Skip to content

fix(auth): restrict oauth2 login avatar fetch to external hosts#38290

Open
insaf021 wants to merge 3 commits into
go-gitea:mainfrom
insaf021:oauth2-avatar-ssrf
Open

fix(auth): restrict oauth2 login avatar fetch to external hosts#38290
insaf021 wants to merge 3 commits into
go-gitea:mainfrom
insaf021:oauth2-avatar-ssrf

Conversation

@insaf021

@insaf021 insaf021 commented Jul 1, 2026

Copy link
Copy Markdown

oauth2UpdateAvatarIfNeed downloads the avatar URL handed over by the login provider (goth User.AvatarURL, i.e. the OIDC picture claim) with a bare client:

resp, err := oauth2AvatarHTTPClient.Do(req)

Webhook and migration egress is already funnelled through hostmatcher.NewDialContext, but this fetch was not, so with OAUTH2_CLIENT.UPDATE_AVATAR on, a hostile picture value drives a server-side GET to internal targets on sign-in: http://169.254.169.254/... cloud metadata, loopback admin panels, RFC1918 hosts.

Route the avatar client through the same dialer with a MatchBuiltinExternal allow-list so only public hosts are reachable, the same default the webhook client uses. Built via sync.OnceValue so proxy settings are read after config load rather than at package init.

Checked the resulting dialer rejects 127.0.0.1, 169.254.169.254, 10.0.0.0/8 and 192.168.0.0/16 while public hosts still resolve.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. type/bug

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants