but providing external links and if it redirects, GitLab doesn't make any check after the redirect and makes the request to the internal network. I can also evade path with
- Log into GitLab, create a project and go to integrations.
- Now go to the Prometheus integration and enter in the API URL http://bullbucket.s3-website-us-east-1.amazonaws.com/scuscscnhfdfssadqdq which redirects to
- Open netcat at port 12345 in GitLab EE to check if the request is really made to the internal network or not.
Please let me know if you need any more information or if I missed something. Thanks, @bull
access to internal services
Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2736
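The root cause the report describes is a URL check that runs once, on the address the user typed, and never again on the redirect target. The Ruby below is an added mitigation example, not GitLab's code: a fetcher that refuses to let the HTTP client follow redirects and instead vets every hop (scheme, resolved addresses) against loopback, link-local and private ranges before requesting it. The range list, the injectable `resolver`/`fetch` lambdas and the hostnames in the comments are assumptions made for this example.

```ruby
%w[ipaddr resolv uri net/http].each { |lib| require lib }

# Ranges an integration fetcher must never reach; checked on every hop, not only the first.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

def blocked_ip?(addr)
  ip = IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped?        # ::ffff:127.0.0.1 is still loopback
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Parse one hop's URL, resolve its host, and raise if any resolved address is internal.
def vet_hop!(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url)
  raise "unsupported scheme #{uri.scheme.inspect}" unless %w[http https].include?(uri.scheme)
  host = uri.hostname
  raise "missing host" if host.nil? || host.empty?
  addrs = begin
    [IPAddr.new(host).to_s]                # literal IP: no DNS lookup needed
  rescue IPAddr::InvalidAddressError
    resolver.call(host)
  end
  raise "unresolvable host #{host}" if addrs.empty?
  addrs.each { |a| raise "blocked address #{a} for #{host}" if blocked_ip?(a) }
  uri
end

# One HEAD request that does NOT follow redirects itself; returns [status, Location header].
DEFAULT_FETCH = lambda do |uri|
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request_head(uri.request_uri) }
  [res.code.to_i, res["location"]]
end
# Follow redirects by hand so every Location target is vetted before it is requested.
def fetch_with_safe_redirects(url, max_hops: 3, resolver: DEFAULT_RESOLVER, fetch: DEFAULT_FETCH)
  hops = []
  current = url
  (max_hops + 1).times do
    uri = vet_hop!(current, resolver: resolver)
    hops << current
    status, location = fetch.call(uri)
    return { status: status, hops: hops } unless (300..399).cover?(status) && location
    current = uri.merge(location).to_s     # relative Location resolves against this hop
  end
  raise "too many redirects (limit #{max_hops})"
end
```

The default `fetch` lets Net::HTTP resolve the host again, so a production version should connect to the address `vet_hop!` checked (and send the original Host header) to close the DNS-rebinding gap between check and use.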