Merge pull request from GHSA-v627-69v2-xx37

Fixes #GHSA-v627-69v2-xx37 Change GetRepositoryByRepoName query to include project ID. This enforces that the user can only access the repos in the project they authorized with. This fixes a security issue where several API endpoints allowed any authenticated user to manipulate any repo in the DB, irrespective of who owned it.
mindersec · Mar 4, 2024 · 45750b4 · 45750b4
1 parent 5fd0f74
commit 45750b4
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 11 deletions.
diff --git a/database/query/repositories.sql b/database/query/repositories.sql
@@ -20,7 +20,7 @@ SELECT * FROM repositories WHERE id = $1;
 SELECT * FROM repositories WHERE repo_id = $1;
 
 -- name: GetRepositoryByRepoName :one
-SELECT * FROM repositories WHERE provider = $1 AND repo_owner = $2 AND repo_name = $3;
+SELECT * FROM repositories WHERE provider = $1 AND repo_owner = $2 AND repo_name = $3 AND project_id = $4;
 
 -- name: GetRepositoryByIDAndProject :one
 SELECT * FROM repositories WHERE provider = $1 AND repo_id = $2 AND project_id = $3;

diff --git a/internal/controlplane/handlers_artifacts.go b/internal/controlplane/handlers_artifacts.go
@@ -71,10 +71,14 @@ func (s *Server) GetArtifactByName(ctx context.Context, in *pb.GetArtifactByName
 		return nil, util.UserVisibleError(codes.InvalidArgument, "invalid artifact name user repoOwner/repoName/artifactName")
 	}
 
+	entityCtx := engine.EntityFromContext(ctx)
+	projectID := entityCtx.Project.ID
+
 	repo, err := s.store.GetRepositoryByRepoName(ctx, db.GetRepositoryByRepoNameParams{
 		Provider:  in.GetContext().GetProvider(),
 		RepoOwner: nameParts[0],
 		RepoName:  nameParts[1],
+		ProjectID: projectID,
 	})
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {

diff --git a/internal/controlplane/handlers_repositories.go b/internal/controlplane/handlers_repositories.go
@@ -274,8 +274,12 @@ func (s *Server) GetRepositoryByName(ctx context.Context,
 		return nil, providerError(err)
 	}
 
-	repo, err := s.store.GetRepositoryByRepoName(ctx,
-		db.GetRepositoryByRepoNameParams{Provider: provider.Name, RepoOwner: fragments[0], RepoName: fragments[1]})
+	repo, err := s.store.GetRepositoryByRepoName(ctx, db.GetRepositoryByRepoNameParams{
+		Provider:  provider.Name,
+		RepoOwner: fragments[0],
+		RepoName:  fragments[1],
+		ProjectID: projectID,
+	})
 
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, status.Errorf(codes.NotFound, "repository not found")
@@ -352,8 +356,12 @@ func (s *Server) DeleteRepositoryByName(ctx context.Context,
 		return nil, providerError(err)
 	}
 
-	repo, err := s.store.GetRepositoryByRepoName(ctx,
-		db.GetRepositoryByRepoNameParams{Provider: provider.Name, RepoOwner: fragments[0], RepoName: fragments[1]})
+	repo, err := s.store.GetRepositoryByRepoName(ctx, db.GetRepositoryByRepoNameParams{
+		Provider:  provider.Name,
+		RepoOwner: fragments[0],
+		RepoName:  fragments[1],
+		ProjectID: projectID,
+	})
 
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, status.Errorf(codes.NotFound, "repository not found")

diff --git a/internal/db/repositories.sql.go b/internal/db/repositories.sql.go
diff --git a/internal/db/repositories_test.go b/internal/db/repositories_test.go
@@ -129,7 +129,11 @@ func TestGetRepositoryByRepoName(t *testing.T) {
 	repo1 := createRandomRepository(t, project.ID, prov.Name)
 
 	repo2, err := testQueries.GetRepositoryByRepoName(context.Background(), GetRepositoryByRepoNameParams{
-		Provider: repo1.Provider, RepoOwner: repo1.RepoOwner, RepoName: repo1.RepoName})
+		Provider:  repo1.Provider,
+		RepoOwner: repo1.RepoOwner,
+		RepoName:  repo1.RepoName,
+		ProjectID: project.ID,
+	})
 	require.NoError(t, err)
 	require.NotEmpty(t, repo2)