Merge pull request 'hooks: Harden when we accept push options that change repo settings' (#3314) from earl-warren/forgejo:wip-push-options into forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3314
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gergely Nagy <algernon@noreply.codeberg.org>
This commit is contained in:
Earl Warren 2024-04-20 05:57:35 +00:00
commit 41e0507cd3
2 changed files with 153 additions and 0 deletions

View file

@ -4,6 +4,7 @@
package private
import (
"errors"
"fmt"
"net/http"
"os"
@ -101,6 +102,60 @@ func (ctx *preReceiveContext) AssertCreatePullRequest() bool {
return true
}
var errPermissionDenied = errors.New("permission denied for changing repo settings")
func (ctx *preReceiveContext) canChangeSettings() error {
if !ctx.loadPusherAndPermission() {
return errPermissionDenied
}
if !ctx.userPerm.IsOwner() && !ctx.userPerm.IsAdmin() {
return errPermissionDenied
}
if ctx.Repo.Repository.IsFork {
return errPermissionDenied
}
return nil
}
func (ctx *preReceiveContext) validatePushOptions() error {
opts := web.GetForm(ctx).(*private.HookOptions)
if len(opts.GitPushOptions) == 0 {
return nil
}
changesRepoSettings := false
for key := range opts.GitPushOptions {
switch key {
case private.GitPushOptionRepoPrivate, private.GitPushOptionRepoTemplate:
changesRepoSettings = true
case "topic", "force-push", "title", "description":
// Agit options
default:
return fmt.Errorf("unknown option %s", key)
}
}
if changesRepoSettings {
return ctx.canChangeSettings()
}
return nil
}
func (ctx *preReceiveContext) assertPushOptions() bool {
if err := ctx.validatePushOptions(); err != nil {
ctx.JSON(http.StatusForbidden, private.Response{
UserMsg: fmt.Sprintf("options validation failed: %v", err),
})
return false
}
return true
}
// HookPreReceive checks whether a individual commit is acceptable
func HookPreReceive(ctx *gitea_context.PrivateContext) {
opts := web.GetForm(ctx).(*private.HookOptions)
@ -111,6 +166,12 @@ func HookPreReceive(ctx *gitea_context.PrivateContext) {
opts: opts,
}
if !ourCtx.assertPushOptions() {
log.Trace("Git push options validation failed")
return
}
log.Trace("Git push options validation succeeded")
// Iterate across the provided old commit IDs
for i := range opts.OldCommitIDs {
oldCommitID := opts.OldCommitIDs[i]

View file

@ -7,12 +7,17 @@ import (
"fmt"
"net/url"
"testing"
"time"
"code.gitea.io/gitea/models/db"
git_model "code.gitea.io/gitea/models/git"
repo_model "code.gitea.io/gitea/models/repo"
"code.gitea.io/gitea/models/unittest"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/git"
"code.gitea.io/gitea/modules/log"
repo_module "code.gitea.io/gitea/modules/repository"
"code.gitea.io/gitea/modules/test"
repo_service "code.gitea.io/gitea/services/repository"
"github.com/stretchr/testify/assert"
@ -146,3 +151,90 @@ func runTestGitPush(t *testing.T, u *url.URL, gitOperation func(t *testing.T, gi
require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
}
func TestOptionsGitPush(t *testing.T) {
onGiteaRun(t, testOptionsGitPush)
}
func testOptionsGitPush(t *testing.T, u *url.URL) {
user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
Name: "repo-to-push",
Description: "test git push",
AutoInit: false,
DefaultBranch: "main",
IsPrivate: false,
})
require.NoError(t, err)
require.NotEmpty(t, repo)
gitPath := t.TempDir()
doGitInitTestRepository(gitPath)(t)
u.Path = repo.FullName() + ".git"
u.User = url.UserPassword(user.LowerName, userPassword)
doGitAddRemote(gitPath, "origin", u)(t)
t.Run("Unknown push options are rejected", func(t *testing.T) {
logChecker, cleanup := test.NewLogChecker(log.DEFAULT, log.TRACE)
logChecker.Filter("unknown option").StopMark("Git push options validation")
defer cleanup()
branchName := "branch0"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepositoryFail(gitPath, "origin", branchName, "-o", "repo.template=false", "-o", "uknownoption=randomvalue")(t)
logFiltered, logStopped := logChecker.Check(5 * time.Second)
assert.True(t, logStopped)
assert.True(t, logFiltered[0])
})
t.Run("Owner sets private & template to true via push options", func(t *testing.T) {
branchName := "branch1"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
require.NoError(t, err)
require.True(t, repo.IsPrivate)
require.True(t, repo.IsTemplate)
})
t.Run("Owner sets private & template to false via push options", func(t *testing.T) {
branchName := "branch2"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t)
repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
require.NoError(t, err)
require.False(t, repo.IsPrivate)
require.False(t, repo.IsTemplate)
})
// create a collaborator with write access
collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
u.User = url.UserPassword(collaborator.LowerName, userPassword)
doGitAddRemote(gitPath, "collaborator", u)(t)
repo_module.AddCollaborator(db.DefaultContext, repo, collaborator)
t.Run("Collaborator with write access is allowed to push", func(t *testing.T) {
branchName := "branch3"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepository(gitPath, "collaborator", branchName)(t)
})
t.Run("Collaborator with write access fails to change private & template via push options", func(t *testing.T) {
logChecker, cleanup := test.NewLogChecker(log.DEFAULT, log.TRACE)
logChecker.Filter("permission denied for changing repo settings").StopMark("Git push options validation")
defer cleanup()
branchName := "branch4"
doGitCreateBranch(gitPath, branchName)(t)
doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
require.NoError(t, err)
require.False(t, repo.IsPrivate)
require.False(t, repo.IsTemplate)
logFiltered, logStopped := logChecker.Check(5 * time.Second)
assert.True(t, logStopped)
assert.True(t, logFiltered[0])
})
require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, repo.ID))
}