SSRF patch for CI Lint API is incomplete
HackerOne report #1236965 by minhli
on 2021-06-17, assigned to @dcouture:
Report
Hi,
Prior reports:
Tested on version: 13.12.4-ee
There is at least one more case which I think is not covered in this patch, in the case of External users.
Considering the following scenarios:
(note from @dcouture, I removed the first scenario it was not valid)
Second Scenario
- Sign ups are enabled
- Under "Account and limit", set "New users set to external" (newly registered users will by default be external)
- As I noticed this in one of the organizations, and as the docs say:
"In cases where it is desired that a user has access only to some internal or private projects, there is the option of creating External Users. This feature may be useful when for example a contractor is working on a given project and should only have access to that project."
"External users: Can only create projects (including forks), subgroups, and snippets within the top-level group to which they belong."
Right after signup, no user can really do any action unless they are explicitly added to a group or project by the admins. So no SSRF should be possible, but in such a case any unauthenticated user can still abuse the CI Lint API for SSRF. This option is really valuable with contractors and for open source projects where collaborators can use any email address to sign up, but usually manual account reviews and group/project assignments are done by maintainers.
I am not sure if these cases have been overlooked, so I am filing this report to ensure this is known. In both these cases I think unauthenticated SSRF should not be possible by just anyone.
Please review.
Thanks!
Impact
- Information disclosure
- Protection bypass
How To Reproduce
Please add reproducibility information to this section: