Bypassing the SSRF check in "Run CI/CD pipelines for external repositories" on gitlab.com
HackerOne report #441182 by math1as on 2018-11-15:
Summary: the SSRF check on the gitlab.com online server could be bypassed when using "Run CI/CD pipelines for external repositories".
Steps To Reproduce:
gitlab.com has an SSRF check in both webhooks ([REDACTED]) and CI/CD ([REDACTED]).
The one in CI/CD could be bypassed: both checks cover 127.0.0.1 / localhost / 127.*.*.*, but the network segment 10.*.*.* was checked in webhooks and not in CI/CD; see [REDACTED] and [REDACTED].
Notice that the attacker could even inject a newline into the data (see [REDACTED]); he could fully control the request data and may turn it into remote code execution.
Impact
If there is a Redis or other server in the intranet, the attacker may be able to perform remote code execution.
Edited by Costel Maxim
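The two gaps the report describes, a 10.0.0.0/8 range that one code path did not check and a newline that reached the request, are the kind of defect a single shared destination validator prevents. The Ruby below is an added example for this page, not GitLab's own code; `safe_external_url?`, `blocked_address?`, `demo_resolver` and the FAKE_DNS table with its addresses are constructed for the illustration.

```ruby
require "ipaddr"
require "uri"

# Ranges a CI/CD or webhook target must never resolve to. 10.0.0.0/8 is
# listed next to 127.0.0.0/8: the report's bypass was that only the
# loopback checks were applied on the CI/CD side.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 100.64.0.0/10 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# Constructed DNS table so the example runs offline (assumption, not real hosts).
FAKE_DNS = {
  "gitlab.example"   => ["203.0.113.10"],
  "intranet.example" => ["10.1.2.3"],
  "dual.example"     => ["203.0.113.20", "10.9.9.9"], # one public, one private
}.freeze

def demo_resolver(host)
  return [host] if host.match?(/\A[0-9.]+\z/) || host.include?(":") # IP literal
  FAKE_DNS.fetch(host, [])
end

def blocked_address?(ip_string)
  ip = IPAddr.new(ip_string)
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped? # ::ffff:10.0.0.1 is 10.0.0.1
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true # unparseable address: fail closed
end

# Returns true only when the URL may be fetched. The resolver is injected
# so production code can pass a real lookup and pin the returned address
# for the actual connection (no DNS change between check and use).
def safe_external_url?(raw_url, resolver:)
  return false if raw_url.match?(/[\r\n]/) # no CR/LF: nothing may add request lines
  uri = URI.parse(raw_url)
  return false unless %w[http https].include?(uri.scheme) && uri.hostname
  host = uri.hostname
  return false if host.casecmp?("localhost") || host.end_with?(".localhost")
  addresses = resolver.call(host)
  return false if addresses.empty?
  addresses.none? { |a| blocked_address?(a) } # every record must be public
rescue URI::InvalidURIError
  false
end
```

Call it as `safe_external_url?(url, resolver: method(:demo_resolver))`; a host with one public and one private record is refused, since any private record is enough for the request to land inside the network.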