From 242deca524dbf922bfb08dadd65455164b9e663e Mon Sep 17 00:00:00 2001
From: Michael Rowley
Date: Tue, 8 Mar 2022 03:34:53 +0000
Subject: security: fix SSRF in repository migration (#6812)

Co-authored-by: Joe Chen
---
 internal/form/repo.go | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'internal/form')

diff --git a/internal/form/repo.go b/internal/form/repo.go
index ed963307..bc0dc426 100644
--- a/internal/form/repo.go
+++ b/internal/form/repo.go
@@ -13,6 +13,7 @@ import (
 	"gopkg.in/macaron.v1"
 
 	"gogs.io/gogs/internal/db"
+	"gogs.io/gogs/internal/netutil"
 )
 
 // _______________________________________ _________.______________________ _______________.___.
@@ -69,6 +70,11 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 	if err != nil {
 		return "", db.ErrInvalidCloneAddr{IsURLError: true}
 	}
+
+	if netutil.IsLocalHostname(u.Hostname()) {
+		return "", db.ErrInvalidCloneAddr{IsURLError: true}
+	}
+
 	if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
 		u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
 	}
-- 
cgit v1.2.3
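Review bot: The new guard in the second hunk decides on the hostname text alone, so it covers only what `netutil.IsLocalHostname` matches by name (its body is not in this diff); a name that resolves to a loopback or private address, or whose resolution differs between this check and the later fetch, is outside what a string check can see. Consider resolving the host and applying the same policy to the resulting IPs as well, and documenting the residual gap where that is not done. The blocked case reuses `db.ErrInvalidCloneAddr{IsURLError: true}`, the same value returned for an unparsable URL just above it, so callers and logs cannot distinguish a malformed address from a rejected one; a distinct field or error would help triage. A why-comment on the new `if` would also help, e.g. `// Refuse addresses that point at this host: the migration fetches the URL server-side, so a local target would expose internal services.` ParseRemoteAddr begins and ends outside the hunk.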