SSRF via repository mirror URL

HackerOne report #860196 by sky003 on 2020-04-27, assigned to @jeremymatos:

Summary

SSRF protection can be bypassed by using malformed git repository URL. URL format:

git://localhost:[port]/[controlled-payload]@[legit-host]/  
Example: git://localhost:1234/whatever-you-want@example.com/  

Steps to reproduce

_1. Log into the gitlab server and start TCP listener on port 1234 ($ nc -vvlp 1234).
_2. Open "Settings" > "Repository" > "Mirroring repositories" and use the following payload to create a mirror:

Git repository URL: git://localhost@example.com/  
Password: 1234/some-path?some-query=some-val#  

_3. Trigger an update for the mirror you created.

_4. Check TCP listener. You should see the incoming connection.

Impact

Malicious user can establish TCP connection with local/internal network resources. For the most cases it's gonna be a blind SSRF (malicious user can read some git output from repository mirror update status, which is an error message).

What is the current bug behavior?

There's URL parsing differentials with gitlab app and git.

What is the expected correct behavior?

Since "git" protocol is not designed to have any authentication mechanism, I guess the URL part which contains the credentials can be safely removed.

Impact

Malicious user can establish TCP connection with local/internal network resources. For the most cases it's gonna be a blind SSRF (malicious user can read some git output from repository mirror update status, which is an error message).

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

• ssrf2.png
• trigger-mirror-update.png
• mirroring-repositories-page.png