SSRF in repository migrate via git clone #5372

Closed
2 tasks
5alt opened this issue Aug 9, 2018 · 7 comments
Labels
🔒 security Categorizes as related to security
Comments

@5alt

5alt commented Aug 9, 2018

Description

Attacker may use migrate to send arbitrary HTTP GET requests. Impact just like #5366.

PoC

Patch

Only allow migration from trusted sources.
https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/

salt of Tencent's Xuanwu Lab

@unknwon added the 🔒 security and status: needs reproduce labels Aug 14, 2018
@unknwon unknwon added this to the 0.12 milestone Aug 14, 2018
@5alt
Author

5alt commented Aug 16, 2018

I think you can just escape some special characters like ? or # to avoid path cut-off, so that it can only access some fixed path, to lower the impact.

@NicoleG25

NicoleG25 commented Jan 2, 2020

Was this issue ever addressed? Please note that CVE-2018-16409 was assigned.

@unknwon unknwon modified the milestones: 0.13, 0.12 Jan 22, 2020
@unknwon unknwon added this to To do in 0.12 Jan 28, 2020
@unknwon unknwon moved this from To do to In progress in 0.12 Mar 21, 2020
@unknwon removed the status: needs reproduce label Mar 22, 2020
@unknwon unknwon removed this from the 0.12 milestone Mar 22, 2020
@unknwon unknwon removed this from In progress in 0.12 Mar 22, 2020
@unknwon unknwon added this to the 0.13 milestone Nov 11, 2020
@unknwon changed the title from "server-side request forgery (SSRF) vulnerability in migrate" to "SSRF in repository migrate via git clone" Nov 11, 2020
@unknwon unknwon added this to To do in 0.13 via automation Nov 11, 2020
@JaneX8

JaneX8 commented Dec 17, 2021

Is this security issue fixed yet?

@unknwon
Member

unknwon commented Dec 17, 2021

@ElleshaHackett No.

@JaneX8

JaneX8 commented Dec 18, 2021

I see. It's more than three years. Anything I can help with?

@unknwon
Member

unknwon commented Dec 19, 2021

@ElleshaHackett I think what we need is basically to implement a mitigation similar to what GitLab did, which from my understanding is to disable requests to local IPv4/IPv6 addresses by default.
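The mitigation described in the comment above, as an added example that is not Gogs code and not part of this thread: a pre-clone check that accepts only http(s) migration URLs whose host resolves exclusively to public addresses, covering loopback, link-local and private ranges for both IPv4 and IPv6 (including IPv4-mapped IPv6 spellings). The `Resolver` type and the function names are assumptions introduced for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts DNS so the check can run offline in tests (assumed type).
type Resolver func(host string) ([]net.IP, error)

// isDisallowedIP flags loopback, unspecified, link-local and private (RFC 1918,
// RFC 4193) addresses, including IPv4-mapped IPv6 spellings such as ::ffff:10.0.0.1.
func isDisallowedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4 // normalise mapped IPv6 to plain IPv4 before the range checks
	}
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast()
}

// CheckMigrationURL accepts only http(s) URLs whose host resolves exclusively to
// public addresses. This is a pre-check: a complete fix re-applies isDisallowedIP at
// connect time and on every redirect, since the DNS answer can change in between.
func CheckMigrationURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return fmt.Errorf("rejecting %q: only http(s) URLs may be migrated", raw)
	}
	host := u.Hostname() // strips brackets from IPv6 literals
	if host == "" {
		return fmt.Errorf("migration URL %q has no host", raw)
	}
	ips := []net.IP{}
	if ip := net.ParseIP(host); ip != nil {
		ips = append(ips, ip) // literal address: no DNS needed
	} else if ips, err = resolve(host); err != nil {
		return err
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return fmt.Errorf("host %s resolves to internal address %s", host, ip)
		}
	}
	return nil
}

func main() {
	fmt.Println(CheckMigrationURL("http://[::ffff:127.0.0.1]:3000/org/repo.git", net.LookupIP))
}
```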

@unknwon
Member

unknwon commented Mar 6, 2022

Hey, according to https://owasp.org/www-community/attacks/Server_Side_Request_Forgery, being able to make requests to the external network is not considered SSRF. Thus closing. Please comment if you have any other questions!

@unknwon unknwon closed this as completed Mar 6, 2022
0.13 automation moved this from To do to Done Mar 6, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 10, 2022