mirrors/woodpecker
1
0
Fork 0
mirror of https://github.com/woodpecker-ci/woodpecker.git synced 2024-07-04 13:06:09 +00:00
Code Issues Projects Releases Wiki Activity

Check permissions on repo lookup (#2357)

Browse source 
There was no permission check when looking up repos so you were able to
get basic repo information even if you're not allowed to.

This uses `session.MustPull` (and set repo/perms before) to fix this.
This commit is contained in:
qwerty287 2023-08-30 16:35:34 +02:00 committed by GitHub
parent 91192a900a
commit e847cbadfa
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
server/api/repo.go
View file

@ -21,7 +21,6 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"strconv" "strconv"
"strings"
"time" "time"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
@ -277,21 +276,7 @@ func ChownRepo(c *gin.Context) {
// @Param Authorization header string true "Insert your personal access token" default(Bearer <personal access token>) // @Param Authorization header string true "Insert your personal access token" default(Bearer <personal access token>)
// @Param repo_full_name path string true "the repository full-name / slug" // @Param repo_full_name path string true "the repository full-name / slug"
func LookupRepo(c *gin.Context) { func LookupRepo(c *gin.Context) {
_store := store.FromContext(c) c.JSON(http.StatusOK, session.Repo(c))
repoFullName := strings.TrimLeft(c.Param("repo_full_name"), "/")
repo, err := _store.GetRepoName(repoFullName)
if err != nil {
if errors.Is(err, types.RecordNotExist) {
c.AbortWithStatus(http.StatusNotFound)
return
}
_ = c.AbortWithError(http.StatusInternalServerError, err)
return
}
c.JSON(http.StatusOK, repo)
} }
// GetRepo // GetRepo

2
server/router/api.go
View file

@ -68,7 +68,7 @@ func apiRoutes(e *gin.RouterGroup) {
} }
} }
apiBase.GET("/repos/lookup/*repo_full_name", api.LookupRepo) // TODO: check if this public route is a security issue apiBase.GET("/repos/lookup/*repo_full_name", session.SetRepo(), session.SetPerm(), session.MustPull, api.LookupRepo)
apiBase.POST("/repos", session.MustUser(), api.PostRepo) apiBase.POST("/repos", session.MustUser(), api.PostRepo)
repoBase := apiBase.Group("/repos/:repo_id") repoBase := apiBase.Group("/repos/:repo_id")
{ {

12
server/router/middleware/session/repo.go
View file

@ -18,6 +18,7 @@ import (
"errors" "errors"
"net/http" "net/http"
"strconv" "strconv"
"strings"
"time" "time"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
@ -46,8 +47,7 @@ func SetRepo() gin.HandlerFunc {
return func(c *gin.Context) { return func(c *gin.Context) {
var ( var (
_store = store.FromContext(c) _store = store.FromContext(c)
owner = c.Param("owner") fullName = strings.TrimLeft(c.Param("repo_full_name"), "/")
name = c.Param("name")
_repoID = c.Param("repo_id") _repoID = c.Param("repo_id")
user = User(c) user = User(c)
) )
@ -63,7 +63,7 @@ func SetRepo() gin.HandlerFunc {
} }
repo, err = _store.GetRepo(repoID) repo, err = _store.GetRepo(repoID)
} else { } else {
repo, err = _store.GetRepoName(owner + "/" + name) repo, err = _store.GetRepoName(fullName)
} }
if repo != nil { if repo != nil {
@ -73,11 +73,7 @@ func SetRepo() gin.HandlerFunc {
} }
// debugging // debugging
log.Debug().Msgf("Cannot find repository %s/%s. %s", log.Debug().Err(err).Msgf("Cannot find repository %s.", fullName)
owner,
name,
err.Error(),
)
if user == nil { if user == nil {
c.AbortWithStatus(http.StatusUnauthorized) c.AbortWithStatus(http.StatusUnauthorized)