server-side request forgery (SSRF) vulnerability in webhooks

[Siesh1oo]

• Gitea version (or commit ref): 1.5.0+rc1-98-g9ea327f1f
• Git version: not relevant
• Operating system: not relevant
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

Due to shared code base, gitea is affected by issue gogs/gogs#5366 (server-side request forgery (SSRF) vulnerability in webhooks).

To reproduce:

• create Webhook with target URL to any running existing service exposed only to localhost (for example localhost:8080 or localhost:19999, depending on what is running on the test machine).
• POST content

Screenshots

See gogs/gogs#5366.

[SagePtr]

Probably there should be IP/subnet blacklist which could be configured in ini file or via admin panel.
But this functionality should be configurable because in some situations webhook may point to server on the same machine.
Could be also checkbox which allows to bypass protection for certain webhooks, but this checkbox should be visible and editable by server administrators only (like regular hooks) and auto-reset to off if webhook url is modified by non-admin user.

[Siesh1oo]

webhook URLs should never be allowed to point to localhost, 127.0.0.1, ::1, server name, server IP address, etc (one might consider an isAdmin() exception tho)

[techknowlogick]

The code that needs to get changed is here: https://github.com/go-gitea/gitea/blob/master/modules/httplib/httplib.go#L315-L339

Some similar code can be found here: https://github.com/hakobe/paranoidhttp/blob/master/client.go#L109

A note that Dial is deprecated, and should be changed to DialContext

[tosone]

Default IP black list should block the local network, and admin can change this by hand.

[lafriks]

I think it needs some kind of admin setting in app.ini to disable that

[daviian]

I love the idea to limit webhooks using internal ip address range to admin permission since the admin has knowledge about internal server infrastructure / services.
So if a project / repository needs that they can request an admin to add this webhook.

[Siesh1oo]

@daviian : still non-Admin User sind should probably not be allowed to create Webhooks pointing to the local server, or is there some use case where this seems useful (and harmless?)?

[daviian]

@Siesh1oo yes you're right. non-admin users shouldn't be allowed to add such webhooks. if they need to, for whatever reason, they should be required to ask an admin to do so.

[wxiaoguang]

I have fixed it by introducing allow list

• Only allow webhook to send requests to allowed hosts #17482