gitlab Import url is blocked: "Requests to the local network are not allowed" (#26845) · Issues · GitLab.org / GitLab

gitlab Import url is blocked: "Requests to the local network are not allowed"

### Summary When I try to import a project from a git server running in the same network domain (stash.mydomain.local) as the gitlab server (gitlab.mydomain.local) via URL (Import Project/git Repo by URL), I get the message: > "Import url is blocked: Requests to the local network are not allowed". We are running gitlab-ce docker omnibus image 11.7.5. Note that the server "stash.mydomain.local" does not run on the same server as the server "gitlab.mydomain.local". ### Steps to reproduce Settings: admin/application_settings/network#js-outbound-settings - do not allow requests to the local network from hooks and services. Goto "https://gitlab.mydomain.local/projects". Choose "Import project" and "git Repo by URL". Add repo: "https:<user>:<password>//stash.mydomain/scm/stest/test.git" > The form contains the following error: Import url is blocked: Requests to the local network are not allowed If I try to import a github.com repository by URL, I do not get the error message. ### Example Project Not applicable. ### What is the current *bug* behavior? I cannot import a project from a local hosted server (not running on the same server as gitlab) without enabling outbound requests, which is a risk to our gitlab server. I'm not sure when this stopped working, but I think after the latest upgrade from V11.6.3-ce.0 to V11.7.5-ce.0. I assume that "Import a project by URL" is a system hooks and thereby exempt from this protection because they are set up by admins (gitlab itself). ### What is the expected *correct* behavior? I can import projects via URL from local hosted servers. ### Relevant logs and/or screenshots Snippet from log/gitlab-rails/production.log: `Started POST "/projects" for 127.0.0.1 at 2019-02-20 10:30:22 +0000 Processing by ProjectsController#create as HTML Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "project"=>{"import_url"=>"[FILTERED]", "ci_cd_only"=>"false", "name"=>"cci-test", "namespac e_id"=>"34", "path"=>"cci-test", "description"=>"", "visibility_level"=>"0"}} Unable to save project. Error: Import url is blocked: Requests to the local network are not allowed` ### Output of checks Local hosted gitlab-ce docker server #### Results of GitLab environment info <details> <summary>Expand for output related to GitLab environment info</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:env:info`) System information System: Current User: git Using RVM: no Ruby Version: 2.5.3p105 Gem Version: 2.7.6 Bundler Version:1.16.6 Rake Version: 12.3.2 Redis Version: 3.2.12 Git Version: 2.18.1 Sidekiq Version:5.2.3 Go Version: unknown GitLab information Version: 11.7.5 Revision: c5b5b18 Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql URL: https://gitlab.mydomain.local HTTP Clone URL: https://gitlab.mydomain.local/some-group/some-project.git SSH Clone URL: git@gitlab.mydomain.local:some-group/some-project.git Using LDAP: yes Using Omniauth: yes Omniauth Providers: GitLab Shell Version: 8.4.4 Repository storage paths: - default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git (For installations from source run and paste the output of: `sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`) </pre> </details> #### Results of GitLab application Check <details> <summary>Expand for output related to the GitLab application check</summary> <pre> (For installations with omnibus-gitlab package run and paste the output of: `sudo gitlab-rake