
SSRF via workspaces

Please read the process on how to fix security issues before starting to work on the issue. Vulnerabilities must be fixed in a security mirror.

HackerOne report #2734142 by retr02332 on 2024-09-23, assigned to @cmaxim:

Report | Attachments | How To Reproduce

Report

When we create a workspace, GitLab parses our .devfile, then passes the Devfile to an internal Golang binary to get the necessary data from the Devfile.

In this process, the binary makes an HTTP request to any URI defined in an OpenShift or Kubernetes component.

Step by step

  1. Log in to the instance with the user shown below, access the single group and then the project it gives you access to, called “traversal-test/kube-project”. Then edit the .devfile.yaml of the project to put the URL of a remote server to receive the request as interact-sh (note that you can also make external requests, as shown in the evidence below).

GitLab Instance: https://retr02332.site
Username: Hackerone
Password: StrongPassword2332

Impact

A remote attacker can make HTTP requests to arbitrary internal resources, which can result in an attack on availability or in the worst case, integrity and confidentiality.

Attachments

Warning: Attachments received through HackerOne, please exercise caution!

How To Reproduce

Please add reproducibility information to this section:
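
On the mitigation side of the behaviour reported above, one way to vet a Kubernetes or OpenShift component `uri` before any server-side fetch. This is an added example, not part of the report and not GitLab's code or fix; `CheckComponentURI`, `Resolver`, `SampleResolver`, the host names and the policy (absolute http(s) URLs to public addresses only) are assumptions.

```go
package main

import (
	"fmt"
	"net/netip"
	"net/url"
)

// Resolver maps a hostname to its addresses; injectable so the check runs offline.
type Resolver func(host string) ([]netip.Addr, error)

// SampleResolver is constructed sample data standing in for DNS.
func SampleResolver(host string) ([]netip.Addr, error) {
	table := map[string]string{"manifests.example": "203.0.113.10", "db.example": "10.0.0.5"}
	if ip, ok := table[host]; ok {
		return []netip.Addr{netip.MustParseAddr(ip)}, nil
	}
	return nil, fmt.Errorf("no such host %q", host)
}

// blocked reports whether a is a destination a server-side fetch must not reach.
func blocked(a netip.Addr) bool {
	a = a.Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() || a.IsMulticast() || a.IsUnspecified()
}

// CheckComponentURI vets a component uri; the fetcher must dial the vetted address and re-check redirects.
func CheckComponentURI(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("uri %q is not an absolute http(s) URL", raw)
	}
	var addrs []netip.Addr
	if ip, perr := netip.ParseAddr(u.Hostname()); perr == nil {
		addrs = []netip.Addr{ip} // IP literal: check it directly
	} else if addrs, err = resolve(u.Hostname()); err != nil || len(addrs) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", u.Hostname(), err)
	}
	for _, a := range addrs { // reject if any answer is non-public
		if blocked(a) {
			return fmt.Errorf("uri %q points at non-public address %s", raw, a)
		}
	}
	return nil
}

func main() {
	fmt.Println(CheckComponentURI("http://169.254.169.254/", SampleResolver))
}
```

Validation alone does not stop DNS rebinding: the HTTP client has to connect to the exact addresses that passed the check rather than resolving the name a second time.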