Bypassing Gitea's URL restrictions


24.3.2024 | bypassing-gitea-url-restrictions

Gitea is a git hosting service similar to GitHub that can be self-hosted without needing beastly hardware. Their docs state that a Raspberry Pi 3 is powerful enough to run Gitea (I personally run it on a Raspberry Pi 4 and have yet to encounter any problems with it).

Migrations?

With migrations, you can migrate repositories from other Git services onto your Gitea instance. It supports a wide variety of providers, but we’ll focus on the migration of plain Git repositories.

[image: the list of migration providers]

Clicking on Migrate from Git brings you to a form where you can fill out details like URL, username and password. Hosts on the same network or on the same machine are not allowed by default, for security reasons; this behaviour is configurable in the config.

The documentation describes these three options in more detail:

ALLOWED_DOMAINS (default: empty): Domains allowlist for migrating repositories. Blank means everything is allowed. Multiple domains can be separated by commas. Wildcards are supported: github.com, *.github.com.
BLOCKED_DOMAINS (default: empty): Domains blocklist for migrating repositories. Multiple domains can be separated by commas. When ALLOWED_DOMAINS is not blank, this option has the higher priority and can still deny domains. Wildcards are supported.
ALLOW_LOCALNETWORKS (default: false): Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291. If a domain is allowed by ALLOWED_DOMAINS, this option is ignored.

Cloning repositories

This all began with me wanting to make my website clonable (like doing git clone https://patriick.dev, which you can do right now!). When cloning HTTPS repos, git sends a request to {REPO}/info/refs to discover the available refs. You can serve a redirect there and git will gladly follow it; it just prints a warning.

$ git clone https://patriick.dev tmp
Cloning into 'tmp'...
warning: redirecting to https://github.com/zImPatrick/zImPatrick.github.io/

This got me to test many other git providers to see how they handle this.

GitHub’s behaviour

GitHub doesn’t seem to follow redirects - at least for /info/refs. It has a “magic” import option where it checks multiple endpoints for a supported VCS, but I’ve only checked the one Git uses.

No source repositories were detected at <url>. Please check the URL and try again.

GitLab’s behaviour

GitLab explicitly states that they don’t follow redirects. I’ve checked, they don’t.

[image: GitLab's import form]

Gitea’s behaviour

Gitea’s migration option, given just a local address, gives us this error message:

You cannot import from disallowed hosts, please ask the admin to check ALLOWED_DOMAINS/ALLOW_LOCALNETWORKS/BLOCKED_DOMAINS settings.

I’ve also tried pointing a DNS entry at an internal address; that didn’t work either. Redirects, however, just work! Pointing one at an internal address happily imports it. Here’s a video demo!
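As an added example (written for this post, not Gitea's own code), the following Go program implements the three settings quoted in the Migrations section with the precedence the docs describe, and then wires the same check into an http.Client CheckRedirect hook so that every redirect hop is validated, not only the URL the user typed; that is the shape of the defence the redirect finding above calls for. The type and function names (MigrationPolicy, CheckHost, NewMigrationClient), the use of Go's net.IP classifiers for the private ranges, the 10-hop limit, and the resolver returning constructed addresses are all assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// MigrationPolicy holds the three settings quoted from the Gitea docs; the
// matching logic below is this example's reading of the docs, not Gitea's code.
type MigrationPolicy struct {
	AllowedDomains     []string
	BlockedDomains     []string
	AllowLocalNetworks bool
	Resolve            func(host string) ([]net.IP, error) // nil: system DNS
}

var ErrDisallowedHost = errors.New("disallowed host")

// IsPrivateIP: RFC 1918 and RFC 4291 unique-local (IsPrivate), RFC 1122
// loopback, plus link-local and unspecified addresses (assumed here as well).
func IsPrivateIP(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// matchDomain implements the docs' comma list with "*.github.com"-style
// wildcards: a wildcard matches any subdomain but not the apex itself.
func matchDomain(patterns []string, host string) bool {
	host = strings.ToLower(host)
	for _, p := range patterns {
		p = strings.ToLower(strings.TrimSpace(p))
		wild := strings.HasPrefix(p, "*.") && strings.HasSuffix(host, p[1:])
		if p != "" && (wild || p == host) {
			return true
		}
	}
	return false
}

// CheckHost applies the precedence the docs state: BLOCKED_DOMAINS always wins, an
// ALLOWED_DOMAINS match skips the local-network test, a non-empty allowlist denies
// every other host, and otherwise no resolved address may be private.
func (p MigrationPolicy) CheckHost(host string) error {
	switch {
	case matchDomain(p.BlockedDomains, host):
		return ErrDisallowedHost
	case matchDomain(p.AllowedDomains, host):
		return nil
	case len(p.AllowedDomains) > 0:
		return ErrDisallowedHost
	case p.AllowLocalNetworks:
		return nil
	}
	ips := []net.IP{net.ParseIP(host)} // non-nil only for an IP literal
	if ips[0] == nil {
		resolve := p.Resolve
		if resolve == nil {
			resolve = net.LookupIP
		}
		var err error
		if ips, err = resolve(host); err != nil {
			return err
		}
	}
	for _, ip := range ips {
		if IsPrivateIP(ip) {
			return ErrDisallowedHost
		}
	}
	return nil
}

// NewMigrationClient re-runs CheckHost on every redirect target, so a hop from an
// allowed public host into a private range is refused instead of followed.
func NewMigrationClient(p MigrationPolicy) *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 10 {
				return errors.New("stopped after 10 redirects")
			}
			return p.CheckHost(req.URL.Hostname())
		},
	}
}

func main() {
	// Constructed resolver so the demo runs offline: one name maps to a private address.
	p := MigrationPolicy{Resolve: func(host string) ([]net.IP, error) {
		if host == "internal.example" {
			return []net.IP{net.ParseIP("192.168.1.10")}, nil
		}
		return []net.IP{net.ParseIP("203.0.113.7")}, nil
	}}
	req, _ := http.NewRequest("GET", "http://192.168.1.10/repo/info/refs", nil)
	fmt.Println("public host:    ", p.CheckHost("code.example"))
	fmt.Println("DNS to private: ", p.CheckHost("internal.example"))
	fmt.Println("redirect hop:   ", NewMigrationClient(p).CheckRedirect(req, nil))
}
```

Validating each hop closes the bypass described in this post, but note the remaining gap a reviewer would raise: the lookup inside CheckHost and the connection the transport later opens are two separate DNS resolutions, so a name whose answer changes between them is not covered by this check alone; pinning the address that passed the check into the transport's dialer removes that window.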

Disclosure

I didn’t want to send another email, they probably have more important things to do and I’m probably overestimating the impact of this.