hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
This commit is contained in:
Gergely Nagy
Earl Warren
parent
67d6c674df
commit
8eba631f8d
2 changed files with 153 additions and 0 deletions
|
|
@ -4,6 +4,7 @@
|
|||
package private
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
|
|
@ -101,6 +102,60 @@ func (ctx *preReceiveContext) AssertCreatePullRequest() bool {
|
|||
return true
|
||||
}
|
||||
|
||||
var errPermissionDenied = errors.New("permission denied for changing repo settings")
|
||||
|
||||
func (ctx *preReceiveContext) canChangeSettings() error {
|
||||
if !ctx.loadPusherAndPermission() {
|
||||
return errPermissionDenied
|
||||
}
|
||||
|
||||
if !ctx.userPerm.IsOwner() && !ctx.userPerm.IsAdmin() {
|
||||
return errPermissionDenied
|
||||
}
|
||||
|
||||
if ctx.Repo.Repository.IsFork {
|
||||
return errPermissionDenied
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ctx *preReceiveContext) validatePushOptions() error {
|
||||
opts := web.GetForm(ctx).(*private.HookOptions)
|
||||
|
||||
if len(opts.GitPushOptions) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
changesRepoSettings := false
|
||||
for key := range opts.GitPushOptions {
|
||||
switch key {
|
||||
case private.GitPushOptionRepoPrivate, private.GitPushOptionRepoTemplate:
|
||||
changesRepoSettings = true
|
||||
case "topic", "force-push", "title", "description":
|
||||
// Agit options
|
||||
default:
|
||||
return fmt.Errorf("unknown option %s", key)
|
||||
}
|
||||
}
|
||||
|
||||
if changesRepoSettings {
|
||||
return ctx.canChangeSettings()
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ctx *preReceiveContext) assertPushOptions() bool {
|
||||
if err := ctx.validatePushOptions(); err != nil {
|
||||
ctx.JSON(http.StatusForbidden, private.Response{
|
||||
UserMsg: fmt.Sprintf("options validation failed: %v", err),
|
||||
})
|
||||
return false
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
// HookPreReceive checks whether a individual commit is acceptable
|
||||
func HookPreReceive(ctx *gitea_context.PrivateContext) {
|
||||
opts := web.GetForm(ctx).(*private.HookOptions)
|
||||
|
|
@ -111,6 +166,12 @@ func HookPreReceive(ctx *gitea_context.PrivateContext) {
|
|||
opts: opts,
|
||||
}
|
||||
|
||||
if !ourCtx.assertPushOptions() {
|
||||
log.Trace("Git push options validation failed")
|
||||
return
|
||||
}
|
||||
log.Trace("Git push options validation succeeded")
|
||||
|
||||
// Iterate across the provided old commit IDs
|
||||
for i := range opts.OldCommitIDs {
|
||||
oldCommitID := opts.OldCommitIDs[i]
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue