SSRF - Scan Internal Ports and GCP/AWS endpoints (#51327) · Issues · GitLab.org / GitLab FOSS · GitLab


SSRF - Scan Internal Ports and GCP/AWS endpoints

Link:          https://hackerone.com/reports/406299
By:            @ngalog

Details: Hi Gitlab Security,

I notice the mirroring repositories function allows a user to specify the ssh, http, https and git schemes to fetch a repo.

The SSRF fix doesn't seem to have been applied here; I confirm I can make gitlab.com make a request to GCP endpoints and make it resolve to 169.254.169.152.

The following screenshots show the error message when gitlab.com tries to connect to different GCP ports.

[Screenshot Screen_Shot_2018-09-06_at_6.59.14_PM] GCP port 80 is open

[Screenshot Screen_Shot_2018-09-06_at_6.59.30_PM] GCP port 443 closed

[Screenshot Screen_Shot_2018-09-06_at_6.59.39_PM] GCP port 80 not found

[Screenshot Screen_Shot_2018-09-06_at_6.59.48_PM] Internal host port 22 is open, and verification is wrong

Steps to reproduce

1. Visit https://gitlab.com/{userid}/{project_id}/settings/repository
2. Enter the following payload as the git repository URL:

ssh://metadata.google.internal:80/hihihi
ssh://metadata.google.internal/hihihi

Impact

SSRF to internal host and GCP
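The report's point is that the mirror URL was checked for http(s) but not for the ssh and git schemes, so a hostname resolving to the link-local metadata range slipped through. The following is an added example of the kind of check a defender would want on every accepted scheme; it is not GitLab's code and not part of the report. It is a hypothetical `validate_mirror_url` that parses the URL generically (so `ssh://host:port/path` and `git://` get the same treatment as `https://`), resolves the host, and rejects any result in the loopback, link-local or RFC 1918 ranges, also unwrapping IPv4-mapped IPv6 literals. The blocked-hostname list and the DNS stub used in the test are constructed for the example; the production default resolver is Ruby's `Resolv`.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Raised when a mirror URL fails the check.
class MirrorUrlError < StandardError; end

# Schemes the mirror feature accepts (from the report). The check must cover all of them.
ALLOWED_SCHEMES = %w[ssh http https git].freeze

# Constructed block list of hostnames that should never be mirrored from.
BLOCKED_HOSTNAMES = %w[localhost metadata metadata.google.internal].freeze

# Address ranges a public service must never fetch from on behalf of a user:
# loopback, "this network", link-local (cloud metadata lives in 169.254.0.0/16),
# RFC 1918 private space, and their IPv6 counterparts.
BLOCKED_RANGES = %w[
  127.0.0.0/8 0.0.0.0/8 169.254.0.0/16 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  ::1/128 fe80::/10 fc00::/7
].map { |cidr| IPAddr.new(cidr) }.freeze

# Default resolver: all A/AAAA answers for the name. Injected so tests can run offline.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

def ip_literal?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

def blocked_address?(addr)
  ip = IPAddr.new(addr)
  ip = ip.native if ip.ipv4_mapped? # ::ffff:169.254.169.254 -> 169.254.169.254
  BLOCKED_RANGES.any? { |range| range.family == ip.family && range.include?(ip) }
end

# Returns a hash describing the URL if it is acceptable, raises MirrorUrlError otherwise.
def validate_mirror_url(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url) # URI::Generic handles ssh:// and git:// with host and port
  unless ALLOWED_SCHEMES.include?(uri.scheme)
    raise MirrorUrlError, "scheme not allowed: #{uri.scheme.inspect}"
  end

  host = uri.hostname # strips the [] around IPv6 literals
  raise MirrorUrlError, 'missing host' if host.nil? || host.empty?
  host = host.downcase
  raise MirrorUrlError, "blocked hostname: #{host}" if BLOCKED_HOSTNAMES.include?(host)

  # Check the literal itself, or every address the name resolves to (not just the first).
  addresses = ip_literal?(host) ? [host] : resolver.call(host)
  raise MirrorUrlError, "could not resolve #{host}" if addresses.empty?
  addresses.each do |addr|
    raise MirrorUrlError, "#{host} resolves to blocked address #{addr}" if blocked_address?(addr)
  end

  { scheme: uri.scheme, host: host, port: uri.port, addresses: addresses }
end

# Boolean convenience wrapper; malformed URLs count as unsafe.
def safe_mirror_url?(url, resolver: DEFAULT_RESOLVER)
  validate_mirror_url(url, resolver: resolver)
  true
rescue MirrorUrlError, URI::InvalidURIError
  false
end
```

The important design choice is that the scheme gate and the address check sit in one function that every mirror scheme passes through, rather than living in an HTTP-only code path; a resolver that returns all addresses also guards against a name that alternates between a public and a link-local answer.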