Enforce token on api routes [fixed critical security issue #4357] #4840
Conversation
bkcsoft
added
the
lgtm/need 2
|
@lunny yes I agree the first expression can be removed. the result is the same. the logic in the current test suites needs review and change, otherwise this pr won't pass all tests. In fact when token is enforced, some tests should be added to make sure cookie can not access protected api routes. |
beeonthego
changed the title
|
I assume the maintainers will review the access policy and modify test suites if agreeing to the policy of enforcing token in reqToken handler. I will not do anything about the test suites. Please let me know if there is any other action required from me. This PR is about fixing critical security issues, and is easy to review. It is highly appreciated if it can be given some priority. |
|
From a preliminary review this looks good, however now a lot of the tests fail, and the GPG test has a panic Edit: From posting this, I now see the post above mine. Sadly this won't be merged unless the tests pass (as the GitHub policies that are set up disable the button) |
techknowlogick
added
the
topic/security
|
Can someone review the access policy and test suite, prepare and merge a PR so a token is enforced in API routes? This issue has been around for a long time now, and the fix is easy. I don't want to waste time on test suites, if the maintainers eventually decide "no, we will keep things as they are now". |
|
I'm a maintainer and can promise you that Cezar97's reports will always be something that I listen to. Speaking of being a maintainer, I have the ability to push to your branch, I can work on the tests, however I like to ask permission before I make changes to someones branch, so is it ok if I work on your branch to resolve these failing tests? |
|
@techknowlogick yes please do so and enforce token policy on API routes asap. If you need to, I can add your public ssh key to my repo so you have full access to that branch. I have done internal tests and confirmed that browsers automatically send cookie along with cross site requests (GET and POST). Modern browsers have built-in same origin security policy and do not expose responses of certain content type to JavaScript. However such protection may not cover json/jsonp response. API routes accept cookie alone, skip csrf token check, and respond with json, and thus are not covered by browsers' same origin policy protection. API Routes are vulnerable to malicious scripts on another site, no XSS required.This may lead to theft/deletion of private code. Please do act quickly. |
|
@techknowlogick I think all maintainers can already make changes to the forked branch as I have enabled "Allow edits from maintainers". Please let me know if any action is required from me. thank you. |
|
🎉 Woooo! Tests now pass! (again, I'm so sorry for all of the commits, I'm still on mobile and am using the web editor which is extra difficult because it doesn't exist in mobile version of GitHub) |
|
@techknowlogick Thank you for the hard work! I don't mind the commit emails at all. These serve as time sheets to show you have spent 6 hours debugging and fixing the tests. Well done. Highly appreciated. |
Codecov Report
@@ Coverage Diff @@
## master #4840 +/- ##
==========================================
+ Coverage 37.32% 37.38% +0.06%
==========================================
Files 305 305
Lines 45219 45221 +2
==========================================
+ Hits 16876 16907 +31
+ Misses 25905 25873 -32
- Partials 2438 2441 +3
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Some ajax requests on the UI used /api/v1/**, some page and feature will be broken if this PR merged. refs:
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L1459
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L1486
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2087
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2507
https://github.com/go-gitea/gitea/blob/master/public/js/index.js#L2630
That routes have to be replaced before this PR merged.
