security: fix SSRF in repository migration #6812
Conversation
Thanks for the patch! Looks like the CI is failing.

This should fix: `Error: internal/route/repo/webhook.go:149:44: undefined: host`

This should fix: `Error: internal/route/repo/webhook_test.go:31:40: missing ',' before newline in composite literal`

I think that the issues have been fixed.
Codecov Report

Coverage diff, main vs. #6812:

| | main | #6812 | +/- |
|---|---|---|---|
| Coverage | 8.79% | 8.93% | +0.14% |
| Files | 97 | 98 | +1 |
| Lines | 13206 | 13231 | +25 |
| Hits | 1161 | 1182 | +21 |
| Misses | 11883 | 11885 | +2 |
| Partials | 162 | 164 | +2 |
I think this PR is only fixing part of the problem after a closer look, which is the webhook... not the repository migration, because I'm going to make a few direct pushes.

@michaellrowley If you wanna look at the steps I made, you can go through each commit.
```go
if netutil.IsLocalHostname(u.Hostname()) {
	return "", db.ErrInvalidCloneAddr{IsURLError: true}
}
```
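Review bot: the guard is exactly as strong as netutil.IsLocalHostname applied to u.Hostname(), and the thread below notes that without the rewritten IsLocalHostname this call is bypassable, so the PR should carry a test for this route that feeds it loopback and private IP literals and a name resolving to an internal address, not only the string "localhost". Also, returning db.ErrInvalidCloneAddr{IsURLError: true} reports a malformed URL for a host that is syntactically valid but disallowed; a distinct flag or message would make the user-facing error accurate.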
@michaellrowley This is where the real fix to the report is, as far as I understand.
Yeah, that seems to be the case (although without the rewritten IsLocalHostname it would still have been possible to bypass this call and the one in validateWebhook).
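As an added example (not Gogs' code and not the rewritten netutil.IsLocalHostname from this PR), the Go program below shows the shape of a local-host check that closes the gaps the comment above refers to: it rejects the literal name, IP literals including IPv4-mapped IPv6, and any name whose DNS answers include a loopback, link-local or private address, and it fails closed when a name does not resolve. The Resolver type, the fakeLookup table and the CheckCloneAddr helper are constructed for this example; the blocked ranges are the standard loopback, unspecified, RFC 1918, link-local and CGNAT blocks and their IPv6 counterparts.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// blockedNets: ranges a clone or webhook target must never resolve to.
// Constructed for this example.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "::1/128", "::/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP reports whether ip falls in any blocked range. IPv4-mapped IPv6
// addresses such as ::ffff:127.0.0.1 are reduced to IPv4 first so the IPv4
// ranges match them.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Resolver abstracts DNS lookup so the check can run offline (constructed).
type Resolver func(host string) ([]net.IP, error)

// IsLocalHostname reports whether host (as returned by url.URL.Hostname(), i.e.
// without brackets or port) names the local machine or an internal network.
// It checks the literal name, an IP literal, and every address the name
// resolves to; a name that does not resolve is treated as local (fail closed).
func IsLocalHostname(host string, lookup Resolver) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return true
	}
	if ip := net.ParseIP(host); ip != nil {
		return isBlockedIP(ip)
	}
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return true
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return true // a single internal answer is enough to reject
		}
	}
	return false
}

// CheckCloneAddr parses a user-supplied clone URL the way a migration route
// would and rejects it when its host is local. Constructed helper.
func CheckCloneAddr(raw string, lookup Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid clone address: %w", err)
	}
	if IsLocalHostname(u.Hostname(), lookup) {
		return fmt.Errorf("clone address %q points at a local or internal host", raw)
	}
	return nil
}

// fakeLookup is a constructed resolver standing in for DNS.
func fakeLookup(host string) ([]net.IP, error) {
	table := map[string][]string{
		"example.com":      {"93.184.216.34"},
		"internal.example": {"93.184.216.34", "10.0.0.5"}, // mixed public/private answers
		"mapped.example":   {"::ffff:127.0.0.1"},
	}
	addrs, ok := table[host]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, raw := range []string{
		"https://example.com/user/repo.git",
		"http://localhost:3000/user/repo.git",
		"https://internal.example/user/repo.git",
	} {
		fmt.Printf("%-42s -> %v\n", raw, CheckCloneAddr(raw, fakeLookup))
	}
}
```

The same function serves both call sites mentioned in the thread (the migration route and validateWebhook), since both start from a parsed URL's Hostname(). In production the lookup would be net.DefaultResolver.LookupIPAddr; note that a check at validation time still does not cover a DNS answer that changes between validation and the actual clone, so the clone itself should also be made through a dialer that applies isBlockedIP to the connected address.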
Co-authored-by: Joe Chen <jc@unknwon.io>

# Conflicts:
#	CHANGELOG.md
#	internal/route/repo/webhook.go
https://huntr.dev/bounties/327797d7-ae41-498f-9bff-cc0bf98cf531/ / CVE-2022-0870
Describe the pull request
This pull request contains a proposed patch for the vulnerability noted in the above links.
Checklist