Check permissions on repo lookup (#2357)

There was no permission check when looking up repos so you were able to get basic repo information even if you're not allowed to. This uses `session.MustPull` (and set repo/perms before) to fix this.
2025-04-27 14:04:42 +00:00 · 2023-08-30 16:35:34 +02:00 · 2023-08-30 16:35:34 +02:00 · e847cbadfa
commit e847cbadfa
parent 91192a900a
3 changed files with 9 additions and 28 deletions
--- a/server/api/repo.go
+++ b/server/api/repo.go
@ -21,7 +21,6 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
-	"strings"
 	"time"

 	"github.com/gin-gonic/gin"
@ -277,21 +276,7 @@ func ChownRepo(c *gin.Context) {
 //	@Param		Authorization	header	string	true	"Insert your personal access token"	default(Bearer <personal access token>)
 //	@Param		repo_full_name	path	string	true	"the repository full-name / slug"
 func LookupRepo(c *gin.Context) {
-	_store := store.FromContext(c)
-	repoFullName := strings.TrimLeft(c.Param("repo_full_name"), "/")
-
-	repo, err := _store.GetRepoName(repoFullName)
-	if err != nil {
-		if errors.Is(err, types.RecordNotExist) {
-			c.AbortWithStatus(http.StatusNotFound)
-			return
-		}
-
-		_ = c.AbortWithError(http.StatusInternalServerError, err)
-		return
-	}
-
-	c.JSON(http.StatusOK, repo)
+	c.JSON(http.StatusOK, session.Repo(c))
 }

 // GetRepo
--- a/server/router/api.go
+++ b/server/router/api.go
@ -68,7 +68,7 @@ func apiRoutes(e *gin.RouterGroup) {
 			}
 		}

-		apiBase.GET("/repos/lookup/*repo_full_name", api.LookupRepo) // TODO: check if this public route is a security issue
+		apiBase.GET("/repos/lookup/*repo_full_name", session.SetRepo(), session.SetPerm(), session.MustPull, api.LookupRepo)
 		apiBase.POST("/repos", session.MustUser(), api.PostRepo)
 		repoBase := apiBase.Group("/repos/:repo_id")
 		{
--- a/server/router/middleware/session/repo.go
+++ b/server/router/middleware/session/repo.go
@ -18,6 +18,7 @@ import (
 	"errors"
 	"net/http"
 	"strconv"
+	"strings"
 	"time"

 	"github.com/gin-gonic/gin"
@ -45,11 +46,10 @@ func Repo(c *gin.Context) *model.Repo {
 func SetRepo() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		var (
-			_store  = store.FromContext(c)
-			owner   = c.Param("owner")
-			name    = c.Param("name")
-			_repoID = c.Param("repo_id")
-			user    = User(c)
+			_store   = store.FromContext(c)
+			fullName = strings.TrimLeft(c.Param("repo_full_name"), "/")
+			_repoID  = c.Param("repo_id")
+			user     = User(c)
 		)

 		var repo *model.Repo
@ -63,7 +63,7 @@ func SetRepo() gin.HandlerFunc {
 			}
 			repo, err = _store.GetRepo(repoID)
 		} else {
-			repo, err = _store.GetRepoName(owner + "/" + name)
+			repo, err = _store.GetRepoName(fullName)
 		}

 		if repo != nil {
@ -73,11 +73,7 @@ func SetRepo() gin.HandlerFunc {
 		}

 		// debugging
-		log.Debug().Msgf("Cannot find repository %s/%s. %s",
-			owner,
-			name,
-			err.Error(),
-		)
+		log.Debug().Err(err).Msgf("Cannot find repository %s.", fullName)

 		if user == nil {
 			c.AbortWithStatus(http.StatusUnauthorized)