SSRF patch for CI Lint API is incomplete
**[HackerOne report #1236965](https://hackerone.com/reports/1236965)** by `minhli` on 2021-06-17, assigned to @dcouture: [Report](#report) | [How To Reproduce](#how-to-reproduce)

## Report

Hi,

Prior reports:

- https://hackerone.com/reports/1110131
- https://hackerone.com/reports/1110131

Tested on version: 13.12.4-ee

There is at least one more case which I think is not covered by this patch, in the case of `External users`. Consider the following scenarios:

(note from @dcouture: I removed the first scenario, it was not valid)

__Second Scenario__

1. Sign-ups are enabled
2. Under `Account and limit`, set: New users set to external > Newly registered users will by default be external
3. As I noticed this in one of the organizations, and as the docs say:

   > In cases where it is desired that a user has access only to some internal or private projects, there is the option of creating External Users. This feature may be useful when for example a contractor is working on a given project and should only have access to that project.
   >
   > External users:
   > Can only create projects (including forks), subgroups, and snippets within the top-level group to which they belong.

Right after signup, no user can really do any action unless they are explicitly added to a group or project by the admins. So no SSRF should be possible, but by abusing the CI Lint API, in such a case any unauthenticated user can still abuse the CI Lint API for SSRF.

This option is really valuable with contractors and for open source projects where collaborators can use any email address to sign up, but usually manual account reviews and group/project assignments are done by maintainers.

I am not sure if these cases have been overlooked, so I am filing this report to ensure this is known. In both of these cases I think unauthenticated SSRF should not be possible by just anyone.

Please review. Thanks!
#### Impact

Information disclosure protection bypass

## How To Reproduce

Please add [reproducibility information] to this section:

1.
1.
1.

[reproducibility information]: https://about.gitlab.com/handbook/engineering/security/#reproducibility-on-security-issues
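The second scenario above comes down to two things an operator can verify on their own instance: whether new sign-ups start out as external users, and whether such a user, holding no group or project membership, can still call `POST /api/v4/ci/lint`. The script below is an added example for checking exactly that; it is not GitLab code and not part of the report. It assumes a placeholder instance URL, an admin personal access token (used only to read `GET /api/v4/application/settings`), and a personal access token for a freshly signed-up external user with no memberships. It submits a benign pipeline config and only classifies whether the endpoint answered; it does not attempt the SSRF itself, since the report does not give those steps.

```python
"""Check whether a GitLab instance lets an external user with no group or
project membership reach the CI Lint API.

Added example for this report; not GitLab code and not the reporter's code.
Assumptions:
  - BASE_URL points at a GitLab instance exposing the v4 REST API
    (GET /api/v4/application/settings, POST /api/v4/ci/lint);
  - ADMIN_TOKEN is a personal access token with admin rights, used only to
    read instance settings;
  - EXTERNAL_TOKEN is a personal access token for a freshly signed-up user
    who is external and belongs to no group or project.
The lint payload is a benign pipeline config; this checks reachability of
the endpoint only and does not attempt the SSRF.
"""
import json
import urllib.error
import urllib.request

BASE_URL = "https://gitlab.example.com"      # assumption: placeholder instance
ADMIN_TOKEN = "ADMIN-PAT-PLACEHOLDER"        # assumption: placeholder token
EXTERNAL_TOKEN = "EXTERNAL-PAT-PLACEHOLDER"  # assumption: placeholder token

# Benign .gitlab-ci.yml: nothing is fetched remotely.
BENIGN_CI_CONFIG = "test:\n  script:\n    - echo ok\n"


def new_users_default_external(settings: dict) -> bool:
    """True when the scenario's preconditions hold: open sign-ups and every
    new account starting out as an external user."""
    return bool(settings.get("signup_enabled")) and bool(
        settings.get("user_default_external"))


def build_lint_request(content: str) -> bytes:
    """JSON body for POST /api/v4/ci/lint: the pipeline configuration goes
    under the "content" key."""
    return json.dumps({"content": content}).encode()


def interpret_lint_response(status_code: int, body: str) -> str:
    """Classify the lint endpoint's answer for the external user."""
    if status_code == 200:
        try:
            parsed = json.loads(body)
        except json.JSONDecodeError:
            return "unexpected"
        # Any lint result (valid or invalid config) means the user got through.
        return "reachable" if "status" in parsed else "unexpected"
    if status_code == 401:
        return "unauthenticated"
    if status_code == 403:
        return "forbidden"
    return "unexpected"


def _call(method: str, path: str, token: str, body: bytes = None):
    """Minimal authenticated API call returning (status_code, body_text)."""
    req = urllib.request.Request(BASE_URL + path, data=body, method=method)
    req.add_header("PRIVATE-TOKEN", token)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def probe() -> dict:
    """Run both checks against the live instance (network required)."""
    code, body = _call("GET", "/api/v4/application/settings", ADMIN_TOKEN)
    settings = json.loads(body) if code == 200 else {}
    lint_code, lint_body = _call("POST", "/api/v4/ci/lint", EXTERNAL_TOKEN,
                                 build_lint_request(BENIGN_CI_CONFIG))
    return {
        "new_users_external": new_users_default_external(settings),
        "external_user_lint": interpret_lint_response(lint_code, lint_body),
    }


if __name__ == "__main__":
    result = probe()
    print(json.dumps(result, indent=2))
    if result["new_users_external"] and result["external_user_lint"] == "reachable":
        print("External user with no memberships can call CI Lint on this instance")
```

A result of `"reachable"` for the external user means the membership-less account gets a real lint verdict back, which is the condition the report says should not hold; `"unauthenticated"` or `"forbidden"` means the endpoint is gated before any config is processed.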