GitLab FOSS issue #55439 (Closed). Created Dec 17, 2018 by Francisco Javier López (@fjsanpedro), Contributor

SSRF in project imports with LFS

Summary

Follow-up to https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2696/diffs#note_142737, https://gitlab.com/gitlab-org/gitlab-ce/issues/55200 and https://gitlab.com/gitlab-org/gitlab-ce/issues/55229.

Steps to reproduce

When importing a project that uses LFS from elsewhere, we import the LFS object by performing an HTTP request to get the LFS object, and streaming the contents to disk.

For this we're using open-uri to service the request, which means that redirects are followed without reference to Gitlab::UrlBlocker. So, this can be used to exfiltrate data from the local network, ignoring our policies about that.

What is the current bug behavior?

HTTP requests against arbitrary targets (SSRF)

What is the expected correct behavior?

It would be good to respect the SSRF policy in application settings, so requests against local networks could be forbidden. The requirements are onerous enough to prevent exfiltration, and we're limited to GET requests, which prevents data-modifying SSRF attacks.

Output of checks

This bug happens on GitLab.com

Possible fixes

Remove open-uri.
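The core of the problem described in "Steps to reproduce" is that open-uri follows redirects on its own, so a validated starting URL can still end up fetching from an address the URL blocker would have rejected. The following is an added example, not GitLab's code and not the real Gitlab::UrlBlocker: it replaces open-uri with a hand-rolled redirect loop over Net::HTTP (which does not follow redirects by itself) and re-validates the target of every hop against a private-address blocklist before a connection is opened. The blocklist, the `Response` struct, the `resolver:`/`transport:` injection points and all hostnames, addresses and response bodies are constructed for the demo so it runs offline.

```ruby
require 'ipaddr'
require 'net/http'
require 'resolv'
require 'uri'

# Raised when a URL (or a redirect target) fails the blocklist check.
class BlockedUrlError < StandardError; end

# Address ranges a project import should never be allowed to reach.
# Assumption for this example: a fixed list; a real deployment would take the
# policy from application settings, as the issue asks for.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Default resolver uses the system DNS; tests inject a fake one.
SYSTEM_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Raises BlockedUrlError unless +url+ is http(s) and every address its host
# resolves to lies outside BLOCKED_RANGES. Returns the parsed URI otherwise.
def validate_url!(url, resolver: SYSTEM_RESOLVER)
  uri = URI.parse(url)
  unless %w[http https].include?(uri.scheme)
    raise BlockedUrlError, "scheme not allowed: #{uri.scheme.inspect}"
  end
  raise BlockedUrlError, 'missing host' if uri.host.nil? || uri.host.empty?

  addresses = resolver.call(uri.host)
  raise BlockedUrlError, "unresolvable host: #{uri.host}" if addresses.empty?

  addresses.each do |addr|
    ip = IPAddr.new(addr)
    if BLOCKED_RANGES.any? { |range| range.include?(ip) }
      raise BlockedUrlError, "#{uri.host} resolves to blocked address #{addr}"
    end
  end
  uri
end

# Transport-independent response so the redirect logic is testable offline.
# +status+ is an Integer, +headers+ a Hash with lowercase keys.
Response = Struct.new(:status, :headers, :body)

# Default transport: exactly one request per hop. Net::HTTP.get_response does
# not follow redirects, so every Location header comes back to our loop.
DEFAULT_TRANSPORT = lambda do |uri|
  res = Net::HTTP.get_response(uri)
  Response.new(res.code.to_i, { 'location' => res['location'] }, res.body)
end

# Fetches an LFS object, following at most +max_redirects+ redirects and
# passing the target of every hop through validate_url! first.
def fetch_lfs_object(url, max_redirects: 3, resolver: SYSTEM_RESOLVER,
                     transport: DEFAULT_TRANSPORT)
  current = url
  (max_redirects + 1).times do
    uri = validate_url!(current, resolver: resolver)
    res = transport.call(uri)
    case res.status
    when 200..299
      return res.body
    when 301, 302, 303, 307, 308
      location = res.headers['location']
      if location.nil? || location.empty?
        raise BlockedUrlError, 'redirect without Location header'
      end
      # Relative Locations resolve against the current URL; the next
      # iteration re-validates whatever host that yields.
      current = URI.join(uri, location).to_s
    else
      raise "unexpected HTTP status #{res.status} from #{uri}"
    end
  end
  raise BlockedUrlError, "more than #{max_redirects} redirects from #{url}"
end

# Constructed DNS and HTTP fixtures: an external LFS server that redirects one
# object to a public CDN and another to an internal host.
CONSTRUCTED_DNS = {
  'lfs.example.test'      => ['203.0.113.10'],
  'cdn.example.test'      => ['198.51.100.7'],
  'intranet.example.test' => ['10.0.0.5']
}.freeze
CONSTRUCTED_RESPONSES = {
  'https://lfs.example.test/objects/abc' =>
    Response.new(302, { 'location' => 'https://cdn.example.test/blob/abc' }, ''),
  'https://cdn.example.test/blob/abc' =>
    Response.new(200, {}, 'lfs-object-bytes'),
  'https://lfs.example.test/objects/def' =>
    Response.new(302, { 'location' => 'http://intranet.example.test/' }, '')
}.freeze
FAKE_RESOLVER  = ->(host) { CONSTRUCTED_DNS.fetch(host, []) }
FAKE_TRANSPORT = ->(uri) { CONSTRUCTED_RESPONSES.fetch(uri.to_s) }

# Returns [body of the allowed fetch, error message of the blocked fetch].
def demo
  ok = fetch_lfs_object('https://lfs.example.test/objects/abc',
                        resolver: FAKE_RESOLVER, transport: FAKE_TRANSPORT)
  blocked = begin
    fetch_lfs_object('https://lfs.example.test/objects/def',
                     resolver: FAKE_RESOLVER, transport: FAKE_TRANSPORT)
    nil
  rescue BlockedUrlError => e
    e.message
  end
  [ok, blocked]
end
```

The check here runs once per hop at resolution time, so a host whose DNS answer changes between validation and connection (DNS rebinding) could still slip through; closing that gap means connecting to the validated IP directly rather than resolving the hostname a second time, which is a separate change from the one this issue proposes.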
