SSRF in project imports with LFS (#55439) · Issues · GitLab.org / GitLab FOSS

SSRF in project imports with LFS

Summary

Follow-up to https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2696/diffs#note_142737 https://gitlab.com/gitlab-org/gitlab-ce/issues/55200 and https://gitlab.com/gitlab-org/gitlab-ce/issues/55229.

Steps to reproduce

When importing a project that uses LFS from elsewhere, we import the LFS object by performing a HTTP request to get the LFS object, and streaming the contents to disk.

For this we're using open-uri to service the request, which means that redirects are followed without reference to Gitlab::UrlBlocker. So, this can be used to exfiltrate data from the local network, ignoring our policies about that.

What is the current bug behavior?

HTTP requests against arbitrary targets (SSRF)

What is the expected correct behavior?

It would be good to respect the SSRF policy in application settings, so requests against local networks could be forbidden. The requirements are onerous enough to prevent exfiltration, and we're limited to GET requests, which prevents data-modifying SSRF attacks.

Output of checks

This bug happens on GitLab.com

Possible fixes

Remove open-uri.

### Summary

### Steps to reproduce

When importing a project that uses LFS from elsewhere, we import the LFS object by performing a HTTP request to get the LFS object, and streaming the contents to disk.

For this we're using `open-uri` to service the request, which means that redirects are followed without reference to `Gitlab::UrlBlocker`. So, this can be used to exfiltrate data from the local network, ignoring our policies about that.

### What is the current _bug_ behavior?

HTTP requests against arbitrary targets (SSRF)

### What is the expected _correct_ behavior?

### Output of checks