|
@lunny As I wrote in the comment when submitting the PR, API routes used by front end ajax requests do not have reqToken middleware, and are not affected. These routes will continue to work, are all GET requests performing no action to change state or modify data. These routes and handler functions can be addressed with another PR. what do you think? |
|
@beeonthego oh my, I didn't even realize that was the amount of time I spent 😬 I would've been faster if only I wasn't on mobile. |
bkcsoft
added
lgtm/need 1
|
@techknowlogick It took me hours to trace functions in different modules, search the JavaScript to see the potential impact, and finally come up with 3 lines of code. Time goes by faster in front of screens, big or small. Thank you for the hard work on the tests. We now have one less thing to worry about. Cheers! |
bkcsoft
added
lgtm/done
|
@techknowlogick @beeonthego new test needs to get updated too, is good otherwise |
|
@beeonthego would you be able to backport this to the |
|
@techknowlogick could you backport it to release/v1.5? thank you. |
Prepare for wild/v1.6 branch * BREAKING * Respect email privacy option in user search via API (go-gitea#4512) * Simply remove tidb and deps (go-gitea#3993) * Swagger.v1.json template (go-gitea#3572) * FEATURE * Pull request review/approval and comment on code (go-gitea#3748) * Added dependencies for issues (go-gitea#2196) (go-gitea#2531) * Add the ability to have built in themes in Gitea and provide dark theme arc-green (go-gitea#4198) * Add sudo functionality to the API (go-gitea#4809) * Add oauth providers via cli (go-gitea#4591) * Disable merging a WIP Pull request (go-gitea#4529) * Force user to change password (go-gitea#4489) * Add letsencrypt to Gitea (go-gitea#4189) * Add push webhook support for mirrored repositories (go-gitea#4127) * Add csv file render support defaultly (go-gitea#4105) * Add Recaptcha functionality to Gitea (go-gitea#4044) * BUGFIXES * Fix release creation via API (go-gitea#5076) * Remove links from topics in edit mode (go-gitea#5026) * Fix missing AppSubUrl in few more templates (fixup) (go-gitea#5021) * Fix missing AppSubUrl in some templates (go-gitea#5020) * Hide outdated comments in file view (go-gitea#5017) * Upgrade gopkg.in/testfixtures.v2 (go-gitea#4999) * Disable debug routes unless PPROF is enabled in configuration (go-gitea#4995) * Fix user menu item styling (go-gitea#4985) * Fix layout of the topics editing form (go-gitea#4971) * Fix null pointer dereference in ParseCommitWithSignature (go-gitea#4962) * Fix url in discord webhook (go-gitea#4953) * Detect charset and convert non UTF-8 files for display (go-gitea#4950) * Make sure to catch the right error so it is displayed on the UI (go-gitea#4945) * Fix(topics): don't redirect to explore page. (go-gitea#4938) * Fix bug forget to remove Stopwatch when remove repository (go-gitea#4928) * Fix bug when repo remained bare if multiple branches pushed in single push (go-gitea#4923) * Fix: Let's Encrypt configuration settings (go-gitea#4911) * Fix: Crippled diff (go-gitea#4726) (go-gitea#4900) * Fix trimming of markup section names (go-gitea#4863) * Issues api allow pulls and fix go-gitea#4832 (go-gitea#4852) * Do not autocreate directory for new users/orgs (go-gitea#4828) (go-gitea#4849) * Fix redirect with non-ascii branch names (go-gitea#4764) (go-gitea#4810) * Fix missing release title in webhook (go-gitea#4783) (go-gitea#4796) * User shouldn't be able to approve or reject his/her own PR (go-gitea#4729) * Make sure to reset commit count in the cache on mirror syncing (go-gitea#4720) * Fixed bug where team with admin privelege type doesn't get any unit (go-gitea#4719) * Fix incorrect caption of webhook setting (go-gitea#4701) (go-gitea#4717) * Allow WIP marker to contains < or > (go-gitea#4709) * Hide org/create menu item in Dashboard if user has no rights (go-gitea#4678) (go-gitea#4680) * Site admin could create repos even MAX_CREATION_LIMIT=0 (go-gitea#4645) * Fix custom templates being ignored (go-gitea#4638) * Fix starring icon after semantic ui update (go-gitea#4628) * Fix Split-View line adjustment (go-gitea#4622) * Fix integer constant overflows in tests (go-gitea#4616) * Push whitelist now doesn't apply to branch deletion (go-gitea#4601) (go-gitea#4607) * Fix bugs when too many IN variables (go-gitea#4594) * Fix failure on creating pull request with assignees (go-gitea#4419) (go-gitea#4583) * Fix panic issue on update avatar email (go-gitea#4580) (go-gitea#4581) * Fix status code label for a successful webhook (go-gitea#4540) * An inactive user shouldn't be able to be added as a collaborator (go-gitea#4535) * Don't fail silently if trying to add a collaborator twice (go-gitea#4533) * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (go-gitea#4519) (go-gitea#4525) * Fix out-of-transaction query in removeOrgUser (go-gitea#4521) (go-gitea#4522) * Fix migration from older releases (go-gitea#4495) * Accept 'Data:' in commit graph (go-gitea#4487) * Update xorm to latest version and fix correct `user` table referencing in sql (go-gitea#4473) * Relative URLs for LibreJS page (go-gitea#4460) * Redirect to correct page after using scratch token (go-gitea#4458) * Fix column droping for MSSQL that need new transaction for that (go-gitea#4440) * Replace src with raw to fix image paths (go-gitea#4377) * Add default merge options when creating new repository (go-gitea#4369) * Fix docker build (go-gitea#4358) * Fixes repo membership check in API (go-gitea#4341) * Dep upgrade mysql lib (go-gitea#4161) * Fix some issues with special chars in branch names (go-gitea#3767) * Responsive design fixes (go-gitea#4508) * ENHANCEMENT * Fix milestones sorted wrongly (go-gitea#4987) * Allow api to create tags for releases if they don't exist (go-gitea#4890) * Fix go-gitea#4877 to follow the OpenID Connect Audiences spec (go-gitea#4878) * Enforce token on api routes [fixed critical security issue go-gitea#4357] (go-gitea#4840) * Update legacy branch and tag URLs in dashboard to new format (go-gitea#4812) * Slack webhook channel name cannot be empty or just contain an hashtag (go-gitea#4786) * Add whitespace handling to PR-comparsion (go-gitea#4683) * Make reverse proxy auth optional (go-gitea#4643) * MySQL TLS (go-gitea#4642) * Make sure to set PR split view when creating/previewing a pull request (go-gitea#4617) * Log user in after a successful sign up (go-gitea#4615) * Fix typo IsPullReuqestBroken -> IsPullRequestBroken (go-gitea#4578) * Allow admin toggle forcing a password change for newly created users (go-gitea#4563) * Update jQuery to v1.12.4 (go-gitea#4551) * Env var GITEA_PUSHER_EMAIL (go-gitea#4516) * Feat(repo): support search repository by topic name (go-gitea#4505) * Small improvements to dependency UI (go-gitea#4503) * Make max commits in graph configurable (go-gitea#4498) * Add valid for lfs oid (go-gitea#4461) * Add shortcut to save wiki page (go-gitea#4452) * Allow administrator to create repository for any organization (go-gitea#4368) * Fix repository last updated time update when delete a user who watched the repo (go-gitea#4363) * Switch plaintext scratch tokens to use hash instead (go-gitea#4331) * Increase default TOTP secret size to 320 bits (go-gitea#4287) * Keep preseeded database password (go-gitea#4284) * Implemented hover text showing user FullName (go-gitea#4261) * Add ability to delete a token (go-gitea#4235) * Fix typos in i18n variable names. (go-gitea#4080) * Api: repos/search: add parameters to control the sort order (go-gitea#3964) * Add missing path in the Docker app.ini template (go-gitea#2181) * Add file name and branch to page title (go-gitea#4902) * Offline use of google fonts (go-gitea#4872) * Add missing History link to directory listings v2 (go-gitea#4829) * Locale for Edit and Remove due date issue (go-gitea#4802) * Disable 'May Import Local Repository' when is disabled by setting (Is… (go-gitea#4780) * API /admin/users/{username} missing parameter (go-gitea#4775) * Display error when adding a user to a team twice (go-gitea#4746) * Remove UsePrivilegeSeparation from the Docker sshd_config, see go-gitea#2876 (go-gitea#4722) * Focus title input when clicking helper link (go-gitea#4696) * Add vendor to user reserved words and format words list according alphabet (go-gitea#4685) * Add gitea/issues link to 500 page (go-gitea#4654) * Hide home button when landing page is not set to home (go-gitea#4651) * Remove link to GitHub issues in 404 template (go-gitea#4639) * Cmd/serve: pprof cpu and memory profile dumps to disk (go-gitea#4560) * Add flash message after an account has been successfully activated (go-gitea#4510) * Prevent html entity escaping on delete branch (go-gitea#4471) * Locale for button Edit on protected branch (go-gitea#4442) * Update notification icon (go-gitea#4343) * Added front-end topics validation (go-gitea#4316) * Don't display buttons if there are no system notifications (go-gitea#4280) * Issue due date api (go-gitea#3890) * SECURITY * Improve URL validation for external wiki and external issues (go-gitea#4710) * Make cookies HttpOnly and obey COOKIE_SECURE flag (go-gitea#4706) * Don't disclose emails of all users when sending out emails (go-gitea#4664) * Check that repositories can only be migrated to own user or organizations (go-gitea#4366) * TRANSLATION * Fix punctuation in English translation (go-gitea#4958) * Fix translation (go-gitea#4355)
Check and make sure an authentication has been made using token or basic auth in reqToken handler.
When a user logs into Drone using gitea password, the current integration with Drone depends on basic auth to authenticate a Gitea user and fetches/creates an access token with the name drone. So this PR treats a valid basic auth header as the equivalent of api token, in order for Drone integration continue to work.
The user dashboard uses a few API routes for searching user/repo. All these requests use GET methods, and return results depending on whether the user has signed in, including token and other methods. These routes do not use reqToken handler, and will continue to work as they are now.
Please review and comment if changes are required. It is highly appreciated if it can be merged soon to have API routes covered.