
SSRF in Prometheus integration

HackerOne report #427364 by bull on 2018-10-23:

Hi,

I have found an issue which can be used by an attacker to make internal requests to localhost, i.e. 127.0.0.1, and all local IP ranges.

Issue:

So the problem here is that it blocks localhost URL input, but if an external link is provided and it redirects, GitLab doesn't make any check after the redirect and makes the request to the internal network. I can also evade the path with #.

POC:

  • Log into GitLab, create a project and go to Integrations.
  • Now go to the Prometheus integration and enter as the API URL http://bullbucket.s3-website-us-east-1.amazonaws.com/scuscscnhfdfssadqdq, which redirects to http://127.0.0.1:12345/ssrf/dbvdbhvdb/local#
  • Open netcat on port 12345 in GitLab EE to check whether the request is really made to the internal network or not.

Screen_Recording_2018-10-23_at_8.14.36_PM.mov

Please let me know if you need any more information or if I missed something. Thanks, @bull

Impact

access to internal services

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Fix

Security issue: https://dev.gitlab.org/gitlab/gitlabhq/issues/2736
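The report above describes two gaps in an outbound-URL check: the localhost blocklist is applied only to the URL the user typed, not to the target of a redirect, and the check can be sidestepped with a fragment in the raw string. The Ruby below is an added illustration of the defensive pattern, written for this page and not GitLab's own implementation or its fix. It validates the parsed hostname (after DNS resolution) against private and loopback ranges, refuses credentials in the URL, and follows redirects by hand so that every hop is re-validated. The `resolver` and `fetch` callables are injectable, and the hostnames and addresses in the demo are constructed, so it runs offline.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'
require 'net/http'

# Added example (not GitLab's code): an outbound-URL check that is applied to
# every redirect hop, not only to the URL the user typed.

# Address ranges an integration request must never reach. Constructed list;
# a real deployment would extend it with its own internal prefixes.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

MAX_REDIRECTS = 3

class BlockedUrlError < StandardError; end

DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Parse and check one URL. Only http(s), no credentials in the URL, and every
# address the host resolves to must lie outside BLOCKED_RANGES. The check runs
# on the parsed hostname, so a fragment, userinfo or odd path in the raw string
# cannot hide the real target. `resolver` is injectable so this runs offline.
def validate_url!(url, resolver: DEFAULT_RESOLVER)
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    raise BlockedUrlError, "unparseable URL"
  end
  raise BlockedUrlError, "scheme must be http or https" unless %w[http https].include?(uri.scheme)
  raise BlockedUrlError, "missing host" if uri.hostname.nil? || uri.hostname.empty?
  raise BlockedUrlError, "credentials in URL not allowed" if uri.userinfo

  host = uri.hostname # brackets already stripped for IPv6 literals
  addrs = begin
    [IPAddr.new(host)] # literal IP: check it directly
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) } # hostname: check every record
  end
  raise BlockedUrlError, "host does not resolve" if addrs.empty?

  addrs.each do |addr|
    addr = addr.native if addr.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
    if BLOCKED_RANGES.any? { |range| range.include?(addr) }
      raise BlockedUrlError, "#{host} resolves to blocked address #{addr}"
    end
  end
  uri
end

# Follow redirects by hand so that every hop passes through validate_url!.
# `fetch` receives a validated URI and returns [status, location_or_nil, body];
# it must not follow redirects on its own.
def fetch_with_checked_redirects(url, fetch:, resolver: DEFAULT_RESOLVER)
  current = url
  (MAX_REDIRECTS + 1).times do
    uri = validate_url!(current, resolver: resolver)
    status, location, body = fetch.call(uri)
    return body unless (300..399).cover?(status) && location
    current = URI.join(uri, location).to_s # relative Location resolved against this hop
  end
  raise BlockedUrlError, "more than #{MAX_REDIRECTS} redirects"
end

# Real client for use with fetch_with_checked_redirects. Net::HTTP does not
# follow redirects by itself, which is exactly what the manual loop needs.
NET_HTTP_FETCH = lambda do |uri|
  Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
    res = http.get(uri.request_uri)
    [res.code.to_i, res['location'], res.body]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Offline demo with a constructed resolver and a constructed redirecting server.
  resolver = ->(host) { { 'public.example' => ['203.0.113.10'] }.fetch(host, []) }
  fetch = ->(uri) { [302, 'http://127.0.0.1:12345/ssrf/dbvdbhvdb/local#', ''] }
  begin
    fetch_with_checked_redirects('http://public.example/bounce', fetch: fetch, resolver: resolver)
  rescue BlockedUrlError => e
    puts "redirect hop rejected: #{e.message}"
  end
end
```

The loop validates the redirect target before connecting to it, which is the step the report says was missing. One caveat the example does not close: a hostname can be re-resolved to a different address between the check and the connection (DNS rebinding), so a production client should connect to the address that was checked rather than resolving the name a second time.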

Edited by Reuben Pereira