mirror of
1
Fork 0
forgejo/routers
Gergely Nagy c8645d2a70
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e66153)

Conflicts: tests/integration/git_push_test.go
  	DeleteRepositoryDirectly does not exist
	CreateRepoOptions is in repo_module
2024-04-18 23:07:18 +02:00
..
api Do some missing checks (#28423) 2023-12-12 22:25:17 +01:00
common [BRANDING] Use `forgejo` binary name 2023-07-17 00:25:56 +02:00
install [GITEA] rework long-term authentication 2023-10-05 08:50:54 +02:00
private hooks: Harden when we accept push options that change repo settings 2024-04-18 23:07:18 +02:00
utils Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
web Do some missing checks (#28423) 2023-12-12 22:25:17 +01:00
init.go [API] Forgejo API /api/forgejo/v1 2023-07-16 23:44:22 +02:00