
New commit status API doesn't check permissions properly #20331

Closed
leytilera opened this issue Jul 12, 2022 · 3 comments · Fixed by #20332
Comments

Contributor

leytilera commented Jul 12, 2022

Description

Using the Gitea API it is currently possible with the new commit status endpoint to add a commit status to a repository, even if you don't have write access to that repository. This function does not check if the user has access to the repository.

Gitea Version

from 1.16.8 to 1.18.0+dev-90-gc8e0fd0bc

Can you reproduce the bug on the Gitea demo site?

Yes
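The defect described in this report is a missing authorization check before a state-changing API write. The following Go program is an added illustration, not Gitea's own code: it models a repository with a per-user access level on its code unit and shows the unchecked handler beside one that applies the "write code" check the fix adds. All names here (`Repo`, `AccessMode`, `createCommitStatusChecked`, the sample users) are hypothetical, and the sample repository and permissions are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// AccessMode is a hypothetical, simplified stand-in for a repository permission level.
type AccessMode int

const (
	AccessNone AccessMode = iota
	AccessRead
	AccessWrite
	AccessAdmin
)

// CommitStatus is the payload a client posts to a commit status endpoint.
type CommitStatus struct {
	SHA     string
	State   string
	Context string
	Creator string
}

// Repo models a repository with per-user access on its code unit (constructed, not Gitea's data model).
type Repo struct {
	Owner      string
	Name       string
	codeAccess map[string]AccessMode // user name -> access mode on the code unit
	statuses   []CommitStatus
}

// ErrForbidden is returned when the caller lacks write access to the repository's code.
var ErrForbidden = errors.New("forbidden: write access to repository code required")

// canWriteCode is the authorization check the fix introduces: a user with no entry
// falls back to AccessNone, so missing permissions deny by default.
func (r *Repo) canWriteCode(user string) bool {
	return r.codeAccess[user] >= AccessWrite
}

// createCommitStatusUnchecked reproduces the reported defect: any authenticated
// user can attach a status to any repository because no permission is consulted.
func createCommitStatusUnchecked(r *Repo, user string, s CommitStatus) (int, error) {
	s.Creator = user
	r.statuses = append(r.statuses, s)
	return http.StatusCreated, nil
}

// createCommitStatusChecked is the hardened handler: authorization is decided
// before any state is written, and a denial leaves the repository untouched.
func createCommitStatusChecked(r *Repo, user string, s CommitStatus) (int, error) {
	if !r.canWriteCode(user) {
		return http.StatusForbidden, ErrForbidden
	}
	s.Creator = user
	r.statuses = append(r.statuses, s)
	return http.StatusCreated, nil
}

// newSampleRepo builds a constructed repository with one writer and one read-only user.
func newSampleRepo() *Repo {
	return &Repo{
		Owner: "octo",
		Name:  "demo",
		codeAccess: map[string]AccessMode{
			"maintainer": AccessWrite,
			"reader":     AccessRead, // may read the code but must not post statuses
			// "outsider" has no entry at all and therefore resolves to AccessNone
		},
	}
}

func main() {
	status := CommitStatus{SHA: "0000000000000000000000000000000000000000", State: "success", Context: "ci/lint"}
	for _, user := range []string{"maintainer", "reader", "outsider"} {
		unchecked, _ := createCommitStatusUnchecked(newSampleRepo(), user, status)
		checked, err := createCommitStatusChecked(newSampleRepo(), user, status)
		fmt.Printf("%-10s unchecked=%d checked=%d err=%v\n", user, unchecked, checked, err)
	}
}
```

The important property of the checked variant is that the permission lookup happens before the append and that an absent permission entry denies rather than allows; an endpoint that writes first and checks afterwards, or that treats a missing entry as readable, would still let a read-only or unrelated account forge CI results on someone else's repository.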

@zeripath zeripath changed the title New commit status API security issue New commit status API doesn't check permissions properly Jul 12, 2022
Gusted added a commit to Gusted/gitea that referenced this issue Jul 12, 2022
- Backport go-gitea#20332
  - Add write code checks for creating new commit status
  - Regression from go-gitea#5314
  - Resolves go-gitea#20331
@zeripath
Contributor

Thank you for reporting this, but in future please report issues like this directly to security@gitea.io.

NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.

By opening a public issue like this you've advertised this issue to everyone reading the bug tracker before we have had a chance to fix this or release a fixed version.

@zeripath zeripath changed the title New commit status API doesn't check permissions properly [CENSORED] Jul 12, 2022
6543 pushed a commit that referenced this issue Jul 12, 2022
- Backport #20332
  - Add write code checks for creating new commit status
  - Regression from #5314
  - Resolves #20331
@6543 6543 added this to the 1.16.9 milestone Jul 12, 2022
@6543 6543 changed the title [CENSORED] New commit status API doesn't check permissions properly Jul 12, 2022
@6543
Member

6543 commented Jul 12, 2022

@leytilera **PLEASE** follow SECURITY.md next time

& thanks for reporting

@6543
Member

6543 commented Jul 12, 2022

also would you like to be mentioned in the https://blog.gitea.io ?

tyroneyeh added a commit to tyroneyeh/gitea that referenced this issue Jul 13, 2022
commit 713bc6c
Author: 6543 <6543@obermui.de>
Date:   Tue Jul 12 20:26:27 2022 +0200

    Changelog for 1.16.9 (update) (go-gitea#20341)

    * Changelog for 1.16.9 (update)

    * update security section

commit 6b7e860
Author: Lunny Xiao <xiaolunwen@gmail.com>
Date:   Wed Jul 13 01:13:31 2022 +0800

    Hide notify mail setting ui if not enabled (go-gitea#20138) (go-gitea#20337)

    Backport go-gitea#20138

commit 0f89417
Author: Gusted <williamzijl7@hotmail.com>
Date:   Tue Jul 12 12:52:20 2022 +0000

    Add write check for creating Commit status (go-gitea#20332) (go-gitea#20334)

    - Backport go-gitea#20332
      - Add write code checks for creating new commit status
      - Regression from go-gitea#5314
      - Resolves go-gitea#20331

commit 7c80a0b
Author: zeripath <art27@cantab.net>
Date:   Mon Jul 11 10:15:43 2022 +0100

    Ensure that drone tags 1.16.x and 1.16 on push to v1.16.x tag (go-gitea#20304)

    We need pushes to v1.16.9 to create tags to 1.16.9 and 1.16 but not 1 or latest.

    We have previously adjusted the manifest to remove the latest tag, and have removed
    auto_tags so that 1 does not get tagged but in doing so we also stopped 1.16 being
    tagged. So here we just state that we tag x.yy in addition to x.yyz*.

    Signed-off-by: Andrew Thornton <art27@cantab.net>

commit b42df31
Author: zeripath <art27@cantab.net>
Date:   Wed Jul 6 02:47:16 2022 +0100

    Only show Followers that current user can access (go-gitea#20220) (go-gitea#20253)

    Backport go-gitea#20220

    Users who are following or being followed by a user should only be
    displayed if the viewing user can see them.

    Signed-off-by: Andrew Thornton <art27@cantab.net>

commit 6162fb0
Author: Gusted <williamzijl7@hotmail.com>
Date:   Fri Jul 1 17:39:10 2022 +0200

    Check for permission when fetching user controlled issues (go-gitea#20133) (go-gitea#20196)

    * Check if project has the same repository id with issue when assign project to issue

    * Check if issue's repository id match project's repository id

    * Add more permission checking

    * Remove invalid argument

    * Fix errors

    * Add generic check

    * Remove duplicated check

    * Return error + add check for new issues

    * Apply suggestions from code review

    Co-authored-by: Gusted <williamzijl7@hotmail.com>
    Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
    Co-authored-by: 6543 <6543@obermui.de>
@go-gitea go-gitea locked and limited conversation to collaborators May 3, 2023