BugFlow

SSRF on project import via the remote_attachment_url on a Note

One of the features this provides is the ability to download and attach a file via a url, see https://github.com/carrierwaveuploader/carrierwave/blob/v1.3.1/lib/carrierwave/mount.rb#L80. This means that the Note model has a method remote_attachment_url= which can be used to perform this action

1. Create a new project
2. Create an issue in the project
3. Add a note to the issue
4. Export the project
5. Extract the export
6. Add remote_attachment_url to the note hash with a url
7. Recompress the export and import it
8. View the note on the issue

  def remote_urls=(urls)
      return if not urls or urls == "" or urls.all?(&:blank?)

      @remote_urls = urls
      @download_error = nil
      @integrity_error = nil

      @uploaders = urls.zip(remote_request_headers || []).map do |url, header|
        uploader = blank_uploader
        uploader.download!(url, header || {})
        uploader
      end

    def file
          if @file.blank?
            headers = @remote_headers.
              reverse_merge('User-Agent' => "CarrierWave/#{CarrierWave::VERSION}")

            @file = Kernel.open(@uri.to_s, headers)
            @file = @file.is_a?(String) ? StringIO.new(@file) : @file
          end

/!\ Unable to understand it properly