fedi/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-11-01 04:54:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
forgejo/tests/integration/git_push_test.go

289 lines
10 KiB
Go
Raw Normal View History

Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package integration
import (
"fmt"
"net/url"
"testing"
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
"time"
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
"code.gitea.io/gitea/models/db"
git_model "code.gitea.io/gitea/models/git"
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
repo_model "code.gitea.io/gitea/models/repo"
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
"code.gitea.io/gitea/modules/log"
repo_module "code.gitea.io/gitea/modules/repository"
"code.gitea.io/gitea/modules/test"
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
repo_service "code.gitea.io/gitea/services/repository"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
func forEachObjectFormat(t *testing.T, f func(t *testing.T, objectFormat git.ObjectFormat)) {
for _, objectFormat := range []git.ObjectFormat{git.Sha256ObjectFormat, git.Sha1ObjectFormat} {
t.Run(objectFormat.Name(), func(t *testing.T) {
f(t, objectFormat)
})
}
}
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
func TestGitPush(t *testing.T) {
onGiteaRun(t, testGitPush)
}
func testGitPush(t *testing.T, u *url.URL) {
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
forEachObjectFormat(t, func(t *testing.T, objectFormat git.ObjectFormat) {
t.Run("Push branches at once", func(t *testing.T) {
runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
for i := 0; i < 100; i++ {
branchName := fmt.Sprintf("branch-%d", i)
pushed = append(pushed, branchName)
doGitCreateBranch(gitPath, branchName)(t)
}
pushed = append(pushed, "master")
doGitPushTestRepository(gitPath, "origin", "--all")(t)
return pushed, deleted
})
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
})
Fix push multiple branches error with tests (#31151) (cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482) Conflicts: tests/integration/git_push_test.go trivial context conflict because of 2ac3dcbd43 test: hook post-receive for sha256 repos
2024-05-29 06:43:02 +00:00
t.Run("Push branches exists", func(t *testing.T) {
runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
for i := 0; i < 10; i++ {
branchName := fmt.Sprintf("branch-%d", i)
if i < 5 {
pushed = append(pushed, branchName)
}
doGitCreateBranch(gitPath, branchName)(t)
}
// only push master and the first 5 branches
pushed = append(pushed, "master")
args := append([]string{"origin"}, pushed...)
doGitPushTestRepository(gitPath, args...)(t)
pushed = pushed[:0]
// do some changes for the first 5 branches created above
for i := 0; i < 5; i++ {
branchName := fmt.Sprintf("branch-%d", i)
pushed = append(pushed, branchName)
doGitAddSomeCommits(gitPath, branchName)(t)
}
for i := 5; i < 10; i++ {
pushed = append(pushed, fmt.Sprintf("branch-%d", i))
}
pushed = append(pushed, "master")
Adjust codespell config + make it fix few typos which sneaked in since addition of codespell support (#4857) Now that my colleague just posted a wonderful blog post https://blog.datalad.org/posts/forgejo-runner-podman-deployment/ on forgejo runner, some time I will try to add that damn codespell action to work on CI here ;) meanwhile some typos managed to sneak in and this PR should address them (one change might be functional in a test -- not sure if would cause a fail or not) ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4857 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org> Co-authored-by: Yaroslav Halchenko <debian@onerussian.com> Co-committed-by: Yaroslav Halchenko <debian@onerussian.com>
2024-08-08 16:07:35 +00:00
// push all, so that master are not changed
Fix push multiple branches error with tests (#31151) (cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482) Conflicts: tests/integration/git_push_test.go trivial context conflict because of 2ac3dcbd43 test: hook post-receive for sha256 repos
2024-05-29 06:43:02 +00:00
doGitPushTestRepository(gitPath, "origin", "--all")(t)
return pushed, deleted
})
})
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
t.Run("Push branches one by one", func(t *testing.T) {
runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
for i := 0; i < 100; i++ {
branchName := fmt.Sprintf("branch-%d", i)
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepository(gitPath, "origin", branchName)(t)
