Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New commit status API doesn't check permissions properly #20331

Closed
leytilera opened this issue Jul 12, 2022 · 3 comments · Fixed by #20332
Closed

New commit status API doesn't check permissions properly #20331

leytilera opened this issue Jul 12, 2022 · 3 comments · Fixed by #20332
Labels
Milestone

Comments

@leytilera
Copy link
Contributor

leytilera commented Jul 12, 2022

Description

Using the Gitea API it is currrently possible with the new commit status endpoint to add a commit status to a repository, even if you don't have write access to that repository. This function does not check, if the user has access to the repository.

Gitea Version

from 1.16.8 to 1.18.0+dev-90-gc8e0fd0bc

Can you reproduce the bug on the Gitea demo site?

Yes

@zeripath zeripath changed the title New commit status API security issue New commit status API doesn't check permissions properly Jul 12, 2022
Gusted pushed a commit to Gusted/gitea that referenced this issue Jul 12, 2022
- Backport go-gitea#20332
  - Add write code checks for creating new commit status
  - Regression from go-gitea#5314
  - Resolves go-gitea#20331
Gusted pushed a commit to Gusted/gitea that referenced this issue Jul 12, 2022
- Backport go-gitea#20332
  - Add write code checks for creating new commit status
  - Regression from go-gitea#5314
  - Resolves go-gitea#20331
@zeripath
Copy link
Contributor

Thank you for reporting this, but in future please report issues like this directly to security@gitea.io .

NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.

By opening a public issue like this you've advertised this issue to everyone reading the bug tracker before we have had a chance to fix this or release a fixed version.

@zeripath zeripath changed the title New commit status API doesn't check permissions properly [CENSORED] Jul 12, 2022
6543 pushed a commit that referenced this issue Jul 12, 2022
- Backport #20332
  - Add write code checks for creating new commit status
  - Regression from #5314
  - Resolves #20331
6543 pushed a commit that referenced this issue Jul 12, 2022
- Backport #20332
  - Add write code checks for creating new commit status
  - Regression from #5314
  - Resolves #20331
@6543 6543 added this to the 1.16.9 milestone Jul 12, 2022
@6543 6543 changed the title [CENSORED] New commit status API doesn't check permissions properly Jul 12, 2022
@6543
Copy link
Member

6543 commented Jul 12, 2022

@leytilera **PLEASE follow SECURITY.md next time

& thanks for reporting

@6543
Copy link
Member

6543 commented Jul 12, 2022

also would you like to be mentioned in the https://blog.gitea.io ?

tyroneyeh added a commit to tyroneyeh/gitea that referenced this issue Jul 13, 2022
commit 713bc6c
Author: 6543 <6543@obermui.de>
Date:   Tue Jul 12 20:26:27 2022 +0200

    Changelog for 1.16.9 (update) (go-gitea#20341)

    * Changelog for 1.16.9 (update)

    * update security section

commit 6b7e860
Author: Lunny Xiao <xiaolunwen@gmail.com>
Date:   Wed Jul 13 01:13:31 2022 +0800

    Hide notify mail setting ui if not enabled (go-gitea#20138) (go-gitea#20337)

    Backport go-gitea#20138

commit 0f89417
Author: Gusted <williamzijl7@hotmail.com>
Date:   Tue Jul 12 12:52:20 2022 +0000

    Add write check for creating Commit status (go-gitea#20332) (go-gitea#20334)

    - Backport go-gitea#20332
      - Add write code checks for creating new commit status
      - Regression from go-gitea#5314
      - Resolves go-gitea#20331

commit 7c80a0b
Author: zeripath <art27@cantab.net>
Date:   Mon Jul 11 10:15:43 2022 +0100

    Ensure that drone tags 1.16.x and 1.16 on push to v1.16.x tag (go-gitea#20304)

    We need pushes to v1.16.9 to create tags to 1.16.9 and 1.16 but not 1 or latest.

    We have previously adjusted the manifest to remove the latest tag, and have removed
    auto_tags so that 1 does not get tagged but in doing so we also stopped 1.16 being
    tagged. So here we just state the that we tag x.yy in addition to x.yyz*.

    Signed-off-by: Andrew Thornton <art27@cantab.net>

commit b42df31
Author: zeripath <art27@cantab.net>
Date:   Wed Jul 6 02:47:16 2022 +0100

    Only show Followers that current user can access (go-gitea#20220) (go-gitea#20253)

    Backport go-gitea#20220

    Users who are following or being followed by a user should only be
    displayed if the viewing user can see them.

    Signed-off-by: Andrew Thornton <art27@cantab.net>

commit 6162fb0
Author: Gusted <williamzijl7@hotmail.com>
Date:   Fri Jul 1 17:39:10 2022 +0200

    Check for permission when fetching user controlled issues (go-gitea#20133) (go-gitea#20196)

    * Check if project has the same repository id with issue when assign project to issue

    * Check if issue's repository id match project's repository id

    * Add more permission checking

    * Remove invalid argument

    * Fix errors

    * Add generic check

    * Remove duplicated check

    * Return error + add check for new issues

    * Apply suggestions from code review

    Co-authored-by: Gusted <williamzijl7@hotmail.com>
    Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
    Co-authored-by: 6543 <6543@obermui.de>
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants