mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-13 20:50:52 +00:00
Backport #38406 by @bircni Addresses a batch of privately reported security issues, grouped by area: - **SSRF** - migration PR-patch/asset fetches, OAuth2 avatar & OpenID discovery, pull-mirror URL re-validation, and the outbound proxy path. - **Access-token scope** - prevent scope escalation on token creation; keep public-only tokens confined (feeds, packages, Actions listings, star/watch lists, limited/private owners). - **Access control / disclosure** - go-get default-branch leak, webhook authorization-header leak, watch clearing on private transitions, label/attachment scoping. - **Denial of service** - input bounds for npm dist-tags, Debian control files, Arch file lists, and SSH keys. ### 📌 Attention for site admins Not breaking - existing configs keep working - but two changes are worth a look: - **New SSRF protection** Outbound requests (migrations, OAuth2 avatars, OpenID discovery, pull mirrors, proxy path) are now validated against the allow/block host lists. If your instance legitimately reaches internal hosts, you may need to add them to `[security].ALLOWED_HOST_LIST` (and the relevant `ALLOW_LOCALNETWORKS` settings). - **Deprecation** `[webhook].ALLOWED_HOST_LIST` is deprecated and will be removed in a future release. Use `[security].ALLOWED_HOST_LIST` instead; the old key still works for now. Co-authored-by: bircni <bircni@icloud.com> Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Zettat123 <zettat123@gmail.com>
99 lines
3.6 KiB
Go
99 lines
3.6 KiB
Go
// Copyright 2022 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"testing"
|
|
|
|
auth_model "gitea.dev/models/auth"
|
|
repo_model "gitea.dev/models/repo"
|
|
"gitea.dev/models/unittest"
|
|
user_model "gitea.dev/models/user"
|
|
api "gitea.dev/modules/structs"
|
|
"gitea.dev/tests"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
func TestAPICreateHook(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 37})
|
|
owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
|
|
|
|
// user1 is an admin user
|
|
session := loginUser(t, "user1")
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
|
|
req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/%s", owner.Name, repo.Name, "hooks"), api.CreateHookOption{
|
|
Type: "gitea",
|
|
Config: api.CreateHookOptionConfig{
|
|
"content_type": "json",
|
|
"url": "http://example.com/",
|
|
},
|
|
AuthorizationHeader: "Bearer s3cr3t",
|
|
Name: " CI notifications ",
|
|
}).AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusCreated)
|
|
|
|
apiHook := DecodeJSON(t, resp, &api.Hook{})
|
|
assert.Equal(t, "http://example.com/", apiHook.Config["url"])
|
|
// the stored authorization header is a secret and must never be returned by the API
|
|
assert.Empty(t, apiHook.AuthorizationHeader)
|
|
assert.Equal(t, "CI notifications", apiHook.Name)
|
|
|
|
// a read-scoped token must not be able to read back the authorization header
|
|
readToken := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
|
|
getReq := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/hooks/%d", owner.Name, repo.Name, apiHook.ID)).
|
|
AddTokenAuth(readToken)
|
|
getResp := MakeRequest(t, getReq, http.StatusOK)
|
|
assert.NotContains(t, getResp.Body.String(), "s3cr3t")
|
|
|
|
newName := "Deploy hook"
|
|
patchReq := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/hooks/%d", owner.Name, repo.Name, apiHook.ID), api.EditHookOption{
|
|
Name: &newName,
|
|
}).AddTokenAuth(token)
|
|
patchResp := MakeRequest(t, patchReq, http.StatusOK)
|
|
patched := DecodeJSON(t, patchResp, &api.Hook{})
|
|
assert.Equal(t, newName, patched.Name)
|
|
|
|
hooksURL := fmt.Sprintf("/api/v1/repos/%s/%s/hooks", owner.Name, repo.Name)
|
|
|
|
// Create with Name field omitted: Name should be ""
|
|
req2 := NewRequestWithJSON(t, "POST", hooksURL, api.CreateHookOption{
|
|
Type: "gitea",
|
|
Config: api.CreateHookOptionConfig{
|
|
"content_type": "json",
|
|
"url": "http://example.com/",
|
|
},
|
|
}).AddTokenAuth(token)
|
|
resp2 := MakeRequest(t, req2, http.StatusCreated)
|
|
created := DecodeJSON(t, resp2, &api.Hook{})
|
|
assert.Empty(t, created.Name)
|
|
|
|
hookURL := fmt.Sprintf("/api/v1/repos/%s/%s/hooks/%d", owner.Name, repo.Name, created.ID)
|
|
|
|
// PATCH with Name set: existing Name must be updated
|
|
setName := "original"
|
|
setReq := NewRequestWithJSON(t, "PATCH", hookURL, api.EditHookOption{
|
|
Name: &setName,
|
|
}).AddTokenAuth(token)
|
|
MakeRequest(t, setReq, http.StatusOK)
|
|
|
|
// PATCH without Name field: name must remain "original"
|
|
patchReq2 := NewRequestWithJSON(t, "PATCH", hookURL, api.EditHookOption{}).AddTokenAuth(token)
|
|
patchResp2 := MakeRequest(t, patchReq2, http.StatusOK)
|
|
notCleared := DecodeJSON(t, patchResp2, &api.Hook{})
|
|
assert.Equal(t, "original", notCleared.Name)
|
|
|
|
// PATCH with Name: "" explicitly: Name should be cleared to ""
|
|
clearReq := NewRequestWithJSON(t, "PATCH", hookURL, api.EditHookOption{
|
|
Name: new(""),
|
|
}).AddTokenAuth(token)
|
|
clearResp := MakeRequest(t, clearReq, http.StatusOK)
|
|
cleared := DecodeJSON(t, clearResp, &api.Hook{})
|
|
assert.Empty(t, cleared.Name)
|
|
}
|