pushed = append(pushed, branchName)
}
return pushed, deleted
})
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
})
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
t.Run("Delete branches", func(t *testing.T) {
runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
doGitPushTestRepository(gitPath, "origin", "master")(t) // make sure master is the default branch instead of a branch we are going to delete
pushed = append(pushed, "master")
for i := 0; i < 100; i++ {
branchName := fmt.Sprintf("branch-%d", i)
pushed = append(pushed, branchName)
doGitCreateBranch(gitPath, branchName)(t)
}
doGitPushTestRepository(gitPath, "origin", "--all")(t)
for i := 0; i < 10; i++ {
branchName := fmt.Sprintf("branch-%d", i)
doGitPushTestRepository(gitPath, "origin", "--delete", branchName)(t)
deleted = append(deleted, branchName)
}
return pushed, deleted
})
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
})
Restore deleted branches when syncing (#29898) Regression of #29493. If a branch has been deleted, repushing it won't restore it. Lunny may have noticed that, but I didn't delve into the comment then overlooked it: https://github.com/go-gitea/gitea/pull/29493#discussion_r1509046867 The additional comments added are to explain the issue I found during testing, which are unrelated to the fixes. (cherry picked from commit f371f84fa3456c2a71470632b6458d81e4892a54)
2024-03-20 01:45:27 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
t.Run("Push to deleted branch", func(t *testing.T) {
runTestGitPush(t, u, objectFormat, func(t *testing.T, gitPath string) (pushed, deleted []string) {
doGitPushTestRepository(gitPath, "origin", "master")(t) // make sure master is the default branch instead of a branch we are going to delete
pushed = append(pushed, "master")
Restore deleted branches when syncing (#29898) Regression of #29493. If a branch has been deleted, repushing it won't restore it. Lunny may have noticed that, but I didn't delve into the comment then overlooked it: https://github.com/go-gitea/gitea/pull/29493#discussion_r1509046867 The additional comments added are to explain the issue I found during testing, which are unrelated to the fixes. (cherry picked from commit f371f84fa3456c2a71470632b6458d81e4892a54)
2024-03-20 01:45:27 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
doGitCreateBranch(gitPath, "branch-1")(t)
doGitPushTestRepository(gitPath, "origin", "branch-1")(t)
pushed = append(pushed, "branch-1")
Restore deleted branches when syncing (#29898) Regression of #29493. If a branch has been deleted, repushing it won't restore it. Lunny may have noticed that, but I didn't delve into the comment then overlooked it: https://github.com/go-gitea/gitea/pull/29493#discussion_r1509046867 The additional comments added are to explain the issue I found during testing, which are unrelated to the fixes. (cherry picked from commit f371f84fa3456c2a71470632b6458d81e4892a54)
2024-03-20 01:45:27 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
// delete and restore
doGitPushTestRepository(gitPath, "origin", "--delete", "branch-1")(t)
doGitPushTestRepository(gitPath, "origin", "branch-1")(t)
Restore deleted branches when syncing (#29898) Regression of #29493. If a branch has been deleted, repushing it won't restore it. Lunny may have noticed that, but I didn't delve into the comment then overlooked it: https://github.com/go-gitea/gitea/pull/29493#discussion_r1509046867 The additional comments added are to explain the issue I found during testing, which are unrelated to the fixes. (cherry picked from commit f371f84fa3456c2a71470632b6458d81e4892a54)
2024-03-20 01:45:27 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
return pushed, deleted
})
Restore deleted branches when syncing (#29898) Regression of #29493. If a branch has been deleted, repushing it won't restore it. Lunny may have noticed that, but I didn't delve into the comment then overlooked it: https://github.com/go-gitea/gitea/pull/29493#discussion_r1509046867 The additional comments added are to explain the issue I found during testing, which are unrelated to the fixes. (cherry picked from commit f371f84fa3456c2a71470632b6458d81e4892a54)
2024-03-20 01:45:27 +00:00
})
})
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
}
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
