forgejo/tests
Gergely Nagy cc80e66153
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options is present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-18 11:53:30 +02:00
e2e Change green buttons to primary color (#27099) 2023-09-18 22:05:31 +00:00
fuzz Rework markup link rendering (#26745) (#28803) 2024-01-16 14:41:11 +00:00
gitea-lfs-meta Test views of LFS files (#22196) 2022-12-23 07:41:56 +08:00
gitea-repositories-meta [GITEA] Detect file rename and show in history 2023-11-13 14:06:30 +01:00
integration hooks: Harden when we accept push options that change repo settings 2024-04-18 11:53:30 +02:00
testdata/data/attachments/a/0 Allow get release download files and lfs files with oauth2 token format (#26430) (#27379) 2023-10-01 19:54:11 +08:00
mssql.ini.tmpl [CI] set PASSWORD_HASH_ALGO = argon2 for integration tests 2023-11-13 11:52:15 +01:00
mysql.ini.tmpl [CI] set PASSWORD_HASH_ALGO = argon2 for integration tests 2023-11-13 11:52:15 +01:00
mysql8.ini.tmpl [CI] set PASSWORD_HASH_ALGO = argon2 for integration tests 2023-11-13 11:52:15 +01:00
pgsql.ini.tmpl [CI] set PASSWORD_HASH_ALGO = argon2 for integration tests 2023-11-13 11:52:15 +01:00
sqlite.ini.tmpl [TESTS] increase test-sqlite log level to Trace 2023-11-13 12:33:48 +01:00
test_utils.go [TESTS] tests.AddFixtures helper loads additional per-test fixtures 2023-11-13 12:33:49 +01:00