In 2018, this issue was created to address an SSRF vulnerability in Gogs in which an attacker could have Gogs send requests to network-internal hosts. A patch for this was released (see diff), and no further queries about the SSRF issue appear to have been raised since (from what I can tell).
The patch that was released is blacklist-based. That is not a bad approach in every case, but in this particular case the blacklist does not cover all addresses that resolve to localhost, so it is incomplete in quite a few scenarios.
The vulnerable code is as follows:
	var localHostnames = []string{ // exact-match list of loopback spellings
		"localhost",
		"127.0.0.1",
		"::1",
		"0:0:0:0:0:0:0:1",
	}
It does not account for the fact that the entire 127.*.*.* range is loopback as well, not only 127.0.0.1.
Proof of concept: against https://try.gogs.io/repo/migrate, with http://127.1.33.7:3306/ as the address to clone from, the response indicated that port 3306 (MySQL) was open; if it was not, the response indicated that it was closed (an error in that case would be: Migration failed: clone: exit status 128 - fatal: unable to access 'http://@127.1.33.7:[closed_port]/': Failed connect to 127.1.33.7:[closed_port]; Connection refused). This vulnerability is capable of allowing attackers to conduct internal port scans.
(Please note that the SSRF shown here is a 'blind SSRF'; attackers, from what I can tell, would not gain any sensitive information beyond the open/closed status of a given port.)
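The gap described above, an exact-match list versus the whole loopback range, as an added Go example that is not Gogs code: the quoted blacklist beside a range-based check on the parsed address. The CIDR table, the function names and the fail-closed handling of unparseable input are my assumptions about what a replacement check should do, not anything the report or the patch specifies.

```go
package main

import "net"

var localHostnames = []string{"localhost", "127.0.0.1", "::1", "0:0:0:0:0:0:0:1"} // as quoted in the report

// BlockedByBlacklist is the weak check: 127.1.33.7 is not in the list, so it
// passes even though it is a loopback address.
func BlockedByBlacklist(host string) bool {
	for _, h := range localHostnames {
		if host == h {
			return true
		}
	}
	return false
}

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err) // constant table: a typo should fail at startup, not per request
	}
	return n
}

// Ranges a server-side fetcher should refuse (assumed table), as whole CIDR
// blocks so that every 127.x.x.x address is covered, not one spelling of it.
var blockedNets = []*net.IPNet{
	cidr("127.0.0.0/8"), cidr("0.0.0.0/8"), cidr("169.254.0.0/16"), // IPv4 loopback, "this host", link-local
	cidr("10.0.0.0/8"), cidr("172.16.0.0/12"), cidr("192.168.0.0/16"), // RFC 1918 private
	cidr("::1/128"), cidr("fc00::/7"), cidr("fe80::/10"), // IPv6 loopback, unique local, link-local
}

// IsInternalIP is the hardened check: it decides on the parsed address, not its
// spelling. IPNet.Contains normalises IPv4-mapped IPv6 (::ffff:127.0.0.1) too.
func IsInternalIP(ip net.IP) bool {
	if ip == nil {
		return true // unparseable input: fail closed
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```

In practice the range check belongs on the addresses the client actually connects to (every resolved IP, and again after any redirect), not on the hostname string the user submitted.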