CVE-2022-1285: webhook: revalidate local hostname before each delivery (#6988) · gogs/gogs@7885f45
Server-Side Request Forgery (SSRF) in GitHub repository gogs/gogs prior to 0.12.8.
@@ -119,20 +119,17 @@ func WebhooksNew(c *context.Context, orCtx *orgRepoContext) { c.Success(orCtx.TmplNew) }
func validateWebhook(actor *db.User, l macaron.Locale, w *db.Webhook) (field, msg string, ok bool) { if !actor.IsAdmin { // 🚨 SECURITY: Local addresses must not be allowed by non-admins to prevent SSRF, // see https://github.com/gogs/gogs/issues/5366 for details. payloadURL, err := url.Parse(w.URL) if err != nil { return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_parse_payload_url", err), false }
if netutil.IsLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) { return "PayloadURL", l.Tr(“repo.settings.webhook.err_cannot_use_local_addresses”), false } func validateWebhook(l macaron.Locale, w *db.Webhook) (field, msg string, ok bool) { // 🚨 SECURITY: Local addresses must not be allowed by non-admins to prevent SSRF, // see https://github.com/gogs/gogs/issues/5366 for details. payloadURL, err := url.Parse(w.URL) if err != nil { return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_parse_payload_url", err), false }
if netutil.IsBlockedLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) { return "PayloadURL", l.Tr(“repo.settings.webhook.url_resolved_to_blocked_local_address”), false } return "", "", true }
@@ -144,7 +141,7 @@ func validateAndCreateWebhook(c *context.Context, orCtx *orgRepoContext, w *db.W return }
field, msg, ok := validateWebhook(c.User, c.Locale, w) field, msg, ok := validateWebhook(c.Locale, w) if !ok { c.FormErr(field) c.RenderWithErr(msg, orCtx.TmplNew, nil) @@ -348,7 +345,7 @@ func validateAndUpdateWebhook(c *context.Context, orCtx *orgRepoContext, w *db.W return }
field, msg, ok := validateWebhook(c.User, c.Locale, w) field, msg, ok := validateWebhook(c.Locale, w) if !ok { c.FormErr(field) c.RenderWithErr(msg, orCtx.TmplNew, nil)
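Review bot: The SECURITY comment at the top of the new validateWebhook body still says local addresses "must not be allowed by non-admins", but the hunk drops the `actor` parameter and the `!actor.IsAdmin` guard, so the check now applies to every caller, admins included; the comment should be updated to match, e.g. `// 🚨 SECURITY: Local addresses must not be allowed for any user (admins included) to prevent SSRF,` with the issue link kept on the following line. The same hunk passes `payloadURL.Hostname()` straight to netutil.IsBlockedLocalHostname; when url.Parse accepts a value without a host component that string is empty, and how the helper treats an empty hostname is not visible here, so an explicit rejection of an empty hostname before the call would make the save-time check self-contained. The commit title says the hostname is also revalidated before each delivery, but that code is outside this section, so the hunks shown only establish the save-time check; the two call-site hunks in validateAndCreateWebhook and validateAndUpdateWebhook are just the signature change and need no further comment.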
### Impact A malicious user is able to discover services in the internal network through the webhook functionality. All installations accepting public traffic are affected. ### Patches Webhook payload URLs are revalidated before each delivery to make sure they do not resolve to blocked local network addresses. Users should upgrade to 0.12.8 or the latest 0.13.0+dev. ### Workarounds Run Gogs in its own private network. ### References https://huntr.dev/bounties/da1fbd6e-7a02-458e-9c2e-6d226c47046d/ ### For more information If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/6901.