GitLab did not apply the validate_localhost function to the Fogbugz import

Link:          https://hackerone.com/reports/402990
By:            @math1as

Details:

##Description: When a user imports a project from Fogbugz, GitLab does not check the supplied host with the validate_localhost function. An attacker can therefore make the GitLab server send requests into its own internal network (server-side request forgery) and, from the difference in error responses, learn which ports are open.

##Steps To Reproduce:

  1. See a1.jpg: when the import URL points at a closed port, http://127.0.0.1:8081, GitLab returns "could not connect".
  2. See a2.jpg: when it points at port 8080, which is open on localhost, GitLab returns "looks like there was an issue".

The two different messages let the attacker tell an open port from a closed one, which turns the blind request into a port scan of localhost and the internal network.

##Impact: An attacker could reach local and internal services through the GitLab server.

##Fix: When a user imports a third-party project, the URL must match that service's domain; at a minimum, apply the validate_localhost function to it, as the other importers do.
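As an added example, not code from this report or from GitLab: a Ruby check of the kind the fix describes, run on the import URL before the importer opens any connection. It combines both suggestions above: the host must fall under the expected third-party domain, and every address it resolves to must lie outside loopback, private and link-local ranges (the property validate_localhost is named for). The function names, the blocked-range list and the hostnames in the offline DNS table are assumptions made for this example.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Address ranges an importer must never talk to. The list is an assumption
# for this example: unspecified, RFC 1918, CGNAT, loopback, link-local, ULA.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# In production, names are resolved through the system resolver.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Constructed DNS table so the example runs offline; names and addresses
# are made up for the demo (203.0.113.0/24 is documentation space).
FAKE_DNS = {
  "example.fogbugz.com" => ["203.0.113.10"],
  "rebind.fogbugz.com"  => ["203.0.113.10", "10.0.0.5"],
  "localhost"           => ["127.0.0.1", "::1"],
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

# Returns [blocked, reason]. allowed_domains: nil skips the domain check,
# which is the weaker "just apply validate_localhost" option from the report.
def import_url_blocked?(url, allowed_domains: nil, resolver: DEFAULT_RESOLVER)
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    return [true, "unparseable URL"]
  end
  return [true, "scheme must be http or https"] unless %w[http https].include?(uri.scheme)
  host = uri.hostname&.downcase   # hostname strips the [] around IPv6 literals
  return [true, "missing host"] if host.nil? || host.empty?

  if allowed_domains
    in_domain = allowed_domains.any? { |d| host == d || host.end_with?(".#{d}") }
    return [true, "#{host} is not under #{allowed_domains.join(', ')}"] unless in_domain
  end

  # Literal IPs are checked directly; names are resolved and EVERY answer is
  # checked, so a name with one public and one private record still fails.
  addresses = begin
    [IPAddr.new(host)]
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  return [true, "#{host} did not resolve"] if addresses.empty?

  addresses.each do |ip|
    ip = ip.native if ip.ipv4_mapped?   # ::ffff:127.0.0.1 -> 127.0.0.1
    hit = BLOCKED_RANGES.find { |range| range.include?(ip) }
    return [true, "#{host} resolves to #{ip}, inside #{hit}/#{hit.prefix}"] if hit
  end
  [false, nil]
end

if $PROGRAM_NAME == __FILE__
  [
    "http://127.0.0.1:8080/",                 # the report's case
    "http://localhost:8081/",
    "http://[::ffff:127.0.0.1]/",             # loopback hidden in an IPv6 literal
    "https://example.fogbugz.com/",           # the only one that should pass
    "https://rebind.fogbugz.com/",            # one public and one private record
    "http://example.fogbugz.com.attacker.example/",
  ].each do |u|
    blocked, why = import_url_blocked?(u, allowed_domains: ["fogbugz.com"], resolver: FAKE_RESOLVER)
    puts "#{blocked ? 'BLOCK' : 'allow'}  #{u}  #{why}"
  end
end
```

The domain check uses an exact match or a dot-separated suffix, so `example.fogbugz.com.attacker.example` does not pass. Two caveats a practitioner should keep in mind: a check that resolves the name and then lets the HTTP client resolve it again is still open to DNS rebinding, so the production fix should connect to the address it validated; and once a request is allowed at all, the importer should return one generic failure message, because the two distinct messages in the steps above are exactly what makes the port state observable.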
