server-side request forgery (SSRF) vulnerability in webhooks · Issue #5366 · gogs/gogs · GitHub

math1as opened this issue Aug 6, 2018 · 2 comments · Fixed by #6002
math1as commented Aug 6, 2018
  • Gogs version (or commit ref): <= 0.11.53.0603
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist (usually found in log/gogs.log):

Description

When an attacker is able to set the URL of webhooks, he may set it to an internal address.
Here is the result I have tested in try.gogs.io:

[image: tester]

You could see that I get the HTTP response of Caddy running on 127.0.0.1:80 of try.gogs.io, which is only opened to local users.
Also, I could know which port is opened, like MySQL on port 3306, even if it is just opened to a local user.

Patch

Check the URL that users may input; webhooks shouldn't allow such internal address access.
Reference on how GitLab deals with SSRF in webhooks:
https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/

Discoverer

Wenxu Wu of Tencent's Xuanwu Lab

@unknwon unknwon added the 🔒 security Categorizes as related to security label Aug 14, 2018
@unknwon unknwon added this to the 0.12 milestone Aug 14, 2018
@unknwon unknwon modified the milestones: 0.13, 0.12 Jan 28, 2020
@unknwon unknwon self-assigned this Mar 21, 2020
@unknwon unknwon linked a pull request Mar 22, 2020 that will close this issue
unknwon added a commit that referenced this issue Mar 22, 2020
* Overhaul route handlers and fixes #5366

* Merge routes for repo and org

* Inject OrgRepoContext

* DRY validateWebhook

* DRY c.HasError

* Add tests

* Update CHANGELOG
Member
unknwon commented Mar 22, 2020

Thanks again for the report!

The patch has been pushed to master branch, and you shouldn't be able to create any new webhooks using local addresses without an admin account.
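
The check the report asks for in its Patch section, together with the admin exception the maintainer describes above, as an added example written for this page. It is not Gogs' own code: the names `ValidateWebhookURL`, `isInternalIP`, `LookupFunc` and `ConstructedLookup` are assumptions, and the host table in `ConstructedLookup` is constructed so the example runs offline (production code passes `net.LookupIP`). The example goes slightly beyond the report by also rejecting link-local, CGNAT and IPv4-mapped IPv6 targets, and by rejecting a name that resolves to a mix of public and private addresses. It needs Go 1.17 or newer for `net.IP.IsPrivate`.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// LookupFunc resolves a host name to its addresses. It is a parameter so the
// check can be exercised without network access (the example passes a
// constructed table) and so delivery code can reuse exactly the addresses
// that were validated. Production code passes net.LookupIP.
type LookupFunc func(host string) ([]net.IP, error)

// isInternalIP reports whether ip lies in a range that a server-side webhook
// delivery should never reach: loopback, RFC 1918 / IPv6 ULA private space,
// link-local (which includes the 169.254.169.254 cloud metadata address),
// the unspecified address, multicast, and the 100.64.0.0/10 CGNAT block that
// net.IP.IsPrivate does not cover.
func isInternalIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast() {
		return true
	}
	// To4 also unwraps IPv4-mapped IPv6 addresses such as ::ffff:100.64.0.1.
	if ip4 := ip.To4(); ip4 != nil && ip4[0] == 100 && ip4[1]&0xc0 == 64 {
		return true
	}
	return false
}

// ValidateWebhookURL rejects raw when it is not an http(s) URL or when its
// host is, or resolves to, an internal address. allowLocal models the
// behaviour described in the maintainer's comment: an administrator may still
// register hooks to local addresses, ordinary users may not.
func ValidateWebhookURL(raw string, allowLocal bool, lookup LookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid webhook URL: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname() // strips the port and IPv6 brackets
	if host == "" {
		return errors.New("webhook URL has no host")
	}
	if allowLocal {
		return nil
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // IP literal: no DNS involved
	} else {
		if ips, err = lookup(host); err != nil {
			return fmt.Errorf("cannot resolve %q: %w", host, err)
		}
		if len(ips) == 0 {
			return fmt.Errorf("%q resolved to no addresses", host)
		}
	}
	// Every resolved address must be external: a name that maps to one public
	// and one private address is rejected, since the HTTP client may pick either.
	for _, ip := range ips {
		if isInternalIP(ip) {
			return fmt.Errorf("%q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// ConstructedLookup is a stand-in resolver with a constructed host table so
// the example runs offline; it is not a real DNS lookup.
func ConstructedLookup(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"localhost":         {net.ParseIP("127.0.0.1")},
		"hooks.example.com": {net.ParseIP("203.0.113.10")},
		"mixed.example.com": {net.ParseIP("203.0.113.10"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, raw := range []string{
		"http://127.0.0.1:80/",    // the local Caddy instance from the report
		"http://[::1]:3306/",      // port probe via the IPv6 loopback address
		"http://169.254.169.254/", // cloud metadata endpoint
		"http://localhost/",
		"http://mixed.example.com/hook",
		"https://hooks.example.com/gogs",
	} {
		fmt.Printf("%-32s -> %v\n", raw, ValidateWebhookURL(raw, false, ConstructedLookup))
	}
}
```

Validating only when the hook is created is necessary but not sufficient: a host name can answer with a public address at creation time and a private one at delivery time. The delivery path should therefore run the same check again on the addresses it actually dials, and apply it to every redirect target as well, rather than trusting the stored URL.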

bghira commented Jul 11, 2020

wow, why hasn't this been pushed in a new release?

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 18, 2022