There are two methods for bypassing the previous SSRF fixes in Gogs.
The first is to combine the SSRF attack with DNS rebinding.
The second is to use a redirect to a localhost URL.
1- Go to the webhooks section and create a Gogs webhook.
2- Enter a URL that redirects to http://169.254.169.254/metadata/v1.json
3- Test the webhook and view its response; the complete response data from the internal resource is readable.
For proof, I got the DigitalOcean public key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIaWqg1t4RKxx+G9JUq7rDbpFq/331m7Bei3NVwDBP0r"
There is no security issue within the DigitalOcean droplet's metadata, but in AWS, GCP, and some other clouds, the access keys can be accessed through this vulnerability.
The account/webhook address that I used in my tests is https://try.gogs.io/amammad/Azadig/settings/hooks/523
IsLocalHostname should return the valid IP addresses (of the hostname).
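
One way to close both bypasses, shown as an added example (not Gogs' own code and not the fix that shipped): check the destination at connect time rather than when the URL is saved, so the redirect target and any re-resolved name are validated too. The names `isBlockedIP`, `checkDial`, `newWebhookClient` and `errBlockedAddr` are hypothetical, and the sample addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

var errBlockedAddr = errors.New("webhook: destination address not allowed")

// isBlockedIP covers loopback, RFC 1918/ULA, link-local (169.254.169.254
// falls in 169.254.0.0/16), multicast and unspecified addresses.
func isBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// checkDial is a net.Dialer Control hook. It runs after name resolution and
// before connect, for every redirect hop, so address is the literal IP in use.
func checkDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	// Fail closed on anything that is not a plain IP (e.g. zoned IPv6).
	if ip := net.ParseIP(host); ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("%w: %s", errBlockedAddr, address)
	}
	return nil
}

// newWebhookClient leaves Proxy unset so the hook sees the real destination.
func newWebhookClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: checkDial}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
	}
}

func main() {
	// Constructed sample addresses, as the dialer would present them.
	for _, a := range []string{"169.254.169.254:80", "127.0.0.1:3000", "93.184.216.34:443"} {
		fmt.Printf("%-22s -> %v\n", a, checkDial("tcp", a, nil))
	}
}
```

Because the check runs on the IP the socket is about to connect to, a hostname that resolves to a public address during validation and to an internal one at delivery is still rejected.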