Webhooks and insecure internal web services

Users with at least the Maintainer role can set up webhooks that are triggered when specific changes occur in a project. When triggered, a POST HTTP request is sent to a URL. A webhook is usually configured to send data to a specific external web service, which processes the data in an appropriate way.

However, a webhook can be configured with a URL for an internal web service instead of an external web service. When the webhook is triggered, non-GitLab web services running on your GitLab server or in its local network could be exploited.

Webhook requests are made by the GitLab server itself and use a single optional secret token per hook for authorization instead of:

  • A user token.
  • A repository-specific token.

As a result, these requests can have broader access than intended, including access to everything running on the server that hosts the webhook including:

  • The GitLab server.
  • The API itself.
  • For some webhooks, network access to other servers in that webhook server’s local network, even if these services are otherwise protected and inaccessible from the outside world.

Webhooks can be used to trigger destructive commands using web services that don’t require authentication. These webhooks can get the GitLab server to make POST HTTP requests to endpoints that delete resources.

Allow webhook and service requests to local network

To prevent exploitation of insecure internal web services, all webhook requests to the following local network addresses are not allowed:

  • The current GitLab instance server address.
  • Private network addresses, including 127.0.0.1, ::1, 0.0.0.0, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and IPv6 site-local (ffc0::/10) addresses.

To allow access to these addresses:

  1. On the top bar, select Main menu > Admin.
  2. On the left sidebar, select Settings > Network.
  3. Expand Outbound requests.
  4. Select the Allow requests to the local network from web hooks and services checkbox.

Prevent system hook requests to local network

System hooks are permitted to make requests to local network by default because they are set up by administrators. To prevent system hook requests to the local network:

  1. On the top bar, select Main menu > Admin.
  2. On the left sidebar, select Settings > Network.
  3. Expand Outbound requests.
  4. Clear the Allow requests to the local network from system hooks checkbox.

Create an allowlist for local requests

Introduced in GitLab 12.2

You can allow certain domains and IP addresses to be accessible to both system hooks and webhooks, even when local requests are forbidden. To add these domains to the allowlist:

  1. On the top bar, select Main menu > Admin.
  2. On the left sidebar, select Settings > Network.
  3. Expand Outbound requests and add entries.

The entries can:

  • Be separated by semicolons, commas, or whitespaces (including newlines).
  • Be in different formats like hostnames, IP addresses, IP address ranges. IPv6 is supported. Hostnames that contain Unicode characters should use Internationalized Domain Names in Applications (IDNA) encoding.
  • Include ports. For example, 127.0.0.1:8080 only allows connections to port 8080 on 127.0.0.1. If no port is specified, all ports on that IP address or domain are allowed. An IP address range allows all ports on all IP addresses in that range.
  • Number no more than 1000 entries of no more than 255 characters for each entry.
  • Not contain wildcards (for example, *.example.com).

For example:

example.com;gitlab.example.com
127.0.0.1,1:0:0:0:0:0:0:1
127.0.0.0/8 1:0:0:0:0:0:0:0/124
[1:0:0:0:0:0:0:1]:8080
127.0.0.1:8080
example.com:8080