Skip to content

gitlab Import url is blocked: "Requests to the local network are not allowed"

Summary

When I try to import a project from a git server running in the same network domain (stash.mydomain.local) as the gitlab server (gitlab.mydomain.local) via URL (Import Project/git Repo by URL), I get the message:

"Import url is blocked: Requests to the local network are not allowed".

We are running gitlab-ce docker omnibus image 11.7.5. Note that the server "stash.mydomain.local" does not run on the same server as the server "gitlab.mydomain.local".

Steps to reproduce

Settings: admin/application_settings/network#js-outbound-settings - do not allow requests to the local network from hooks and services. Goto "https://gitlab.mydomain.local/projects". Choose "Import project" and "git Repo by URL". Add repo: "https:://stash.mydomain/scm/stest/test.git"

The form contains the following error: Import url is blocked: Requests to the local network are not allowed

If I try to import a github.com repository by URL, I do not get the error message.

Example Project

Not applicable.

What is the current bug behavior?

I cannot import a project from a local hosted server (not running on the same server as gitlab) without enabling outbound requests, which is a risk to our gitlab server. I'm not sure when this stopped working, but I think after the latest upgrade from V11.6.3-ce.0 to V11.7.5-ce.0. I assume that "Import a project by URL" is a system hooks and thereby exempt from this protection because they are set up by admins (gitlab itself).

What is the expected correct behavior?

I can import projects via URL from local hosted servers.

Relevant logs and/or screenshots

Snippet from log/gitlab-rails/production.log:

Started POST "/projects" for 127.0.0.1 at 2019-02-20 10:30:22 +0000 Processing by ProjectsController#create as HTML Parameters: {"utf8"=>"✓", "authenticity_token"=>"[FILTERED]", "project"=>{"import_url"=>"[FILTERED]", "ci_cd_only"=>"false", "name"=>"cci-test", "namespac e_id"=>"34", "path"=>"cci-test", "description"=>"", "visibility_level"=>"0"}} Unable to save project. Error: Import url is blocked: Requests to the local network are not allowed

Output of checks

Local hosted gitlab-ce docker server

Results of GitLab environment info

Expand for output related to GitLab environment info 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)
System information
System:
Current User:   git
Using RVM:      no
Ruby Version:   2.5.3p105
Gem Version:    2.7.6
Bundler Version:1.16.6
Rake Version:   12.3.2
Redis Version:  3.2.12
Git Version:    2.18.1
Sidekiq Version:5.2.3
Go Version:     unknown


GitLab information
Version:        11.7.5
Revision:       c5b5b18
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     postgresql
URL:            https://gitlab.mydomain.local
HTTP Clone URL: https://gitlab.mydomain.local/some-group/some-project.git
SSH Clone URL:  git@gitlab.mydomain.local:some-group/some-project.git
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers:


GitLab Shell
Version:        8.4.4
Repository storage paths:
  • default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git

(For installations from source run and paste the output of: sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)
Checking GitLab subtasks ...


Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 8.4.4 ? ... OK (8.4.4)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Check GitLab API access: OK
Redis available via internal API: OK


Access to /var/opt/gitlab/.ssh/authorized_keys: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
<<<<<< SKIPPED for privacy reasons >>>>>>
Checking LDAP ... Finished


Checking GitLab App ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... skipped (omnibus-gitlab has no init script)
Init script up-to-date? ... skipped (omnibus-gitlab has no init script)
Projects have namespace: ...
38/1 ... yes
40/2 ... yes
40/3 ... yes
37/4 ... yes
37/5 ... yes
37/6 ... yes
37/7 ... yes
37/8 ... yes
71/10 ... yes
37/11 ... yes
71/12 ... yes
71/13 ... yes
69/14 ... yes
70/15 ... yes
71/16 ... yes
71/17 ... yes
37/18 ... yes
71/19 ... yes
37/20 ... yes
71/21 ... yes
71/22 ... yes
71/23 ... yes
37/24 ... yes
37/25 ... yes
37/26 ... yes
37/27 ... yes
37/28 ... yes
37/29 ... yes
37/33 ... yes
47/35 ... yes
47/36 ... yes
47/37 ... yes
38/38 ... yes
38/39 ... yes
38/40 ... yes
38/41 ... yes
47/42 ... yes
47/43 ... yes
51/44 ... yes
53/45 ... yes
51/46 ... yes
51/47 ... yes
51/48 ... yes
51/49 ... yes
51/50 ... yes
51/51 ... yes
51/52 ... yes
51/53 ... yes
70/54 ... yes
37/55 ... yes
71/57 ... yes
44/58 ... yes
38/59 ... yes
64/60 ... yes
70/61 ... yes
53/62 ... yes
66/63 ... yes
67/64 ... yes
69/65 ... yes
38/66 ... yes
69/67 ... yes
44/68 ... yes
78/69 ... yes
74/70 ... yes
38/71 ... yes
69/72 ... yes
69/73 ... yes
69/74 ... yes
38/75 ... yes
69/76 ... yes
38/79 ... yes
64/80 ... yes
78/81 ... yes
51/82 ... yes
80/83 ... yes
40/84 ... yes
69/85 ... yes
80/87 ... yes
69/89 ... yes
100/90 ... yes
102/91 ... yes
70/92 ... yes
69/93 ... yes
95/94 ... yes
102/95 ... yes
93/96 ... yes
100/97 ... yes
38/98 ... yes
38/99 ... yes
70/101 ... yes
96/102 ... yes
96/103 ... yes
80/104 ... yes
107/106 ... yes
109/107 ... yes
109/108 ... yes
70/109 ... yes
69/110 ... yes
100/111 ... yes
114/114 ... yes
38/115 ... yes
92/116 ... yes
78/117 ... yes
73/118 ... yes
73/120 ... yes
114/121 ... yes
114/122 ... yes
119/123 ... yes
119/124 ... yes
119/125 ... yes
119/126 ... yes
37/127 ... yes
92/128 ... yes
92/129 ... yes
92/130 ... yes
92/131 ... yes
92/132 ... yes
92/133 ... yes
92/134 ... yes
Redis version >= 2.8.0? ... yes
Ruby version >= 2.3.5 ? ... yes (2.5.3)
Git version >= 2.18.0 ? ... yes (2.18.1)
Git user has default SSH configuration? ... yes
Active users: ... 58


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished

Possible fixes

(If you can, link to the line of code that might be responsible for the problem)