mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-17 23:33:22 +02:00
Addresses a batch of privately reported security issues, grouped by area: - **SSRF** - migration PR-patch/asset fetches, OAuth2 avatar & OpenID discovery, pull-mirror URL re-validation, and the outbound proxy path. - **Access-token scope** - prevent scope escalation on token creation; keep public-only tokens confined (feeds, packages, Actions listings, star/watch lists, limited/private owners). - **Access control / disclosure** - go-get default-branch leak, webhook authorization-header leak, watch clearing on private transitions, label/attachment scoping. - **Denial of service** - input bounds for npm dist-tags, Debian control files, Arch file lists, and SSH keys. ### 📌 Attention for site admins Not breaking - existing configs keep working - but two changes are worth a look: - **New SSRF protection** Outbound requests (migrations, OAuth2 avatars, OpenID discovery, pull mirrors, proxy path) are now validated against the allow/block host lists. If your instance legitimately reaches internal hosts, you may need to add them to `[security].ALLOWED_HOST_LIST` (and the relevant `ALLOW_LOCALNETWORKS` settings). - **Deprecation** `[webhook].ALLOWED_HOST_LIST` is deprecated and will be removed in a future release. Use `[security].ALLOWED_HOST_LIST` instead; the old key still works for now. --------- Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Zettat123 <zettat123@gmail.com>
110 lines
3.8 KiB
Go
110 lines
3.8 KiB
Go
// Copyright 2022 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"encoding/xml"
|
|
"net/http"
|
|
"testing"
|
|
|
|
auth_model "gitea.dev/models/auth"
|
|
"gitea.dev/tests"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
// RSS is a struct to unmarshal RSS feeds test only
|
|
type RSS struct {
|
|
Channel struct {
|
|
Title string `xml:"title"`
|
|
Link string `xml:"link"`
|
|
Description string `xml:"description"`
|
|
PubDate string `xml:"pubDate"`
|
|
Items []struct {
|
|
Title string `xml:"title"`
|
|
Link string `xml:"link"`
|
|
Description string `xml:"description"`
|
|
PubDate string `xml:"pubDate"`
|
|
} `xml:"item"`
|
|
} `xml:"channel"`
|
|
}
|
|
|
|
func TestFeedUser(t *testing.T) {
|
|
t.Run("User", func(t *testing.T) {
|
|
t.Run("Atom", func(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
req := NewRequest(t, "GET", "/user2.atom")
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
data := resp.Body.String()
|
|
assert.Contains(t, data, `<feed xmlns="http://www.w3.org/2005/Atom"`)
|
|
})
|
|
|
|
t.Run("RSS", func(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
req := NewRequest(t, "GET", "/user2.rss")
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
data := resp.Body.String()
|
|
assert.Contains(t, data, `<rss version="2.0"`)
|
|
|
|
var rss RSS
|
|
err := xml.Unmarshal(resp.Body.Bytes(), &rss)
|
|
assert.NoError(t, err)
|
|
assert.Contains(t, rss.Channel.Link, "/user2")
|
|
assert.NotEmpty(t, rss.Channel.PubDate)
|
|
})
|
|
})
|
|
}
|
|
|
|
// TestFeedUserPublicOnlyToken ensures a public-only API token cannot surface a user's
|
|
// private activity through their profile feed, even when authenticated as the owner.
|
|
func TestFeedUserPublicOnlyToken(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
// user2 has activity on the private repo user2/repo2
|
|
const privateMarker = "user2/repo2"
|
|
|
|
// a normal read:user token authenticated as the owner sees private activity
|
|
fullToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser)
|
|
reqFull := NewRequest(t, "GET", "/user2.rss")
|
|
reqFull.SetBasicAuth("user2", fullToken)
|
|
respFull := MakeRequest(t, reqFull, http.StatusOK)
|
|
assert.Contains(t, respFull.Body.String(), privateMarker)
|
|
|
|
// a public-only token must not surface the private activity
|
|
publicOnlyToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopePublicOnly)
|
|
reqPublicOnly := NewRequest(t, "GET", "/user2.rss")
|
|
reqPublicOnly.SetBasicAuth("user2", publicOnlyToken)
|
|
respPublicOnly := MakeRequest(t, reqPublicOnly, http.StatusOK)
|
|
assert.NotContains(t, respPublicOnly.Body.String(), privateMarker)
|
|
}
|
|
|
|
// TestProfileActivityPublicOnlyToken ensures the HTML profile activity tab does not
|
|
// surface a user's private activity to a public-only API token, mirroring the RSS/Atom
|
|
// guard. The /{username} route is AllowBasic, so a public-only PAT used as the Basic
|
|
// password must still be downgraded even for the feed owner.
|
|
func TestProfileActivityPublicOnlyToken(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
// user2 has activity on the private repo user2/repo2
|
|
const privateMarker = "user2/repo2"
|
|
|
|
// a normal read:user token authenticated as the owner sees private activity
|
|
fullToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser)
|
|
reqFull := NewRequest(t, "GET", "/user2?tab=activity")
|
|
reqFull.SetBasicAuth("user2", fullToken)
|
|
respFull := MakeRequest(t, reqFull, http.StatusOK)
|
|
assert.Contains(t, respFull.Body.String(), privateMarker)
|
|
|
|
// a public-only token must not surface the private activity
|
|
publicOnlyToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadUser, auth_model.AccessTokenScopePublicOnly)
|
|
reqPublicOnly := NewRequest(t, "GET", "/user2?tab=activity")
|
|
reqPublicOnly.SetBasicAuth("user2", publicOnlyToken)
|
|
respPublicOnly := MakeRequest(t, reqPublicOnly, http.StatusOK)
|
|
assert.NotContains(t, respPublicOnly.Body.String(), privateMarker)
|
|
}
|