From e5307eab385e1a47e6c192c40aa03f3f0decb41b Mon Sep 17 00:00:00 2001
From: qwerty287
Date: Wed, 30 Aug 2023 15:59:55 +0200
Subject: [PATCH 1/3] Check permissions on repo lookup

---
 server/api/repo.go | 22 ++++------------------
 server/router/api.go | 2 +-
 2 files changed, 5 insertions(+), 19 deletions(-)

diff --git a/server/api/repo.go b/server/api/repo.go
index 6ca9b64360..a68bd5eaf6 100644
--- a/server/api/repo.go
+++ b/server/api/repo.go
@@ -21,7 +21,6 @@ import (
 "fmt"
 "net/http"
 "strconv"
- "strings"
 "time"
 
 "github.com/gin-gonic/gin"
@@ -270,28 +269,15 @@ func ChownRepo(c *gin.Context) {
 // LookupRepo
 //
 // @Summary Get repository by full-name
-// @Router /repos/lookup/{repo_full_name} [get]
+// @Router /repos/lookup/{owner}/{name} [get]
 // @Produce json
 // @Success 200 {object} Repo
 // @Tags Repositories
 // @Param Authorization header string true "Insert your personal access token" default(Bearer )
-// @Param repo_full_name path string true "the repository full-name / slug"
+// @Param owner path string true "the repository owner"
+// @Param name path string true "the repository name"
 func LookupRepo(c *gin.Context) {
- _store := store.FromContext(c)
- repoFullName := strings.TrimLeft(c.Param("repo_full_name"), "/")
-
- repo, err := _store.GetRepoName(repoFullName)
- if err != nil {
- if errors.Is(err, types.RecordNotExist) {
- c.AbortWithStatus(http.StatusNotFound)
- return
- }
-
- _ = c.AbortWithError(http.StatusInternalServerError, err)
- return
- }
-
- c.JSON(http.StatusOK, repo)
+ c.JSON(http.StatusOK, session.Repo(c))
 }
 
 // GetRepo
diff --git a/server/router/api.go b/server/router/api.go
index 53025bde10..4ad58c4b41 100644
--- a/server/router/api.go
+++ b/server/router/api.go
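Review bot: The rewritten body `c.JSON(http.StatusOK, session.Repo(c))` carries no check of its own, so LookupRepo is only correct while the route keeps `session.SetRepo()`/`session.MustPull` in front of it; if the repo were ever unset the handler would answer 200 with a JSON `null`. A short comment pinning that contract would stop a future route edit from silently reopening the lookup, e.g. `// LookupRepo assumes SetRepo/SetPerm/MustPull have already run; the repo in the context is one the caller may read.` The swagger block should also gain the failure codes now produced by the middleware instead of the removed explicit 404/500 handling — the middleware is not in this hunk, so the exact set (401 for anonymous callers is visible in the session hunk, 403/404 are inferred) needs confirming. If an existing private repository yields 403 while a missing one yields 404, an authenticated caller can probe repository existence; worth checking against MustPull.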
@@ -68,7 +68,7 @@ func apiRoutes(e *gin.RouterGroup) {
 }
 }
 
- apiBase.GET("/repos/lookup/*repo_full_name", api.LookupRepo) // TODO: check if this public route is a security issue
+ apiBase.GET("/repos/lookup/:owner/:name", session.SetRepo(), session.SetPerm(), session.MustPull, api.LookupRepo)
 apiBase.POST("/repos", session.MustUser(), api.PostRepo)
 repoBase := apiBase.Group("/repos/:repo_id")
 {

From 0c3218b3032da8e678241c52fbb7961bce56f45f Mon Sep 17 00:00:00 2001
From: qwerty287
Date: Wed, 30 Aug 2023 16:09:25 +0200
Subject: [PATCH 2/3] Fix subowner

---
 server/api/repo.go | 2 +-
 server/router/api.go | 2 +-
 server/router/middleware/session/repo.go | 18 +++++++-----------
 3 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/server/api/repo.go b/server/api/repo.go
index a68bd5eaf6..1ff1f3df80 100644
--- a/server/api/repo.go
+++ b/server/api/repo.go
@@ -269,7 +269,7 @@ func ChownRepo(c *gin.Context) {
 // LookupRepo
 //
 // @Summary Get repository by full-name
-// @Router /repos/lookup/{owner}/{name} [get]
+// @Router /repos/lookup/{repo_full_name} [get]
 // @Produce json
 // @Success 200 {object} Repo
 // @Tags Repositories
diff --git a/server/router/api.go b/server/router/api.go
index 4ad58c4b41..43ac2243fe 100644
--- a/server/router/api.go
+++ b/server/router/api.go
@@ -68,7 +68,7 @@ func apiRoutes(e *gin.RouterGroup) {
 }
 }
 
- apiBase.GET("/repos/lookup/:owner/:name", session.SetRepo(), session.SetPerm(), session.MustPull, api.LookupRepo)
+ apiBase.GET("/repos/lookup/*repo_full_name", session.SetRepo(), session.SetPerm(), session.MustPull, api.LookupRepo)
 apiBase.POST("/repos", session.MustUser(), api.PostRepo)
 repoBase := apiBase.Group("/repos/:repo_id")
 {
diff --git a/server/router/middleware/session/repo.go b/server/router/middleware/session/repo.go
index 3868ab8591..58b7a1c489 100644
--- a/server/router/middleware/session/repo.go
+++ b/server/router/middleware/session/repo.go
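Review bot: The new route line depends on two facts the code does not state: the `*repo_full_name` catch-all is there because an owner slug can itself contain `/` (the reason this commit reverts the `:owner/:name` form from the previous patch), and gin delivers a `*` parameter with its leading `/`, which `session.SetRepo()` must strip before the store lookup. Both belong in a comment on the route so the next cleanup does not regress it, e.g. `// catch-all: the owner may contain slashes (forge sub-groups); SetRepo trims the leading "/" gin adds to *params`. The removed TODO is resolved by putting the lookup behind the same `SetRepo/SetPerm/MustPull` chain as the repo-scoped endpoints, but whether MustPull still admits anonymous callers for public repositories is not visible here and should be confirmed, since this route was deliberately public before. apiRoutes continues outside the hunk.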
@@ -18,6 +18,7 @@ import (
 "errors"
 "net/http"
 "strconv"
+ "strings"
 "time"
 
 "github.com/gin-gonic/gin"
@@ -45,11 +46,10 @@ func Repo(c *gin.Context) *model.Repo {
 func SetRepo() gin.HandlerFunc {
 return func(c *gin.Context) {
 var (
- _store = store.FromContext(c)
- owner = c.Param("owner")
- name = c.Param("name")
- _repoID = c.Param("repo_id")
- user = User(c)
+ _store = store.FromContext(c)
+ fullName = strings.TrimLeft(c.Param("repo_full_name"), "/")
+ _repoID = c.Param("repo_id")
+ user = User(c)
 )
 
 var repo *model.Repo
@@ -63,7 +63,7 @@ func SetRepo() gin.HandlerFunc {
 }
 repo, err = _store.GetRepo(repoID)
 } else {
- repo, err = _store.GetRepoName(owner + "/" + name)
+ repo, err = _store.GetRepoName(fullName)
 }
 
 if repo != nil {
@@ -73,11 +73,7 @@ func SetRepo() gin.HandlerFunc {
 }
 
 // debugging
- log.Debug().Msgf("Cannot find repository %s/%s. %s",
- owner,
- name,
- err.Error(),
- )
+ log.Debug().Err(err).Msgf("Cannot find repository %s.", fullName)
 
 if user == nil {
 c.AbortWithStatus(http.StatusUnauthorized)

From f1c9503796b36e5b84f7ab7096138e82af94e08d Mon Sep 17 00:00:00 2001
From: qwerty287
Date: Wed, 30 Aug 2023 16:12:23 +0200
Subject: [PATCH 3/3] fix docs

---
 server/api/repo.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/server/api/repo.go b/server/api/repo.go
index 1ff1f3df80..f92d9d2a3b 100644
--- a/server/api/repo.go
+++ b/server/api/repo.go
@@ -274,8 +274,7 @@ func ChownRepo(c *gin.Context) {
 // @Success 200 {object} Repo
 // @Tags Repositories
 // @Param Authorization header string true "Insert your personal access token" default(Bearer )
-// @Param owner path string true "the repository owner"
-// @Param name path string true "the repository name"
+// @Param repo_full_name path string true "the repository full-name / slug"
 func LookupRepo(c *gin.Context) {
 c.JSON(http.StatusOK, session.Repo(c))
 }
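Review bot: `fullName` in the new line `log.Debug().Err(err).Msgf("Cannot find repository %s.", fullName)` comes straight from the URL path, and SetRepo runs before SetPerm/MustPull on the lookup route, so any unauthenticated caller can push newlines, control characters or terminal escape sequences into the log through it; format it with `%q` instead: `log.Debug().Err(err).Msgf("Cannot find repository %q.", fullName)`. On the `repo_id` routes `c.Param("repo_full_name")` is empty, so this line logs `Cannot find repository .` and loses the id that was actually looked up — include `_repoID` in the message for that branch. Separately, the `strings.TrimLeft(..., "/")` introduced in the var block strips leading slashes only, so `owner/name/` or `owner//name` reach `GetRepoName` unchanged; whether the store tolerates that is not visible here. SetRepo's body continues past the hunk, so the authenticated not-found response could not be reviewed.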