hooks: Harden when we accept push options that change repo settings

It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 10:07:45 +02:00 · 2024-04-15 10:07:45 +02:00 · 8eba631f8d
commit 8eba631f8d
parent 67d6c674df
2 changed files with 153 additions and 0 deletions
--- a/tests/integration/git_push_test.go
+++ b/tests/integration/git_push_test.go
@ -7,12 +7,17 @@ import (
 	"fmt"
 	"net/url"
 	"testing"
+	"time"

 	"code.gitea.io/gitea/models/db"
 	git_model "code.gitea.io/gitea/models/git"
+	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/log"
+	repo_module "code.gitea.io/gitea/modules/repository"
+	"code.gitea.io/gitea/modules/test"
 	repo_service "code.gitea.io/gitea/services/repository"

 	"github.com/stretchr/testify/assert"
@ -146,3 +151,90 @@ func runTestGitPush(t *testing.T, u *url.URL, gitOperation func(t *testing.T, gi

 	require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
 }
+
+func TestOptionsGitPush(t *testing.T) {
+	onGiteaRun(t, testOptionsGitPush)
+}
+
+func testOptionsGitPush(t *testing.T, u *url.URL) {
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
+		Name:          "repo-to-push",
+		Description:   "test git push",
+		AutoInit:      false,
+		DefaultBranch: "main",
+		IsPrivate:     false,
+	})
+	require.NoError(t, err)
+	require.NotEmpty(t, repo)
+
+	gitPath := t.TempDir()
+
+	doGitInitTestRepository(gitPath)(t)
+
+	u.Path = repo.FullName() + ".git"
+	u.User = url.UserPassword(user.LowerName, userPassword)
+	doGitAddRemote(gitPath, "origin", u)(t)
+
+	t.Run("Unknown push options are rejected", func(t *testing.T) {
+		logChecker, cleanup := test.NewLogChecker(log.DEFAULT, log.TRACE)
+		logChecker.Filter("unknown option").StopMark("Git push options validation")
+		defer cleanup()
+		branchName := "branch0"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepositoryFail(gitPath, "origin", branchName, "-o", "repo.template=false", "-o", "uknownoption=randomvalue")(t)
+		logFiltered, logStopped := logChecker.Check(5 * time.Second)
+		assert.True(t, logStopped)
+		assert.True(t, logFiltered[0])
+	})
+
+	t.Run("Owner sets private & template to true via push options", func(t *testing.T) {
+		branchName := "branch1"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
+		repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
+		require.NoError(t, err)
+		require.True(t, repo.IsPrivate)
+		require.True(t, repo.IsTemplate)
+	})
+
+	t.Run("Owner sets private & template to false via push options", func(t *testing.T) {
+		branchName := "branch2"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t)
+		repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
+		require.NoError(t, err)
+		require.False(t, repo.IsPrivate)
+		require.False(t, repo.IsTemplate)
+	})
+
+	// create a collaborator with write access
+	collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+	u.User = url.UserPassword(collaborator.LowerName, userPassword)
+	doGitAddRemote(gitPath, "collaborator", u)(t)
+	repo_module.AddCollaborator(db.DefaultContext, repo, collaborator)
+
+	t.Run("Collaborator with write access is allowed to push", func(t *testing.T) {
+		branchName := "branch3"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepository(gitPath, "collaborator", branchName)(t)
+	})
+
+	t.Run("Collaborator with write access fails to change private & template via push options", func(t *testing.T) {
+		logChecker, cleanup := test.NewLogChecker(log.DEFAULT, log.TRACE)
+		logChecker.Filter("permission denied for changing repo settings").StopMark("Git push options validation")
+		defer cleanup()
+		branchName := "branch4"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
+		repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
+		require.NoError(t, err)
+		require.False(t, repo.IsPrivate)
+		require.False(t, repo.IsTemplate)
+		logFiltered, logStopped := logChecker.Check(5 * time.Second)
+		assert.True(t, logStopped)
+		assert.True(t, logFiltered[0])
+	})
+
+	require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
+}