
Dependency proxy / Virtual registry SSRF check fails on network range

Summary

When setting up and using the Maven virtual registry, I was getting a 502 error when trying to fetch packages.

I've narrowed this down in the logs to an error in gitlab-workhorse:

{"correlation_id":"01K342NHJ3HDWC8XQ645B0AFBM","error":"Get \"https://repo1.maven.org/maven2/org/codehaus/mojo/exec-maven-plugin/3.0.0/exec-maven-plugin-3.0.0.jar\": dial tcp 199.232.56.209:443: error resolving IP address for 10.12.24.0/23: lookup 10.12.24.0/23: no such host","level":"error","method":"GET","msg":"","time":"2025-08-20T16:48:24+01:00","uri":"/api/v4/virtual_registries/packages/maven/1/org/codehaus/mojo/exec-maven-plugin/3.0.0/exec-maven-plugin-3.0.0.jar"}

This is with my current config for outbound_local_requests_allowlist set to 10.12.24.0/23. If I unset it entirely I get:

{"correlation_id":"01K342QNCS648SAZGXY0YP2AT1","error":"Get \"https://repo1.maven.org/maven2/org/codehaus/mojo/exec-maven-plugin/3.0.0/exec-maven-plugin-3.0.0.jar\": dial tcp 199.232.56.209:443: error resolving IP address for 127.0.0.0/28: lookup 127.0.0.0/28: no such host","level":"error","method":"GET","msg":"","time":"2025-08-20T16:49:34+01:00","uri":"/api/v4/virtual_registries/packages/maven/1/org/codehaus/mojo/exec-maven-plugin/3.0.0/exec-maven-plugin-3.0.0.jar"}

It seems that when outbound_local_requests_allowlist was added to the check in !188915 (merged), network ranges were not considered.

Steps to reproduce

  1. Set up a virtual registry (may also affect a dependency proxy)
  2. Set outbound_local_requests_allowlist to a network range
    • This is "Local IP addresses and domain names that hooks and integrations can access" in admin/application_settings/network#js-outbound-settings
  3. Attempt to make a request to the registry, e.g. curl -i --request GET --url https://gitlab.com/api/v4/virtual_registries/packages/maven/1/org/codehaus/mojo/exec-maven-plugin/3.0.0/exec-maven-plugin-3.0.0.jar --header 'PRIVATE-TOKEN: [REDACTED]' --user-agent "Apache-Maven/3.9.11 (Java 17.0.14; Windows 11 10.0)"

Example Project

What is the current bug behavior?

Workhorse fails to perform the SSRF check, and fails to download the package.

What is the expected correct behavior?

The package is downloaded without error.

Relevant logs and/or screenshots

See above.

Application settings:

[screenshot of the application settings page, attached to the original issue]

Possible fixes

https://gitlab.com/gitlab-org/gitlab/-/blob/master/workhorse/internal/transport/transport.go?ref_type=heads#L174-192

needs to handle IP address networks such as 10.0.0.1/23, which are allowed and suggested for outbound_local_requests_allowlist.
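The logs above show the failure mode precisely: the allowlist entry "10.12.24.0/23" is handed to the resolver as if it were a hostname, so the lookup fails and the whole request is rejected. The following is an added example, not workhorse's transport.go and not GitLab's code, of how such a check can classify each allowlist entry as a CIDR range, a single IP, or a hostname before deciding whether a local target address may be dialed. The type and function names (allowlistEntry, parseAllowlist, checkOutbound, fakeResolve) and the sample allowlist and resolver data are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// allowlistEntry is one parsed entry from outbound_local_requests_allowlist.
// Hypothetical type for this example; not the workhorse implementation.
type allowlistEntry struct {
	ipNet *net.IPNet // set for CIDR entries such as 10.12.24.0/23
	ip    net.IP     // set for bare IP entries such as 192.168.1.9
	host  string     // set for hostname entries such as internal.example
}

// parseAllowlist classifies every entry up front. A CIDR literal goes through
// net.ParseCIDR and is never passed to a DNS resolver, which is exactly the
// mistake the issue describes. Malformed entries are rejected at parse time
// rather than failing later on every outbound request.
func parseAllowlist(entries []string) ([]allowlistEntry, error) {
	var out []allowlistEntry
	for _, raw := range entries {
		e := strings.TrimSpace(raw)
		if e == "" {
			continue
		}
		if strings.Contains(e, "/") {
			_, n, err := net.ParseCIDR(e)
			if err != nil {
				return nil, fmt.Errorf("invalid CIDR allowlist entry %q: %w", e, err)
			}
			out = append(out, allowlistEntry{ipNet: n})
			continue
		}
		if ip := net.ParseIP(e); ip != nil {
			out = append(out, allowlistEntry{ip: ip})
			continue
		}
		out = append(out, allowlistEntry{host: strings.ToLower(e)})
	}
	return out, nil
}

// isLocal is the class of addresses an SSRF check refuses by default:
// loopback, RFC 1918 / ULA private ranges, link-local and unspecified.
func isLocal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// checkOutbound returns nil when dialing target is permitted. Public addresses
// are always allowed; local addresses only when an allowlist entry covers them.
// resolve is injected so the check runs offline in tests; it is only ever
// invoked for hostname entries, never for IP or CIDR literals.
func checkOutbound(target net.IP, host string, list []allowlistEntry, resolve func(string) ([]net.IP, error)) error {
	if !isLocal(target) {
		return nil
	}
	for _, e := range list {
		switch {
		case e.ipNet != nil:
			if e.ipNet.Contains(target) {
				return nil
			}
		case e.ip != nil:
			if e.ip.Equal(target) {
				return nil
			}
		case e.host != "":
			if e.host == strings.ToLower(host) {
				return nil
			}
			addrs, err := resolve(e.host)
			if err != nil {
				continue // an unresolvable allowlist hostname must not break the whole check
			}
			for _, a := range addrs {
				if a.Equal(target) {
					return nil
				}
			}
		}
	}
	return fmt.Errorf("outbound request to local address %s (host %q) is not allowlisted", target, host)
}

// fakeResolve is a constructed stand-in for DNS so the example runs offline.
func fakeResolve(name string) ([]net.IP, error) {
	if name == "internal.example" {
		return []net.IP{net.ParseIP("10.99.0.5")}, nil
	}
	return nil, fmt.Errorf("lookup %s: no such host", name)
}

func main() {
	list, err := parseAllowlist([]string{"10.12.24.0/23", "internal.example", "192.168.1.9"})
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ ip, host string }{
		{"10.12.25.7", ""},                   // inside the /23: allowed
		{"10.12.26.1", ""},                   // just outside the /23: denied
		{"199.232.56.209", "repo1.maven.org"}, // public upstream: always allowed
		{"127.0.0.1", ""},                    // loopback, not allowlisted: denied
	} {
		fmt.Printf("%-15s -> %v\n", c.ip, checkOutbound(net.ParseIP(c.ip), c.host, list, fakeResolve))
	}
}
```

The classification step is what prevents the error in the logs: with it, "10.12.24.0/23" is matched by IPNet.Contains and the resolver is only consulted for entries that are genuinely hostnames. Note that the check is applied to the already-resolved target IP, not to the URL's hostname, so a DNS answer pointing at a local range is still caught.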
