SSRF in project imports with LFS
Summary
Follow-up to https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2696/diffs#note_142737, https://gitlab.com/gitlab-org/gitlab-ce/issues/55200 and https://gitlab.com/gitlab-org/gitlab-ce/issues/55229.
Steps to reproduce
When importing a project that uses LFS from elsewhere, we import each LFS object by performing an HTTP request to fetch it and streaming the contents to disk.

For this we're using open-uri to service the request, which means that redirects are followed without reference to Gitlab::UrlBlocker: only the initial URL could ever be checked, and a remote LFS endpoint that answers with a redirect into the local network gets followed anyway. So this can be used to read (and, since the fetched object is stored in the imported project, exfiltrate) data from the local network, ignoring our policies about that.
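To make the gap concrete, here is an added example (not GitLab's code) of the two redirect-following behaviours side by side: a naive follower that, like open-uri, takes whatever Location header it is given, and a guarded follower that validates every hop, not just the first URL, against a stand-in for Gitlab::UrlBlocker. The HTTP transport (fake_get), the DNS table (FAKE_DNS), BLOCKED_RANGES and blocked_url? are constructed fixtures and assumptions of this example, not project APIs, so it runs offline.

```ruby
require "ipaddr"
require "uri"

# Constructed fixture: a fake "network" mapping URL -> [status, headers, body].
# lfs.example.com is a public-looking LFS endpoint that an attacker controls;
# one object redirects into the importer's local network.
FAKE_RESPONSES = {
  "https://lfs.example.com/objects/abc" =>
    [302, { "Location" => "http://127.0.0.1:8080/internal/secret" }, ""],
  "http://127.0.0.1:8080/internal/secret" => [200, {}, "INTERNAL SECRET"],
  "https://lfs.example.com/objects/ghi" =>
    [302, { "Location" => "/objects/def" }, ""],      # benign relative redirect
  "https://lfs.example.com/objects/def" => [200, {}, "real LFS blob"],
}.freeze

# Constructed fixture standing in for DNS resolution (hostname -> IP).
FAKE_DNS = {
  "lfs.example.com"   => "203.0.113.10",
  "localhost"         => "127.0.0.1",
  "metadata.internal" => "169.254.169.254",
}.freeze

def fake_get(url)
  FAKE_RESPONSES.fetch(url) { [404, {}, ""] }
end

def redirect?(status, headers)
  (300..399).cover?(status) && headers["Location"]
end

# Naive follower: mirrors what open-uri does, i.e. follows every Location
# blindly. Even if the caller had validated the first URL, hop two is unchecked.
def naive_fetch(url, limit: 5)
  limit.times do
    status, headers, body = fake_get(url)
    return [url, body] unless redirect?(status, headers)
    url = URI.join(url, headers["Location"]).to_s
  end
  raise "too many redirects"
end

# Assumed local/private ranges, the kind of list an SSRF blocker maintains.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16
  ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class BlockedUrlError < StandardError; end

# Stand-in for an UrlBlocker-style check: unknown scheme, missing host,
# unresolvable host, or an address inside a blocked range all fail closed.
def blocked_url?(url, resolver: FAKE_DNS)
  uri = URI.parse(url)
  return true unless %w[http https].include?(uri.scheme)
  return true if uri.hostname.nil? || uri.hostname.empty?
  ip_str = begin
    IPAddr.new(uri.hostname).to_s            # host is already an IP literal
  rescue IPAddr::InvalidAddressError
    resolver[uri.hostname]                   # otherwise "resolve" it
  end
  return true if ip_str.nil?
  ip = IPAddr.new(ip_str)
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Guarded follower: every hop is checked before a request is made for it.
def guarded_fetch(url, limit: 5)
  limit.times do
    raise BlockedUrlError, "refusing to fetch #{url}" if blocked_url?(url)
    status, headers, body = fake_get(url)
    return [url, body] unless redirect?(status, headers)
    url = URI.join(url, headers["Location"]).to_s
  end
  raise "too many redirects"
end

if __FILE__ == $PROGRAM_NAME
  p naive_fetch("https://lfs.example.com/objects/abc")    # lands on 127.0.0.1
  p guarded_fetch("https://lfs.example.com/objects/ghi")  # benign redirect OK
  begin
    guarded_fetch("https://lfs.example.com/objects/abc")
  rescue BlockedUrlError => e
    puts e.message
  end
end
```

The important design point is that the check runs inside the redirect loop, on the URL about to be requested, rather than once on the URL the import started with. In real code the resolution step should also pin the resolved address for the actual connection (so a hostname cannot resolve to a public IP during the check and a private one when the socket opens), which this offline fixture cannot show.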
What is the current bug behavior?
The import makes HTTP requests against arbitrary targets, including hosts on the local network (SSRF).
What is the expected correct behavior?
It would be good to respect the SSRF policy in application settings, so that requests against local networks (including those reached via redirect) are forbidden. The preconditions are onerous enough to make exfiltration difficult in practice, and we're limited to GET requests, which rules out data-modifying SSRF attacks.
Output of checks
This bug happens on GitLab.com
Possible fixes
Remove open-uri and make the request with a client that validates every redirect target against Gitlab::UrlBlocker before following it.