Unauthenticated CI lint API may lead to information disclosure and SSRF
HackerOne report #1059596 by myster
on 2020-12-15:
Report
HI!
The CI Lint API (https://docs.gitlab.com/ee/api/lint.html) allows anonymous access for anyone to validate YAML syntax, which in itself is not really an issue; however, the use of remote
includes may result in an abuse of this unauthenticated API endpoint.
Scenario 1:
An administrator enables internal requests to use webhooks with internal services, assuming it's safe to do because all users are part of the organization and can be trusted.
This would also allow an attacker to abuse the CI Lint API with remote includes to perform internal network requests.
PoC .gitlab-ci.yml:
    include:
      remote: 'http://127.0.0.1:9100/b.yml'
curl request:
    curl -s -H 'Content-Type: application/json' https://redacted/api/v4/ci/lint --data '{ "include_merged_yaml": true, "content": "include:\n  remote: \"http://127.0.0.1:9100/b.yml\"" }'
response (if port is open):
"Included file `http://127.0.0.1:9100/b.yml` does not have valid YAML syntax!"
Scenario 2:
Let's assume that internal requests are blocked. Even in such a scenario, the following risks are present:
- Abuse of the GitLab instance as a proxy to port scan remote targets (I know there are a lot of such proxies out there, but still there should at least be an option to disallow this)
- Disclosure of the origin IP address and User-Agent of the GitLab instance when it's running behind a load balancer or services like Cloudflare for DDoS protection.
Therefore, I think this endpoint should not be public by default, and enforcing authentication might be a good idea, with a toggle to disable it if one is aware of the potential risks here.
Thanks!
Impact
- Origin IP address disclosure
- Unauthenticated SSRF when an admin whitelists internal endpoints for Authenticated users
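Added example (not code from the report, the reporter, or GitLab): it builds the request body the report's curl command sends to the CI Lint API, encodes the response oracle the reporter used to tell an answering host:port from a silent one, and sketches the address policy an operator would want applied to `include: remote:` URLs before the server fetches them. The line-based extraction of remote includes and the policy function are illustrative assumptions, not GitLab's implementation; the sample .gitlab-ci.yml is constructed here and extends the PoC with a public include and an IPv4-mapped IPv6 literal so the mapped-address case is covered.

```python
"""
Added example, not code from the report or from GitLab: builds the CI Lint
request body, shows the open-port oracle from Scenario 1, and applies an
address policy to `include: remote:` URLs. The include extraction and the
policy are illustrative assumptions, not GitLab's implementation.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Heuristic (assumption): matches `remote:` entries without a YAML library.
_REMOTE_RE = re.compile(r"""^\s*-?\s*remote:\s*['"]?([^'"\s]+)['"]?\s*$""")

# Constructed sample: the report's PoC plus a public and an IPv4-mapped IPv6 include.
SAMPLE_CI_YAML = """\
include:
  - remote: 'http://127.0.0.1:9100/b.yml'
  - remote: "https://example.com/ci/common.yml"
  - remote: http://[::ffff:169.254.169.254]/latest/meta-data
"""


def lint_request_body(ci_yaml: str, include_merged_yaml: bool = True) -> str:
    """JSON body for POST /api/v4/ci/lint; json.dumps performs the escaping
    that the inline curl payload in the report does by hand."""
    return json.dumps({"include_merged_yaml": include_merged_yaml, "content": ci_yaml})


def fetch_succeeded(lint_response: dict) -> bool:
    """Port-scan oracle from the report: the lint API only complains that the
    included file 'does not have valid YAML syntax' after it fetched a body,
    so that error means the target host:port answered."""
    return any("does not have valid YAML syntax" in e
               for e in lint_response.get("errors", []))


def remote_includes(ci_yaml: str) -> list:
    """URLs of all `include: remote:` entries (heuristic parse, see above)."""
    urls = []
    for line in ci_yaml.splitlines():
        m = _REMOTE_RE.match(line)
        if m:
            urls.append(m.group(1))
    return urls


def is_internal_address(host: str) -> bool:
    """True for IP literals a server must never fetch on a user's behalf.

    Hostnames are not resolved here (assumption: the caller resolves, checks
    every returned address with this function, and connects to the checked
    address; otherwise DNS rebinding bypasses the check). Only the literal
    name 'localhost' is rejected without resolution.
    """
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname: resolve and re-check in the caller
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_remote_includes(ci_yaml: str, allowed_schemes=("http", "https")) -> dict:
    """Map each remote include URL to 'allow' or the reason it is rejected."""
    verdicts = {}
    for url in remote_includes(ci_yaml):
        parts = urlsplit(url)
        if parts.scheme.lower() not in allowed_schemes:
            verdicts[url] = "reject: scheme not allowed"
        elif not parts.hostname:
            verdicts[url] = "reject: no host"
        elif is_internal_address(parts.hostname):
            verdicts[url] = "reject: internal address"
        else:
            verdicts[url] = "allow"
    return verdicts


if __name__ == "__main__":
    print(lint_request_body(SAMPLE_CI_YAML))
    for url, verdict in check_remote_includes(SAMPLE_CI_YAML).items():
        print(f"{verdict:26} {url}")
```

The policy check is deliberately the last line of defence, not the first: it only inspects literals, so a deployment that relies on it must also resolve hostnames, re-check every returned address, and connect to the address it checked. Authentication on the lint endpoint, as the report recommends, is what removes the anonymous attacker in the first place.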