SSRF via repository mirror URL
HackerOne report #860196 by sky003
on 2020-04-27, assigned to @jeremymatos:
Summary
SSRF protection can be bypassed by using a malformed git repository URL. URL format:
git://localhost:[port]/[controlled-payload]@[legit-host]/
Example: git://localhost:1234/whatever-you-want@example.com/
Steps to reproduce
1. Log into the GitLab server and start a TCP listener on port 1234 ($ nc -vvlp 1234).
2. Open "Settings" > "Repository" > "Mirroring repositories" and use the following payload to create a mirror:
Git repository URL: git://localhost@example.com/
Password: 1234/some-path?some-query=some-val#
3. Trigger an update for the mirror you created.
4. Check the TCP listener. You should see the incoming connection.
Impact
A malicious user can establish a TCP connection with local/internal network resources. In most cases it's going to be a blind SSRF (the malicious user can read some git output from the repository mirror update status, which is an error message).
What is the current bug behavior?
There are URL parsing differentials between the GitLab app and git.
What is the expected correct behavior?
Since the "git" protocol is not designed to have any authentication mechanism, I guess the URL part which contains the credentials can be safely removed.
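Added example, not code from the report or from GitLab's own fix: a mirror-URL check in Python that closes the parsing differential described above. It parses the URL once under RFC 3986 rules (urllib), rejects credentials on git:// URLs along the lines the reporter suggests, rebuilds the URL from the parsed host and port only so that git cannot see a different host than the check did, and refuses localhost and loopback/private address literals. The class name, function names and the allowed-scheme set are assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

class UnsafeMirrorURL(ValueError):
    """Raised when a mirror URL must not be handed to git (illustrative name)."""
ALLOWED_SCHEMES = {"git", "http", "https", "ssh"}  # assumed policy

def canonical_mirror_url(url: str) -> str:
    """Parse once under RFC 3986 rules and rebuild the URL from host and port only."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeMirrorURL(f"scheme not allowed: {parts.scheme!r}")
    # The git protocol has no authentication; userinfo on git:// only confuses a host check.
    if parts.scheme == "git" and (parts.username or parts.password):
        raise UnsafeMirrorURL("git:// URLs must not carry credentials")
    host = parts.hostname
    if not host:
        raise UnsafeMirrorURL("missing host")
    try:
        port = parts.port  # ValueError when the port is not numeric
    except ValueError:
        raise UnsafeMirrorURL("invalid port") from None
    if ":" in host:  # IPv6 literal: .hostname drops the brackets, restore them
        host = f"[{host}]"
    netloc = host if port is None else f"{host}:{port}"  # no userinfo survives
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def is_internal_host(host: str) -> bool:
    """True for localhost names and loopback/private/link-local/reserved literals."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name: real code resolves it and re-checks at connect time
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved

def validate_mirror_url(url: str) -> str:
    """Return the canonical URL git may be given, or raise UnsafeMirrorURL."""
    canon = canonical_mirror_url(url)
    if is_internal_host(urlsplit(canon).hostname):
        raise UnsafeMirrorURL("mirror host is internal")
    return canon

def is_safe_mirror_url(url: str) -> bool:
    try:
        validate_mirror_url(url)
        return True
    except UnsafeMirrorURL:
        return False
```

Both forms of the report's payload (the literal URL and the URL GitLab assembles from the URL plus password fields) are refused, while a plain https mirror with credentials is canonicalised to a credential-free URL for git and the credentials handled separately.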