

@zeripath zeripath commented Jan 4, 2019

Unfortunately, a suitably malformed request to DeleteFilePost will allow arbitrary deletion. Further, it was also possible to adjust the .git directories on editFilePost and UploadFilePost.
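As an added illustration (not Gitea's code and not the PR's actual cleanUploadFileName), a hypothetical Go sanitiser, cleanTreePath, showing the class of check the fix applies to a user-supplied tree path before a delete, edit or upload handler acts on it: parent-directory components are rejected rather than silently resolved, and any component naming a .git directory is refused. The function name and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// cleanTreePath is a hypothetical sanitiser for a user-supplied tree path
// (not Gitea's cleanUploadFileName). It returns a normalised path relative
// to the repository root, or an error if the path contains a parent
// directory reference or would touch a ".git" directory.
func cleanTreePath(treePath string) (string, error) {
	// Some clients send backslashes; normalise them first so a component
	// like "..\" cannot slip past a forward-slash-only split.
	p := strings.ReplaceAll(treePath, "\\", "/")
	var parts []string
	for _, part := range strings.Split(p, "/") {
		switch {
		case part == "" || part == ".":
			continue // collapse "a//b", "./a" and a leading "/"
		case part == "..":
			return "", errors.New("parent directory references are not allowed")
		case strings.EqualFold(part, ".git"):
			// Case-insensitive: ".GIT" is ".git" on case-insensitive filesystems.
			return "", errors.New("paths inside a .git directory are not allowed")
		case strings.ContainsRune(part, 0):
			return "", errors.New("NUL byte in path component")
		}
		parts = append(parts, part)
	}
	if len(parts) == 0 {
		return "", errors.New("empty tree path")
	}
	return path.Join(parts...), nil
}

func main() {
	// Constructed sample inputs, as a delete/edit/upload handler might receive them.
	for _, in := range []string{
		"docs/./README.md",
		"../../.ssh/authorized_keys",
		".git/config",
		"sub\\.GIT\\hooks\\pre-receive",
	} {
		out, err := cleanTreePath(in)
		fmt.Printf("%-32q -> %q, err=%v\n", in, out, err)
	}
}
```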

@codecov-io

codecov-io commented Jan 4, 2019

Codecov Report

No coverage uploaded for pull request base (master@5a1ea37).
The diff coverage is 6.25%.

@@            Coverage Diff            @@
##             master    #5631   +/-   ##
=========================================
  Coverage          ?   37.81%           
=========================================
  Files             ?      322           
  Lines             ?    47485           
  Branches          ?        0           
=========================================
  Hits              ?    17957           
  Misses            ?    26939           
  Partials          ?     2589
Impacted Files Coverage Δ
routers/repo/editor.go 29.01% <6.25%> (ø)

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@bkcsoft bkcsoft added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jan 4, 2019
@jonasfranz jonasfranz added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! backport/v1.7 labels Jan 4, 2019
@jonasfranz jonasfranz added this to the 1.7.0 milestone Jan 4, 2019
@jonasfranz
Member

@go-gitea/owners I think we have to backport this to 1.6 since this is quite critical IMHO.

    This commit wraps more of the TreePaths with cleanUploadFileName

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath force-pushed the protect-delete-file branch from 9663346 to d87fcfc January 4, 2019 15:54
@bkcsoft bkcsoft added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jan 4, 2019
@bkcsoft bkcsoft added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 4, 2019
@techknowlogick techknowlogick merged commit fd1e856 into go-gitea:master Jan 4, 2019
@techknowlogick
Member

@zeripath thanks for the PR :) as @jonasfranz has said, please backport to both release/v1.7 and release/v1.6

@zeripath zeripath deleted the protect-delete-file branch January 4, 2019 16:13
zeripath added a commit to zeripath/gitea that referenced this pull request Jan 4, 2019
…itea#5631)

This commit wraps more of the TreePaths with cleanUploadFileName

Signed-off-by: Andrew Thornton <[email protected]>
zeripath added a commit to zeripath/gitea that referenced this pull request Jan 4, 2019
…itea#5631)

This commit wraps more of the TreePaths with cleanUploadFileName

Signed-off-by: Andrew Thornton <[email protected]>
jonasfranz pushed a commit that referenced this pull request Jan 4, 2019
… (#5634)

This commit wraps more of the TreePaths with cleanUploadFileName

Signed-off-by: Andrew Thornton <[email protected]>
@jonasfranz jonasfranz added the backport/done All backports for this PR have been created label Jan 4, 2019
jonasfranz pushed a commit that referenced this pull request Jan 4, 2019
… (#5635)

This commit wraps more of the TreePaths with cleanUploadFileName

Signed-off-by: Andrew Thornton <[email protected]>
@lafriks lafriks modified the milestones: 1.7.0, 1.8.0 Jan 4, 2019
@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020