gitlab:check SANITIZE=true`) Checking GitLab subtasks ... Checking GitLab Shell ... GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4) Running /opt/gitlab/embedded/service/gitlab-shell/bin/check Check GitLab API access: OK Redis available via internal API: OK Access to /var/opt/gitlab/.ssh/authorized_keys: OK gitlab-shell self-check successful Checking GitLab Shell ... Finished Checking Gitaly ... Gitaly: ... default ... OK Checking Gitaly ... Finished Checking Sidekiq ... Sidekiq: ... Running? ... yes Number of Sidekiq processes ... 1 Checking Sidekiq ... Finished Checking Incoming Email ... Incoming Email: ... Reply by email is disabled in config/gitlab.yml Checking Incoming Email ... Finished Checking LDAP ... LDAP: ... Server: ldapmain LDAP authentication... Success LDAP users with access to your GitLab server (only showing the first 100 results) <<<<<< SKIPPED for privacy reasons >>>>>> Checking LDAP ... Finished Checking GitLab App ... Git configured correctly? ... yes Database config exists? ... yes All migrations up? ... yes Database contains orphaned GroupMembers? ... no GitLab config exists? ... yes GitLab config up to date? ... yes Log directory writable? ... yes Tmp directory writable? ... yes Uploads directory exists? ... yes Uploads directory has correct permissions? ... yes Uploads directory tmp has correct permissions? ... yes Init script exists? ... skipped (omnibus-gitlab has no init script) Init script up-to-date? ... skipped (omnibus-gitlab has no init script) Projects have namespace: ... 38/1 ... yes 40/2 ... yes 40/3 ... yes 37/4 ... yes 37/5 ... yes 37/6 ... yes 37/7 ... yes 37/8 ... yes 71/10 ... yes 37/11 ... yes 71/12 ... yes 71/13 ... yes 69/14 ... yes 70/15 ... yes 71/16 ... yes 71/17 ... yes 37/18 ... yes 71/19 ... yes 37/20 ... yes 71/21 ... yes 71/22 ... yes 71/23 ... yes 37/24 ... yes 37/25 ... yes 37/26 ... yes 37/27 ... yes 37/28 ... yes 37/29 ... yes 37/33 ... yes 47/35 ... yes 47/36 ... yes 47/37 ... yes 38/38 ... yes 38/39 ... yes 38/40 ... yes 38/41 ... yes 47/42 ... yes 47/43 ... yes 51/44 ... yes 53/45 ... yes 51/46 ... yes 51/47 ... yes 51/48 ... yes 51/49 ... yes 51/50 ... yes 51/51 ... yes 51/52 ... yes 51/53 ... yes 70/54 ... yes 37/55 ... yes 71/57 ... yes 44/58 ... yes 38/59 ... yes 64/60 ... yes 70/61 ... yes 53/62 ... yes 66/63 ... yes 67/64 ... yes 69/65 ... yes 38/66 ... yes 69/67 ... yes 44/68 ... yes 78/69 ... yes 74/70 ... yes 38/71 ... yes 69/72 ... yes 69/73 ... yes 69/74 ... yes 38/75 ... yes 69/76 ... yes 38/79 ... yes 64/80 ... yes 78/81 ... yes 51/82 ... yes 80/83 ... yes 40/84 ... yes 69/85 ... yes 80/87 ... yes 69/89 ... yes 100/90 ... yes 102/91 ... yes 70/92 ... yes 69/93 ... yes 95/94 ... yes 102/95 ... yes 93/96 ... yes 100/97 ... yes 38/98 ... yes 38/99 ... yes 70/101 ... yes 96/102 ... yes 96/103 ... yes 80/104 ... yes 107/106 ... yes 109/107 ... yes 109/108 ... yes 70/109 ... yes 69/110 ... yes 100/111 ... yes 114/114 ... yes 38/115 ... yes 92/116 ... yes 78/117 ... yes 73/118 ... yes 73/120 ... yes 114/121 ... yes 114/122 ... yes 119/123 ... yes 119/124 ... yes 119/125 ... yes 119/126 ... yes 37/127 ... yes 92/128 ... yes 92/129 ... yes 92/130 ... yes 92/131 ... yes 92/132 ... yes 92/133 ... yes 92/134 ... yes Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.5.3) Git version >= 2.18.0 ? ... yes (2.18.1) Git user has default SSH configuration? ... yes Active users: ... 58 Checking GitLab App ... Finished Checking GitLab subtasks ... Finished </pre> </details> ### Possible fixes (If you can, link to the line of code that might be responsible for the problem)

issue