server-side request forgery (SSRF) vulnerability in webhooks #2147

Closed
opened 2025-11-02 04:25:20 -06:00 by GiteaMirror · 9 comments
Owner

Originally created by @Siesh1oo on GitHub (Aug 6, 2018).

  • Gitea version (or commit ref): 1.5.0+rc1-98-g9ea327f1f
  • Git version: not relevant
  • Operating system: not relevant
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Due to shared code base, gitea is affected by issue https://github.com/gogs/gogs/issues/5366 (server-side request forgery (SSRF) vulnerability in webhooks).

To reproduce:

  • create Webhook with target URL to any running existing service exposed only to localhost (for example localhost:8080 or localhost:19999, depending on what is running on the test machine).
  • POST content

Screenshots

See https://github.com/gogs/gogs/issues/5366.

Originally created by @Siesh1oo on GitHub (Aug 6, 2018). - Gitea version (or commit ref): 1.5.0+rc1-98-g9ea327f1f - Git version: not relevant - Operating system: not relevant - Database (use `[x]`): - [ ] PostgreSQL - [x] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [x] Yes (provide example URL) - [ ] No - [ ] Not relevant - Log gist: ## Description Due to shared code base, gitea is affected by issue https://github.com/gogs/gogs/issues/5366 (server-side request forgery (SSRF) vulnerability in webhooks). To reproduce: - create Webhook with target URL to any running existing service exposed only to localhost (for example localhost:8080 or localhost:19999, depending on what is running on the test machine). - POST content ## Screenshots See https://github.com/gogs/gogs/issues/5366.
GiteaMirror added the topic/security label 2025-11-02 04:25:20 -06:00
Author
Owner

@SagePtr commented on GitHub (Aug 6, 2018):

Probably there should be IP/subnet blacklist which could be configured in ini file or via admin panel.
But this functionality should be configurable because in some situations webhook may point to server on the same machine.
Could be also checkbox which allows to bypass protection for certain webhooks, but this checkbox should be visible and editable by server administrators only (like regular hooks) and auto-reset to off if webhook url is modified by non-admin user.

@SagePtr commented on GitHub (Aug 6, 2018): Probably there should be IP/subnet blacklist which could be configured in ini file or via admin panel. But this functionality should be configurable because in some situations webhook may point to server on the same machine. Could be also checkbox which allows to bypass protection for certain webhooks, but this checkbox should be visible and editable by server administrators only (like regular hooks) and auto-reset to off if webhook url is modified by non-admin user.
Author
Owner

@Siesh1oo commented on GitHub (Aug 7, 2018):

webhook URLs should never be allowed to point to localhost, 127.0.0.1, ::1, server name, server IP address, etc (one might consider an isAdmin() exception tho)

@Siesh1oo commented on GitHub (Aug 7, 2018): webhook URLs should never be allowed to point to localhost, 127.0.0.1, ::1, server name, server IP address, etc (one might consider an isAdmin() exception tho)
Author
Owner

@techknowlogick commented on GitHub (Aug 9, 2018):

The code that needs to get changed is here: https://github.com/go-gitea/gitea/blob/master/modules/httplib/httplib.go#L315-L339

Some similar code can be found here: https://github.com/hakobe/paranoidhttp/blob/master/client.go#L109

A note that Dial is deprecated, and should be changed to DialContext

@techknowlogick commented on GitHub (Aug 9, 2018): The code that needs to get changed is here: https://github.com/go-gitea/gitea/blob/master/modules/httplib/httplib.go#L315-L339 Some similar code can be found here: https://github.com/hakobe/paranoidhttp/blob/master/client.go#L109 A note that `Dial` is deprecated, and should be changed to `DialContext`
Author
Owner

@tosone commented on GitHub (Aug 15, 2018):

Default IP black list should block the local network, and admin can change this by hand.

@tosone commented on GitHub (Aug 15, 2018): Default IP black list should block the local network, and admin can change this by hand.
Author
Owner

@lafriks commented on GitHub (Aug 15, 2018):

I think it needs some kind of admin setting in app.ini to disable that

@lafriks commented on GitHub (Aug 15, 2018): I think it needs some kind of admin setting in app.ini to disable that
Author
Owner

@daviian commented on GitHub (Aug 23, 2018):

I love the idea to limit webhooks using internal ip address range to admin permission since the admin has knowledge about internal server infrastructure / services.
So if a project / repository needs that they can request an admin to add this webhook.

@daviian commented on GitHub (Aug 23, 2018): I love the idea to limit webhooks using internal ip address range to admin permission since the admin has knowledge about internal server infrastructure / services. So if a project / repository needs that they can request an admin to add this webhook.
Author
Owner

@Siesh1oo commented on GitHub (Aug 25, 2018):

@daviian : still non-Admin User sind should probably not be allowed to create Webhooks pointing to the local server, or is there some use case where this seems useful (and harmless?)?

@Siesh1oo commented on GitHub (Aug 25, 2018): @daviian : still non-Admin User sind should probably not be allowed to create Webhooks pointing to the local server, or is there some use case where this seems useful (and harmless?)?
Author
Owner

@daviian commented on GitHub (Aug 28, 2018):

@Siesh1oo yes you're right. non-admin users shouldn't be allowed to add such webhooks. if they need to, for whatever reason, they should be required to ask an admin to do so.

@daviian commented on GitHub (Aug 28, 2018): @Siesh1oo yes you're right. non-admin users shouldn't be allowed to add such webhooks. if they need to, for whatever reason, they should be required to ask an admin to do so.
Author
Owner

@wxiaoguang commented on GitHub (Jul 5, 2022):

I have fixed it by introducing allow list

@wxiaoguang commented on GitHub (Jul 5, 2022): I have fixed it by introducing allow list * https://github.com/go-gitea/gitea/pull/17482
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#2147