mirror of
https://github.com/woodpecker-ci/woodpecker.git
synced 2024-10-02 08:22:01 +00:00
Check permissions on repo lookup (#2357)
There was no permission check when looking up repos so you were able to get basic repo information even if you're not allowed to. This uses `session.MustPull` (and set repo/perms before) to fix this.
This commit is contained in:
parent
91192a900a
commit
e847cbadfa
3 changed files with 9 additions and 28 deletions
|
@ -21,7 +21,6 @@ import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
|
@ -277,21 +276,7 @@ func ChownRepo(c *gin.Context) {
|
||||||
// @Param Authorization header string true "Insert your personal access token" default(Bearer <personal access token>)
|
// @Param Authorization header string true "Insert your personal access token" default(Bearer <personal access token>)
|
||||||
// @Param repo_full_name path string true "the repository full-name / slug"
|
// @Param repo_full_name path string true "the repository full-name / slug"
|
||||||
func LookupRepo(c *gin.Context) {
|
func LookupRepo(c *gin.Context) {
|
||||||
_store := store.FromContext(c)
|
c.JSON(http.StatusOK, session.Repo(c))
|
||||||
repoFullName := strings.TrimLeft(c.Param("repo_full_name"), "/")
|
|
||||||
|
|
||||||
repo, err := _store.GetRepoName(repoFullName)
|
|
||||||
if err != nil {
|
|
||||||
if errors.Is(err, types.RecordNotExist) {
|
|
||||||
c.AbortWithStatus(http.StatusNotFound)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
_ = c.AbortWithError(http.StatusInternalServerError, err)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
c.JSON(http.StatusOK, repo)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetRepo
|
// GetRepo
|
||||||
|
|
|
@ -68,7 +68,7 @@ func apiRoutes(e *gin.RouterGroup) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
apiBase.GET("/repos/lookup/*repo_full_name", api.LookupRepo) // TODO: check if this public route is a security issue
|
apiBase.GET("/repos/lookup/*repo_full_name", session.SetRepo(), session.SetPerm(), session.MustPull, api.LookupRepo)
|
||||||
apiBase.POST("/repos", session.MustUser(), api.PostRepo)
|
apiBase.POST("/repos", session.MustUser(), api.PostRepo)
|
||||||
repoBase := apiBase.Group("/repos/:repo_id")
|
repoBase := apiBase.Group("/repos/:repo_id")
|
||||||
{
|
{
|
||||||
|
|
|
@ -18,6 +18,7 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
|
@ -45,11 +46,10 @@ func Repo(c *gin.Context) *model.Repo {
|
||||||
func SetRepo() gin.HandlerFunc {
|
func SetRepo() gin.HandlerFunc {
|
||||||
return func(c *gin.Context) {
|
return func(c *gin.Context) {
|
||||||
var (
|
var (
|
||||||
_store = store.FromContext(c)
|
_store = store.FromContext(c)
|
||||||
owner = c.Param("owner")
|
fullName = strings.TrimLeft(c.Param("repo_full_name"), "/")
|
||||||
name = c.Param("name")
|
_repoID = c.Param("repo_id")
|
||||||
_repoID = c.Param("repo_id")
|
user = User(c)
|
||||||
user = User(c)
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var repo *model.Repo
|
var repo *model.Repo
|
||||||
|
@ -63,7 +63,7 @@ func SetRepo() gin.HandlerFunc {
|
||||||
}
|
}
|
||||||
repo, err = _store.GetRepo(repoID)
|
repo, err = _store.GetRepo(repoID)
|
||||||
} else {
|
} else {
|
||||||
repo, err = _store.GetRepoName(owner + "/" + name)
|
repo, err = _store.GetRepoName(fullName)
|
||||||
}
|
}
|
||||||
|
|
||||||
if repo != nil {
|
if repo != nil {
|
||||||
|
@ -73,11 +73,7 @@ func SetRepo() gin.HandlerFunc {
|
||||||
}
|
}
|
||||||
|
|
||||||
// debugging
|
// debugging
|
||||||
log.Debug().Msgf("Cannot find repository %s/%s. %s",
|
log.Debug().Err(err).Msgf("Cannot find repository %s.", fullName)
|
||||||
owner,
|
|
||||||
name,
|
|
||||||
err.Error(),
|
|
||||||
)
|
|
||||||
|
|
||||||
if user == nil {
|
if user == nil {
|
||||||
c.AbortWithStatus(http.StatusUnauthorized)
|
c.AbortWithStatus(http.StatusUnauthorized)
|
||||||
|
|
Loading…
Reference in a new issue