Mitigate Security vulnerability in the git hook feature (#13058)

* Extend git hook warning in the UI.

Git hooks are a dangerous feature; administrators should be warned before giving
the git hook privilege to users.

* Disable Git hooks by default and add warning.

Git hooks are a dangerous feature (see warning text) that should only
be enabled if the administrator has been informed about the risk involved.

Co-authored-by: Niklas Goerke <goerke@fzi.de>
Niklas Goerke 2020-10-07 11:55:13 +02:00 committed by GitHub
parent d49242287d
commit 8fe8ab5cbf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 5 deletions

@ -2055,7 +2055,7 @@ users.prohibit_login = Disable Sign-In
users.is_admin = Is Administrator
users.is_restricted = Is Restricted
users.allow_git_hook = May Create Git Hooks
users.allow_git_hook_tooltip = Git Hooks are executed as the OS user running Gitea and will have the same level of host access
users.allow_git_hook_tooltip = Git Hooks are executed as the OS user running Gitea and will have the same level of host access. As a result, users with this special Git Hook privilege can access and modify all Gitea repositories as well as the database used by Gitea. Consequently they are also able to gain Gitea administrator privileges.
users.allow_import_local = May Import Local Repositories
users.allow_create_organization = May Create Organizations
users.update_profile = Update User Account
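Review bot: this hunk only extends the `users.allow_git_hook_tooltip` string; the actual default-off enforcement that the commit message announces ("Disable Git hooks by default and add warning") lives in the other two changed files, which this view does not show, so check there that the default really is disabled and that this per-user tooltip still makes sense when hooks are globally off. As a style point, the new text is long for a hover tooltip; consider keeping the first sentence as the tooltip and moving the rest (repository access, database access, path to administrator privileges) into the admin documentation that the "see warning text" in the commit message refers to, and remember that the other locale files still carry the old one-sentence string until they are updated.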