History: Jul 17, 2021 - 10:23 a.m.

Server-Side Request Forgery (SSRF) in gogs/gogs

2021-07-17 10:23:17
michaellrowley
www.huntr.dev

EPSS: 0.001 (Low), percentile 50.8%

✍️ Description

In 2018, this issue was created to address an SSRF vulnerability in gogs wherein an attacker could have gogs send requests to network-internal hosts. A patch for this was released (see diff) and, from what I can tell, no further queries about the SSRF issue have been raised since.
The patch that was released is a blacklist-based one. Blacklisting is not a bad idea in every case, but in this particular case the blacklist does not cover all addresses that resolve to localhost in quite a few scenarios.
The vulnerable code is as follows:

var localHostnames = []string{
	"localhost",
	"127.0.0.1",
	"::1",
	"0:0:0:0:0:0:0:1",
}

It does not account for the fact that any address in 127.*.*.* (the whole loopback range, not only 127.0.0.1) also refers to localhost.
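To show why an exact-match blacklist misses this and what a range-based check looks like, here is an added example written for this report; it is not gogs code, and the function names, the injected resolver and the hostnames in its lookup table are all constructed for the demonstration. It puts the quoted blacklist beside a check that parses or resolves the host and classifies every resulting address by range with Go's net.IP predicates (loopback, unspecified, private, link-local), failing closed when resolution fails or when a name resolves to a mix of public and internal addresses.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// The blacklist quoted in the report, reproduced so the two checks can be
// compared side by side.
var localHostnames = []string{
	"localhost",
	"127.0.0.1",
	"::1",
	"0:0:0:0:0:0:0:1",
}

// isLocalHostnameBlacklist is the exact-match behaviour the report describes:
// only the four literals are rejected, so 127.1.33.7 passes although it is loopback.
func isLocalHostnameBlacklist(host string) bool {
	for _, h := range localHostnames {
		if strings.EqualFold(host, h) {
			return true
		}
	}
	return false
}

// isInternalIP classifies by address range instead of by string: all of
// 127.0.0.0/8 and ::1, the unspecified addresses, RFC 1918 / ULA private
// space and link-local space (which includes cloud metadata endpoints).
func isInternalIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast()
}

// LookupFunc resolves a hostname; it is injected so the check runs offline.
type LookupFunc func(host string) ([]net.IP, error)

// isInternalHost parses the host as an IP literal when possible, otherwise
// resolves it, and reports internal if any resulting address is internal.
// Resolution failures are treated as internal (fail closed).
func isInternalHost(host string, lookup LookupFunc) bool {
	if ip := net.ParseIP(host); ip != nil {
		return isInternalIP(ip)
	}
	ips, err := lookup(host)
	if err != nil || len(ips) == 0 {
		return true
	}
	for _, ip := range ips {
		if isInternalIP(ip) {
			return true
		}
	}
	return false
}

// cloneURLIsInternal applies the range-based check to a clone address the way
// a migration handler would, using the URL host without port or brackets.
func cloneURLIsInternal(raw string, lookup LookupFunc) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return true, err
	}
	host := u.Hostname()
	if host == "" {
		return true, errors.New("clone address has no host")
	}
	return isInternalHost(host, lookup), nil
}

// constructedLookup is a stand-in resolver with made-up records so the example
// needs no network; real code would call net.DefaultResolver.LookupIP.
func constructedLookup(host string) ([]net.IP, error) {
	table := map[string][]string{
		"public.example":   {"203.0.113.10"},               // TEST-NET-3 documentation range
		"intranet.example": {"10.20.30.40"},                // RFC 1918
		"rebind.example":   {"203.0.113.11", "127.0.0.1"}, // mixed public/internal answer
	}
	addrs, ok := table[strings.ToLower(host)]
	if !ok {
		return nil, errors.New("no such host")
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, raw := range []string{
		"http://127.1.33.7:3306/", "http://[::1]:8080/", "http://169.254.169.254/",
		"https://public.example/gogs.git", "https://intranet.example/repo.git",
		"https://rebind.example/repo.git",
	} {
		u, _ := url.Parse(raw)
		internal, _ := cloneURLIsInternal(raw, constructedLookup)
		fmt.Printf("%-36s blacklist=%-5v range-check=%v\n",
			raw, isLocalHostnameBlacklist(u.Hostname()), internal)
	}
}
```

The range check closes the 127.*.*.* gap the report describes, but it still decides on the addresses seen at validation time; a clone performed afterwards by a separate git process can resolve the same name again, so a complete mitigation also has to constrain the address the outbound connection actually uses.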

🕵️‍♂️ Proof of Concept

  • Navigate to https://try.gogs.io/repo/migrate.
  • Under ‘clone address’ enter http://127.1.33.7:3306/.
  • Fill in the rest of the text areas and proceed.
  • If the repository was created, port 3306 was open (MySQL); if not, it was closed. (An error in this case would be: Migration failed: clone: exit status 128 - fatal: unable to access 'http://@127.1.33.7:[closed_port]/': Failed connect to 127.1.33.7:[closed_port]; Connection refused.)

💥 Impact

This vulnerability is capable of allowing attackers to conduct internal port scans.

(Please note that the SSRF shown here is a blind SSRF and attackers, from what I can tell, would not gain any sensitive information beyond the open/closed status of a given port.)