func runTestGitPush(t *testing.T, u *url.URL, objectFormat git.ObjectFormat, gitOperation func(t *testing.T, gitPath string) (pushed, deleted []string)) {
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
Name: "repo-to-push",
Description: "test git push",
AutoInit: false,
DefaultBranch: "main",
IsPrivate: false,
ObjectFormatName: objectFormat.Name(),
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
})
require.NoError(t, err)
require.NotEmpty(t, repo)
gitPath := t.TempDir()
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
doGitInitTestRepository(gitPath, objectFormat)(t)
Sync branches to DB immediately when handle git hook calling (gitea#29493) Unlike other async processing in the queue, we should sync branches to the DB immediately when handling git hook calling. If it fails, users can see the error message in the output of the git command. It can avoid potential inconsistency issues, and help #29494. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-03-06 08:47:52 +00:00
oldPath := u.Path
oldUser := u.User
defer func() {
u.Path = oldPath
u.User = oldUser
}()
u.Path = repo.FullName() + ".git"
u.User = url.UserPassword(user.LowerName, userPassword)
doGitAddRemote(gitPath, "origin", u)(t)
gitRepo, err := git.OpenRepository(git.DefaultContext, gitPath)
require.NoError(t, err)
defer gitRepo.Close()
pushedBranches, deletedBranches := gitOperation(t, gitPath)
dbBranches := make([]*git_model.Branch, 0)
require.NoError(t, db.GetEngine(db.DefaultContext).Where("repo_id=?", repo.ID).Find(&dbBranches))
assert.Equalf(t, len(pushedBranches), len(dbBranches), "mismatched number of branches in db")
dbBranchesMap := make(map[string]*git_model.Branch, len(dbBranches))
for _, branch := range dbBranches {
dbBranchesMap[branch.Name] = branch
}
deletedBranchesMap := make(map[string]bool, len(deletedBranches))
for _, branchName := range deletedBranches {
deletedBranchesMap[branchName] = true
}
for _, branchName := range pushedBranches {
branch, ok := dbBranchesMap[branchName]
deleted := deletedBranchesMap[branchName]
assert.True(t, ok, "branch %s not found in database", branchName)
assert.Equal(t, deleted, branch.IsDeleted, "IsDeleted of %s is %v, but it's expected to be %v", branchName, branch.IsDeleted, deleted)
commitID, err := gitRepo.GetBranchCommitID(branchName)
require.NoError(t, err)
assert.Equal(t, commitID, branch.CommitID)
}
require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
}
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
func TestOptionsGitPush(t *testing.T) {
onGiteaRun(t, testOptionsGitPush)
}
func testOptionsGitPush(t *testing.T, u *url.URL) {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
forEachObjectFormat(t, func(t *testing.T, objectFormat git.ObjectFormat) {
repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
Name: "repo-to-push",
Description: "test git push",
AutoInit: false,
DefaultBranch: "main",
IsPrivate: false,
ObjectFormatName: objectFormat.Name(),
})
require.NoError(t, err)
require.NotEmpty(t, repo)
gitPath := t.TempDir()
doGitInitTestRepository(gitPath, objectFormat)(t)
u.Path = repo.FullName() + ".git"
u.User = url.UserPassword(user.LowerName, userPassword)
doGitAddRemote(gitPath, "origin", u)(t)
fix(hook): ignore unknown push options instead of failing If a repository has git config --add push.pushOption submit=".sourcehut/*.yml" it failed when pushed because of the unknown submit push option. It will be ignored instead. Filtering out the push options is done in an earlier stage, when the hook command runs, before it submits the options map to the private endpoint. * move all the push options logic to modules/git/pushoptions * add 100% test coverage for modules/git/pushoptions Test coverage for the code paths from which code was moved to the modules/git/pushoptions package: * cmd/hook.go:runHookPreReceive * routers/private/hook_pre_receive.go:validatePushOptions tests/integration/git_push_test.go:TestOptionsGitPush runs through both. The test verifying the option is rejected was removed and, if added again, will fail because the option is now ignored instead of being rejected. * cmd/hook.go:runHookProcReceive * services/agit/agit.go:ProcReceive tests/integration/git_test.go: doCreateAgitFlowPull runs through both. It uses variations of AGit related push options. * cmd/hook.go:runHookPostReceive * routers/private/hook_post_receive.go:HookPostReceive tests/integration/git_test.go:doPushCreate called by TestGit/HTTP/sha1/PushCreate runs through both. Note that although it provides coverage for this code path it does not use push options. Fixes: https://codeberg.org/forgejo/forgejo/issues/3651
