History: Apr 06, 2022 - 3:10 p.m.

FULL read SSRF

2022-04-06 15:10:31
amammad
www.huntr.dev

EPSS: 0.001 (Low), Percentile: 50.5%

Description

There are two ways to bypass the previous SSRF fixes in Gogs.

The first is to carry out the SSRF attack using DNS rebinding.

The second is to use a redirect to a localhost URL.

Proof of Concept

1- Go to the webhooks section and create a Gogs webhook.

2- Enter a URL that redirects to http://169.254.169.254/metadata/v1.json

3- Test the webhook and look at its response; you can read the complete response data from internal resources.

For proof, I got the DigitalOcean public key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIaWqg1t4RKxx+G9JUq7rDbpFq/331m7Bei3NVwDBP0r".
There is no security issue within the DigitalOcean droplet's metadata, but in AWS, GCP, and some other clouds, the access keys can be accessed through this vulnerability.

The account/webhook address that I used during my tests is https://try.gogs.io/amammad/Azadig/settings/hooks/523

Fix suggestion

IsLocalHostname should resolve the hostname and check the IP addresses it actually resolves to, rather than only inspecting the hostname string.
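The following Go code is an added illustration of that fix suggestion; it is not Gogs's own code and the function names (`ValidateWebhookURL`, `NewWebhookClient`, `isDisallowedIP`) are assumed. It closes both bypasses from the report: redirects are checked hop by hop via `http.Client.CheckRedirect`, and DNS rebinding is handled by validating the resolved address inside `net.Dialer.Control`, which runs at connect time on the IP the socket is actually about to use, so a DNS answer that changes between validation and connection is still caught. The link-local range that contains 169.254.169.254 is rejected along with loopback and private ranges.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// isDisallowedIP reports whether ip must never be reached by a webhook:
// loopback, link-local (169.254.0.0/16 holds the cloud metadata endpoint),
// private, unspecified or multicast addresses.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() ||
		ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() ||
		ip.IsUnspecified() ||
		ip.IsMulticast()
}

// CheckHostname resolves host and rejects it if any returned address is
// disallowed. This is the behaviour the report asks of IsLocalHostname:
// decide on the resolved addresses, not on the literal hostname.
func CheckHostname(host string) error {
	ips, err := net.LookupIP(host)
	if err != nil {
		return err
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}

// checkDialAddress is installed as net.Dialer.Control. Go passes it the
// already-resolved "ip:port" the socket is about to connect to, so this check
// cannot be bypassed by a DNS answer that differs from the one seen earlier.
func checkDialAddress(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("unexpected non-IP dial address %q", address)
	}
	if isDisallowedIP(ip) {
		return fmt.Errorf("connection to %s blocked", ip)
	}
	return nil
}

// checkRedirect runs before every redirected request is sent, so a public
// URL that 302s to localhost or to the metadata IP is refused at that hop.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 5 {
		return errors.New("too many redirects")
	}
	return ValidateWebhookURL(req.URL.String())
}

// ValidateWebhookURL checks scheme and destination. Literal IP hosts are
// checked directly; hostnames are resolved and every address is checked.
func ValidateWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		if isDisallowedIP(ip) {
			return fmt.Errorf("address %s is not allowed", ip)
		}
		return nil
	}
	return CheckHostname(u.Hostname())
}

// NewWebhookClient builds an http.Client with both defences wired in.
func NewWebhookClient() *http.Client {
	dialer := &net.Dialer{Timeout: 10 * time.Second, Control: checkDialAddress}
	return &http.Client{
		Timeout:       30 * time.Second,
		Transport:     &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: checkRedirect,
	}
}

func main() {
	// Constructed sample targets, not taken from the report's test account.
	for _, target := range []string{"http://169.254.169.254/metadata/v1.json", "http://127.0.0.1:3000/", "ftp://example.com/"} {
		fmt.Printf("%s -> %v\n", target, ValidateWebhookURL(target))
	}
}
```

Checking the URL once at save time is not sufficient on its own: the `Control` hook is what protects the actual connection, and `CheckRedirect` is what stops a benign-looking first hop from bouncing the request to an internal address.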
