GitLab.org / GitLab / Issues / #353018
Status: Closed
Issue created Feb 16, 2022 by GitLab SecurityBot (@gitlab-securitybot), Reporter

Blind SSRF in repository mirroring using DNS rebinding

HackerOne report #1462437 by ashish_r_padelkar on 2022-01-28, assigned to @dcouture:

Report | Attachments | How To Reproduce

Report

Summary

Hello,

I found a Blind SSRF issue in repository mirroring using DNS rebinding.

Steps to reproduce
  1. Go to https://lock.cmpxchg8b.com/rebinder.html and put any IP address in A and 127.0.0.1 in B.
  2. Now log in to your project and go to https://gitlab.com/<NameSpace>/<ProjectName>/-/settings/repository#js-push-remote-settings
  3. In Mirroring repositories, put the URL generated in step 1, e.g. http://ac41fb4e.7f000001.rbndr.us, in Git repository URL.
  4. Use Push as the mirror direction.
  5. It may block several times, giving the reason "localhost not allowed" (expected, as it will switch to localhost through DNS rebinding), but keep trying until it gets added.
  6. Once added, use the refresh icon near the URL several times, and after a few tries you should see a message like the one below.

[Screenshot: Screen_Shot_2022-01-28_at_11.22.54_AM.png]

  7. This indicates that the request reached localhost but the connection was refused because the port is closed.

Examples

If you want, I can add you to my project for a PoC where I have already added the URLs and you can see the error messages.
https://gitlab.com/[REDACTED]/githubimport/-/settings/repository#js-push-remote-settings

What is the current bug behavior?

Blind SSRF using DNS rebinding

What is the expected correct behavior?

Requests to localhost should be blocked!

Output of checks

This bug happens on GitLab.com

Regards,
Ashish

Impact

Blind SSRF in repository mirroring using DNS rebinding

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

  • Screen_Shot_2022-01-28_at_11.22.54_AM.png

How To Reproduce

Please add reproducibility information to this section:

Steps were explained clearly by the reporter above; also see the video in #353018 (comment 845509652).

Edited Jan 25, 2023 by Costel Maxim
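The bug class above is a time-of-check/time-of-use gap: the hostname is validated at save time, then resolved again at fetch time, and a rebinding record answers with a public address first and 127.0.0.1 later. The check below is an added example and not GitLab's own code; it assumes a Ruby caller holding a user-supplied mirror hostname, and the `resolver` lambda and the sample addresses are constructed so the rebinding answer can be simulated offline.

```ruby
require 'ipaddr'
require 'resolv'

# Ranges a mirror target must never resolve to (loopback, RFC 1918,
# link-local incl. cloud metadata, unspecified, IPv6 ULA/link-local).
FORBIDDEN_RANGES = %w[
  127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16
  0.0.0.0/8 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

class ForbiddenAddressError < StandardError; end

def forbidden_address?(ip)
  addr = IPAddr.new(ip)
  # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) must be judged as IPv4.
  addr = addr.native if addr.ipv4_mapped?
  FORBIDDEN_RANGES.any? { |range| range.include?(addr) }
end

# Resolve ONCE, reject if ANY returned address is forbidden, and hand back the
# exact address that passed so the caller connects to it directly (pinning),
# keeping the original hostname only for the Host header / TLS SNI.
# A second lookup at connect time is what lets rebinding win.
# `resolver` is injectable (hypothetical parameter) so this runs without DNS.
def resolve_and_pin(host, resolver: ->(h) { Resolv.getaddresses(h) })
  literal = (IPAddr.new(host) rescue nil)      # literal IPs skip the lookup
  addresses = literal ? [host] : resolver.call(host)
  raise ForbiddenAddressError, "#{host} did not resolve" if addresses.empty?
  bad = addresses.select { |ip| forbidden_address?(ip) }
  unless bad.empty?
    raise ForbiddenAddressError, "#{host} resolves to #{bad.join(', ')}"
  end
  addresses.first
end
```

Whatever later opens the socket must use the returned address rather than the hostname, otherwise the pinning is lost.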