Blind SSRF in repository mirroring using DNS rebinding

HackerOne report #1462437 by ashish_r_padelkar on 2022-01-28, assigned to @dcouture:

Report | Attachments | How To Reproduce

Report

Summary

Hello,

I found a Blind SSRF issue in repository mirroring using DNS rebinding.

Steps to reproduce

Go to https://lock.cmpxchg8b.com/rebinder.html and put any ip address in A and 127.0.0.1 in B.
Now login to your project and go to https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/repository#js-push-remote-settings
In Mirroring repositories put the url generated in step 1 for eg http://ac41fb4e.7f000001.rbndr.us in Git repository URL.
Use Push as mirror direction.
It may block several times giving you reason as localhost not allowed(expected as it will switch to localhost in dns rebinding) but keep trying several times till it gets added .
Once added, use the refresh icon near url several times and after few tries you should see message like below.

This indicates that request reached localhost but connection got refused as port is closed.

Examples

If you want i can add you in my project for POC where i have already added the urls and you can see the error messages.
https://gitlab.com/[REDACTED]/githubimport/-/settings/repository#js-push-remote-settings

What is the current bug behavior?

Blind SSRF using DNS rebinding

What is the expected correct behavior?

Request should be blocked to localhost !

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Blind SSRF in repository mirroring using DNS rebinding

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

Screen_Shot_2022-01-28_at_11.22.54_AM.png

How To Reproduce

Please add reproducibility information to this section:

Steps were explained clearly by the reporter above, also see the video in #353018 (comment 845509652)

Edited Jan 25, 2023 by Costel Maxim