GitLab.org / GitLab / Issues / #284819
Closed
Issue created Nov 18, 2020 by GitLab SecurityBot@gitlab-securitybotReporter

SSRF: send arbitrary POST requests into local networks

HackerOne report #1037411 by yvvdwf on 2020-11-18, assigned to @dcouture:


Report

Hello,

The Prometheus integration service allows issuing arbitrary POST requests into the local network.

Steps to reproduce
  1. In any existing project (or create a new one), go to Settings/Integrations/Prometheus
  2. Set the following parameters:
  • Active: check
  • API URL: https://gitlab.com (or any url)
  • Google IAP Audience Client ID: test (or any string)
  • Google IAP Service Account JSON: {"token_credential_uri": "http://localhost:1234/arbitrary-query?x=y", "private_key": 512}
  3. Click the "Test" button; GitLab will hit localhost:1234 (e.g., open a web server at port 1234 to receive the requests)
Impact

The SSRF allows attackers to issue arbitrary POST requests into the local network. The impact will be different, depending on which services are running on the local network. For example, if there exists a docker daemon that is listening on localhost:2375, then attackers may read any files by issuing a POST request to build an image from a remote dockerfile. With your permission, I will try to discover gitlab.com.

Output of checks

This bug happens on GitLab.com

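The root cause described above is that the `token_credential_uri` field of a user-supplied service-account JSON is handed to an HTTP client, which then POSTs a token request to whatever host it names. The issue page does not describe how GitLab fixed it, so the following is an added example (not GitLab's code, nor the HackerOne reporter's) of the kind of server-side validation that closes this class of SSRF: parse the JSON, require `https`, reject loopback/link-local/private ranges (also for IPv6 and IPv4-mapped IPv6 literals), and check every address the hostname resolves to. The `resolver:` keyword, `BLOCKED_RANGES`, `UnsafeTokenUriError` and the stub resolver in the demo are all assumptions of this example; the stub exists only so the block runs offline.

```ruby
require 'json'
require 'ipaddr'
require 'resolv'
require 'uri'

# Added example (not GitLab's code): validate the token_credential_uri found in a
# Google IAP service-account JSON before any HTTP client is allowed to POST to it.
# Address ranges a server-side request built from user input must never reach.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class UnsafeTokenUriError < StandardError; end

# True when the literal or resolved address falls inside a blocked range.
def blocked_address?(addr)
  ip = IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 is still loopback
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Returns the validated URI, nil when the field is absent (the library default
# endpoint would then be used), or raises UnsafeTokenUriError.
# `resolver` maps a hostname to its addresses; the default uses real DNS.
def validate_token_credential_uri(service_account_json,
                                  resolver: ->(host) { Resolv.getaddresses(host) })
  creds = JSON.parse(service_account_json)
  raise UnsafeTokenUriError, 'service account JSON must be an object' unless creds.is_a?(Hash)

  raw = creds['token_credential_uri']
  return nil if raw.nil?

  uri = URI.parse(raw.to_s)
  raise UnsafeTokenUriError, 'scheme must be https' unless uri.is_a?(URI::HTTPS)

  host = uri.hostname.to_s.downcase # hostname strips the [] around IPv6 literals
  raise UnsafeTokenUriError, 'missing host' if host.empty?
  if host == 'localhost' || host.end_with?('.localhost')
    raise UnsafeTokenUriError, 'localhost is not allowed'
  end

  # Check the literal itself, or every address the name resolves to.
  addresses = ip_literal?(host) ? [host] : resolver.call(host)
  raise UnsafeTokenUriError, "#{host} does not resolve" if addresses.empty?
  addresses.each do |addr|
    raise UnsafeTokenUriError, "#{host} resolves to blocked address #{addr}" if blocked_address?(addr)
  end
  uri
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stub resolver so the demo runs offline (addresses are made up).
  stub = ->(host) { { 'oauth2.example' => ['203.0.113.10'], 'rebind.example' => ['10.0.0.5'] }.fetch(host, []) }
  samples = [
    '{"token_credential_uri": "https://oauth2.example/token", "private_key": "..."}',
    '{"token_credential_uri": "http://localhost:1234/arbitrary-query?x=y", "private_key": 512}',
    '{"token_credential_uri": "https://rebind.example/token"}'
  ]
  samples.each do |json|
    begin
      puts "allowed: #{validate_token_credential_uri(json, resolver: stub)}"
    rescue UnsafeTokenUriError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Two design points matter in practice. First, resolve-then-connect is a TOCTOU window (DNS rebinding): the HTTP client should connect to the address that was validated rather than resolving the name a second time. Second, the strictest option for this specific integration is to ignore the field entirely and always use Google's own token endpoint, since nothing in a service-account file legitimately needs to redirect the token exchange elsewhere.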

How To Reproduce

Please add reproducibility information to this section:

Edited Mar 15, 2021 by Dominic Couture