Webhooks and insecure internal web services (FREE SELF)
Users with at least the Maintainer role can set up webhooks that are
triggered when specific changes occur in a project. When triggered, a POST
HTTP request is sent to a URL. A webhook is
usually configured to send data to a specific external web service, which processes the data in an appropriate way.
However, a webhook can be configured with a URL for an internal web service instead of an external web service. When the webhook is triggered, non-GitLab web services running on your GitLab server or in its local network could be exploited.
Webhook requests are made by the GitLab server itself and use a single optional secret token per hook for authorization instead of:
- A user token.
- A repository-specific token.
As a result, these requests can have broader access than intended, including access to everything running on the server that hosts the webhook including:
- The GitLab server.
- The API itself.
- For some webhooks, network access to other servers in that webhook server's local network, even if these services are otherwise protected and inaccessible from the outside world.
Webhooks can be used to trigger destructive commands using web services that don't require authentication. These webhooks
can get the GitLab server to make POST
HTTP requests to endpoints that delete resources.
Allow webhook and service requests to local network
To prevent exploitation of insecure internal web services, all webhook requests to the following local network addresses are not allowed:
- The current GitLab instance server address.
- Private network addresses, including
127.0.0.1
,::1
,0.0.0.0
,10.0.0.0/8
,172.16.0.0/12
,192.168.0.0/16
, and IPv6 site-local (ffc0::/10
) addresses.
To allow access to these addresses:
- On the top bar, select Main menu > Admin.
- On the left sidebar, select Settings > Network.
- Expand Outbound requests.
- Select the Allow requests to the local network from web hooks and services checkbox.
Prevent system hook requests to local network
System hooks are permitted to make requests to local network by default because they are set up by administrators. To prevent system hook requests to the local network:
- On the top bar, select Main menu > Admin.
- On the left sidebar, select Settings > Network.
- Expand Outbound requests.
- Clear the Allow requests to the local network from system hooks checkbox.
Create an allowlist for local requests
Introduced in GitLab 12.2
You can allow certain domains and IP addresses to be accessible to both system hooks and webhooks, even when local requests are forbidden. To add these domains to the allowlist:
- On the top bar, select Main menu > Admin.
- On the left sidebar, select Settings > Network.
- Expand Outbound requests and add entries.
The entries can:
- Be separated by semicolons, commas, or whitespaces (including newlines).
- Be in different formats like hostnames, IP addresses, IP address ranges. IPv6 is supported. Hostnames that contain Unicode characters should use Internationalized Domain Names in Applications (IDNA) encoding.
- Include ports. For example,
127.0.0.1:8080
only allows connections to port 8080 on127.0.0.1
. If no port is specified, all ports on that IP address or domain are allowed. An IP address range allows all ports on all IP addresses in that range. - Number no more than 1000 entries of no more than 255 characters for each entry.
- Not contain wildcards (for example,
*.example.com
).
For example:
example.com;gitlab.example.com
127.0.0.1,1:0:0:0:0:0:0:1
127.0.0.0/8 1:0:0:0:0:0:0:0/124
[1:0:0:0:0:0:0:1]:8080
127.0.0.1:8080
example.com:8080