2024-06-27 22:37:39 +00:00
t.Run("Unknown push options are silently ignored", func(t *testing.T) {
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
branchName := "branch0"
doGitCreateBranch(gitPath, branchName)(t)
fix(hook): ignore unknown push options instead of failing If a repository has git config --add push.pushOption submit=".sourcehut/*.yml" it failed when pushed because of the unknown submit push option. It will be ignored instead. Filtering out the push options is done in an earlier stage, when the hook command runs, before it submits the options map to the private endpoint. * move all the push options logic to modules/git/pushoptions * add 100% test coverage for modules/git/pushoptions Test coverage for the code paths from which code was moved to the modules/git/pushoptions package: * cmd/hook.go:runHookPreReceive * routers/private/hook_pre_receive.go:validatePushOptions tests/integration/git_push_test.go:TestOptionsGitPush runs through both. The test verifying the option is rejected was removed and, if added again, will fail because the option is now ignored instead of being rejected. * cmd/hook.go:runHookProcReceive * services/agit/agit.go:ProcReceive tests/integration/git_test.go: doCreateAgitFlowPull runs through both. It uses variations of AGit related push options. * cmd/hook.go:runHookPostReceive * routers/private/hook_post_receive.go:HookPostReceive tests/integration/git_test.go:doPushCreate called by TestGit/HTTP/sha1/PushCreate runs through both. Note that although it provides coverage for this code path it does not use push options. Fixes: https://codeberg.org/forgejo/forgejo/issues/3651
2024-06-27 22:37:39 +00:00
doGitPushTestRepository(gitPath, "origin", branchName, "-o", "uknownoption=randomvalue", "-o", "repo.private=true")(t)
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
require.NoError(t, err)
require.True(t, repo.IsPrivate)
require.False(t, repo.IsTemplate)
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
})
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
t.Run("Owner sets private & template to true via push options", func(t *testing.T) {
branchName := "branch1"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
require.NoError(t, err)
require.True(t, repo.IsPrivate)
require.True(t, repo.IsTemplate)
})
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
t.Run("Owner sets private & template to false via push options", func(t *testing.T) {
branchName := "branch2"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t)
repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
require.NoError(t, err)
require.False(t, repo.IsPrivate)
require.False(t, repo.IsTemplate)
})
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
// create a collaborator with write access
collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
u.User = url.UserPassword(collaborator.LowerName, userPassword)
doGitAddRemote(gitPath, "collaborator", u)(t)
repo_module.AddCollaborator(db.DefaultContext, repo, collaborator)
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
t.Run("Collaborator with write access is allowed to push", func(t *testing.T) {
branchName := "branch3"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepository(gitPath, "collaborator", branchName)(t)
})
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
t.Run("Collaborator with write access fails to change private & template via push options", func(t *testing.T) {
logChecker, cleanup := test.NewLogChecker(log.DEFAULT, log.TRACE)
logChecker.Filter("permission denied for changing repo settings").StopMark("Git push options validation")
defer cleanup()
branchName := "branch4"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
require.NoError(t, err)
require.False(t, repo.IsPrivate)
require.False(t, repo.IsTemplate)
logFiltered, logStopped := logChecker.Check(5 * time.Second)
assert.True(t, logStopped)
assert.True(t, logFiltered[0])
})
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
test: hook post-receive for sha256 repos failing push-to-create for sha256 will be fixed in a followup PR
2024-05-15 13:35:19 +00:00
require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> Signed-off-by: Earl Warren <contact@earl-warren.org>
2024-04-15 08:07:45 +00:00
})
}
Reference in a new issue Copy permalink