GitLab.org / GitLab / Issues / #215879 (Closed)
Issue created Apr 27, 2020 by GitLab SecurityBot (@gitlab-securitybot, Reporter)

SSRF via repository mirror URL

HackerOne report #860196 by sky003 on 2020-04-27, assigned to @jeremymatos:

Summary

SSRF protection can be bypassed by using a malformed git repository URL. URL format:

git://localhost:[port]/[controlled-payload]@[legit-host]/  
Example: git://localhost:1234/whatever-you-want@example.com/  

Steps to reproduce

1. Log into the gitlab server and start a TCP listener on port 1234 ($ nc -vvlp 1234).
2. Open "Settings" > "Repository" > "Mirroring repositories" and use the following payload to create a mirror:

   Git repository URL: git://localhost@example.com/
   Password: 1234/some-path?some-query=some-val#

   [screenshot: mirroring-repositories-page.png]
3. Trigger an update for the mirror you created.
   [screenshot: trigger-mirror-update.png]
4. Check the TCP listener. You should see the incoming connection.
   [screenshot: ssrf2.png]

Impact

A malicious user can establish a TCP connection with local/internal network resources. In most cases it's going to be a blind SSRF (the malicious user can read some git output from the repository mirror update status, which is an error message).

What is the current bug behavior?

There are URL parsing differentials between the GitLab app and git.

What is the expected correct behavior?

Since the "git" protocol is not designed to have any authentication mechanism, I guess the URL part which contains the credentials can be safely removed.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • ssrf2.png
  • trigger-mirror-update.png
  • mirroring-repositories-page.png
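The parsing differential the report describes, modelled in Python as an added example (not GitLab's code and not the reporter's). It assumes a simplified rule for how git picks the host of a git:// URL (everything between "://" and the first "/", minus a "user@" prefix), a constructed blocklist of internal hosts, and that the application composed the mirror URL by plain string insertion of the credentials; the hardened composer applies the report's suggested fix of dropping credentials for git:// and percent-encodes them for other schemes.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed blocklist for the demo; a real deployment resolves the host
# and checks the resulting addresses against its internal ranges.
BLOCKED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def git_host(url: str) -> str:
    """Simplified model (an assumption, not git's own parser) of how git
    picks the host of a git:// URL: host[:port] is everything between
    '://' and the first '/', with any leading 'user@' discarded."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    authority = authority.rsplit("@", 1)[-1]
    return authority.split(":", 1)[0]


def app_host(url: str) -> str:
    """What an RFC 3986 style parser reports as the host of the same URL."""
    return urlsplit(url).hostname or ""


def naive_compose(base: str, user: str, password: str) -> str:
    """Embeds credentials by string insertion, as the report implies the
    application did: nothing in user or password is escaped, so a password
    containing '/' moves the '@' out of the authority as git sees it."""
    scheme, rest = base.split("://", 1)
    rest = rest.rsplit("@", 1)[-1]  # drop any userinfo already in base
    return f"{scheme}://{user}:{password}@{rest}"


def hardened_compose(base: str, user: str, password: str) -> str:
    """git:// carries no authentication, so credentials are dropped (the
    report's suggested fix); other schemes get percent-encoded userinfo."""
    p = urlsplit(base)
    hostport = (p.hostname or "") + (f":{p.port}" if p.port else "")
    if p.scheme == "git":
        netloc = hostport
    else:
        netloc = f"{quote(user, safe='')}:{quote(password, safe='')}@{hostport}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


def final_url_is_safe(final_url: str, validated_host: str) -> bool:
    """Re-check the URL that will actually be handed to git: the host git
    would contact must be the one the application validated, must match
    the RFC parse, and must not be an internal host."""
    g = git_host(final_url)
    return g == validated_host == app_host(final_url) and g not in BLOCKED_HOSTS
```

Running the report's payload through `naive_compose` yields a URL whose git host is localhost even though the application validated example.com, which `final_url_is_safe` rejects; the hardened form passes.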