2024-04-10 08:12:19 +02:00
|
|
|
// Copyright 2024 The Gitea Authors. All rights reserved.
|
|
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
|
|
|
|
package integration
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/url"
|
|
|
|
"testing"
|
|
|
|
|
|
|
|
"code.gitea.io/gitea/models/db"
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
repo_model "code.gitea.io/gitea/models/repo"
|
2024-04-10 08:12:19 +02:00
|
|
|
"code.gitea.io/gitea/models/unittest"
|
|
|
|
user_model "code.gitea.io/gitea/models/user"
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
repo_module "code.gitea.io/gitea/modules/repository"
|
2024-04-10 08:12:19 +02:00
|
|
|
repo_service "code.gitea.io/gitea/services/repository"
|
|
|
|
|
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
)
|
|
|
|
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
func TestOptionsGitPush(t *testing.T) {
|
|
|
|
onGiteaRun(t, testOptionsGitPush)
|
2024-04-10 08:12:19 +02:00
|
|
|
}
|
|
|
|
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
func testOptionsGitPush(t *testing.T, u *url.URL) {
|
2024-04-10 08:12:19 +02:00
|
|
|
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_module.CreateRepoOptions{
|
2024-04-10 08:12:19 +02:00
|
|
|
Name: "repo-to-push",
|
|
|
|
Description: "test git push",
|
|
|
|
AutoInit: false,
|
|
|
|
DefaultBranch: "main",
|
|
|
|
IsPrivate: false,
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEmpty(t, repo)
|
|
|
|
|
|
|
|
gitPath := t.TempDir()
|
|
|
|
|
|
|
|
doGitInitTestRepository(gitPath)(t)
|
|
|
|
|
|
|
|
u.Path = repo.FullName() + ".git"
|
|
|
|
u.User = url.UserPassword(user.LowerName, userPassword)
|
|
|
|
doGitAddRemote(gitPath, "origin", u)(t)
|
|
|
|
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
{
|
|
|
|
// owner sets private & template to true via push options
|
|
|
|
branchName := "branch1"
|
|
|
|
doGitCreateBranch(gitPath, branchName)(t)
|
|
|
|
doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
|
|
|
|
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.True(t, repo.IsPrivate)
|
|
|
|
require.True(t, repo.IsTemplate)
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
// owner sets private & template to false via push options
|
|
|
|
branchName := "branch2"
|
|
|
|
doGitCreateBranch(gitPath, branchName)(t)
|
|
|
|
doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t)
|
|
|
|
repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.False(t, repo.IsPrivate)
|
|
|
|
require.False(t, repo.IsTemplate)
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
// create a collaborator with write access
|
|
|
|
collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
|
|
|
|
u.User = url.UserPassword(collaborator.LowerName, userPassword)
|
|
|
|
doGitAddRemote(gitPath, "collaborator", u)(t)
|
|
|
|
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
|
|
|
|
require.NoError(t, err)
|
|
|
|
repo_module.AddCollaborator(db.DefaultContext, repo, collaborator)
|
|
|
|
}
|
2024-04-10 08:12:19 +02:00
|
|
|
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
{
|
|
|
|
// collaborator with write access is allowed to push
|
|
|
|
branchName := "branch3"
|
|
|
|
doGitCreateBranch(gitPath, branchName)(t)
|
|
|
|
doGitPushTestRepository(gitPath, "collaborator", branchName)(t)
|
|
|
|
}
|
2024-04-10 08:12:19 +02:00
|
|
|
|
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.
Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.
There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956)
Conflicts: tests/integration/git_push_test.go
DeleteRepositoryDirectly does not exist
CreateRepoOptions is in repo_module
2024-04-15 10:07:45 +02:00
|
|
|
{
|
|
|
|
// collaborator with write access fails to change private & template via push options
|
|
|
|
branchName := "branch4"
|
|
|
|
doGitCreateBranch(gitPath, branchName)(t)
|
|
|
|
doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
|
|
|
|
repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.False(t, repo.IsPrivate)
|
|
|
|
require.False(t, repo.IsTemplate)
|
|
|
|
}
|
2024-04-10 08:12:19 +02:00
|
|
|
}
|