2026-03-03 17:55:35 +01:00
|
|
|
rules:
|
|
|
|
|
- id: forgejo-api-use-resource-SearchRepoOptions
|
|
|
|
|
patterns:
|
|
|
|
|
- pattern: |
|
|
|
|
|
repo_model.SearchRepoOptions{...}
|
|
|
|
|
- pattern-not: |
|
|
|
|
|
repo_model.SearchRepoOptions{
|
|
|
|
|
...,
|
|
|
|
|
AuthorizationReducer: ctx.Reducer,
|
|
|
|
|
...
|
|
|
|
|
}
|
|
|
|
|
languages:
|
|
|
|
|
- go
|
|
|
|
|
message: >
|
|
|
|
|
SearchRepoOptions does not take into account fine-grained access token limitations. Include the
|
|
|
|
|
AuthorizationReducer field.
|
|
|
|
|
severity: ERROR
|
|
|
|
|
paths:
|
|
|
|
|
include:
|
|
|
|
|
- "/routers/api/**/*.go"
|
|
|
|
|
|
|
|
|
|
- id: forgejo-api-use-resource-SearchRepoOptions
|
|
|
|
|
patterns:
|
|
|
|
|
- pattern: |
|
|
|
|
|
organization.SearchTeamRepoOptions{...}
|
|
|
|
|
- pattern-not: |
|
|
|
|
|
organization.SearchTeamRepoOptions{
|
|
|
|
|
...,
|
|
|
|
|
AuthorizationReducer: ctx.Reducer,
|
|
|
|
|
...
|
|
|
|
|
}
|
|
|
|
|
languages:
|
|
|
|
|
- go
|
|
|
|
|
message: >
|
|
|
|
|
SearchTeamRepoOptions does not take into account fine-grained access token limitations. Include the
|
|
|
|
|
AuthorizationReducer field.
|
|
|
|
|
severity: ERROR
|
|
|
|
|
paths:
|
|
|
|
|
include:
|
|
|
|
|
- "/routers/api/**/*.go"
|
|
|
|
|
|
|
|
|
|
- id: forgejo-api-use-resource-GetUserRepoPermission
|
|
|
|
|
patterns:
|
|
|
|
|
- pattern: |
|
|
|
|
|
$X.GetUserRepoPermission($CTX, $REPO, $DOER)
|
|
|
|
|
- metavariable-type:
|
|
|
|
|
metavariable: $CTX
|
|
|
|
|
types:
|
|
|
|
|
- "*context.APIContext"
|
|
|
|
|
languages:
|
|
|
|
|
- go
|
|
|
|
|
message: >
|
|
|
|
|
GetUserRepoPermission does not take into account fine-grained access token limitations. Use
|
|
|
|
|
GetUserRepoPermissionWithReducer.
|
|
|
|
|
fix: |
|
|
|
|
|
$X.GetUserRepoPermissionWithReducer($CTX, $REPO, $DOER, $CTX.Reducer)
|
|
|
|
|
severity: ERROR
|
|
|
|
|
|
|
|
|
|
- id: forgejo-api-suspicious-GetUserRepoPermission
|
|
|
|
|
patterns:
|
|
|
|
|
- pattern: $X.GetUserRepoPermission($CTX, $REPO, $DOER)
|
|
|
|
|
- pattern-not: # don't match if identical to forgejo-api-use-resource-GetUserRepoPermission
|
|
|
|
|
patterns:
|
|
|
|
|
- pattern: |
|
|
|
|
|
$X.GetUserRepoPermission($CTX, $REPO, $DOER)
|
|
|
|
|
- metavariable-type:
|
|
|
|
|
metavariable: $CTX
|
|
|
|
|
types:
|
|
|
|
|
- "*context.APIContext"
|
|
|
|
|
languages:
|
|
|
|
|
- go
|
|
|
|
|
message: >
|
|
|
|
|
API code is accessing GetUserRepoPermission which does not take into account fine-grained access token
|
|
|
|
|
limitations. Should this use GetUserRepoPermissionWithReducer?
|
|
|
|
|
severity: ERROR
|
|
|
|
|
paths:
|
|
|
|
|
include:
|
|
|
|
|
- "/routers/api/**/*.go"
|
feat: remove admin-level permissions from repo-specific & public-only access tokens (#11468)
This PR is part of a series (#11311).
If the user authenticating to an API call is a Forgejo site administrator, or a Forgejo repo administrator, a wide variety of permission and ownership checks in the API are either bypassed, or are bypassable. If a user has created an access token with restricted resources, I understand the intent of the user is to create a token which has a layer of risk reduction in the event that the token is lost/leaked to an attacker. For this reason, it makes sense to me that restricted scope access tokens shouldn't inherit the owner's administrator access.
My intent is that repo-specific access tokens [will only be able to access specific authorization scopes](https://codeberg.org/forgejo/design/issues/50#issuecomment-11093951), probably: `repository:read`, `repository:write`, `issue:read`, `issue:write`, (`organization:read` / `user:read` maybe). This means that *most* admin access is not intended to be affected by this because repo-specific access tokens won't have, for example, `admin:write` scope. However, administrative access still grants elevated permissions in some areas that are relevant to these scopes, and need to be restricted:
- The `?sudo=otheruser` query parameter allows site administrators to impersonate other users in the API.
- Repository management rules are different for a site administrator, allowing them to create repos for another user, create repos in another organization, migrate a repository to an arbitrary owner, and transfer a repository to a prviate organization.
- Administrators have access to extra data through some APIs which would be in scope: the detailed configuration of branch protection rules, the some details of repository deploy keys (which repo, and which scope -- seems odd), (user:read -- user SSH keys, activity feeds of private users, user profiles of private users, user webhook configurations).
- Pull request reviews have additional perms for repo administrators, including the ability to dismiss PR reviews, delete PR reviews, and view draft PR reviews.
- Repo admins and site admins can comment on locked issues, and related to comments can edit or delete other user's comments and attachments.
- Repo admins can manage and view logged time on behalf of other users.
A handful of these permissions may make sense for repo-specific access tokens, but most of them clearly exceed the risk that would be expected from creating a limited scope access token. I'd generally prefer to take a restrictive approach, and we can relax it if real-world use-cases come in -- users will have a workaround of creating an access token without repo-specific restrictions if they are blocked from needed access.
**Breaking:** The administration restrictions introduced in this PR affect both repo-specific access tokens, and existing public-only access tokens.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests for Go changes
(can be removed for JavaScript changes)
- I added test coverage for Go changes...
- [x] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
- [x] `make pr-go` before pushing
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- Although repo-specific access tokens are not yet exposed to end users, the breaking changes to public-only tokens will be visible to users and require release notes.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11468
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2026-03-04 16:17:41 +01:00
|
|
|
|
|
|
|
|
- id: forgejo-api-direct-IsAdmin-check
|
|
|
|
|
patterns:
|
|
|
|
|
- pattern: |
|
|
|
|
|
ctx.Doer.IsAdmin
|
|
|
|
|
languages:
|
|
|
|
|
- go
|
|
|
|
|
message: |
|
|
|
|
|
ctx.Doer.IsAdmin does not take into account limited API access tokens. Use ctx.IsUserSiteAdmin() instead.
|
|
|
|
|
fix: |
|
|
|
|
|
ctx.IsUserSiteAdmin()
|
|
|
|
|
severity: ERROR
|
|
|
|
|
paths:
|
|
|
|
|
include:
|
|
|
|
|
- "/routers/api/**/*.go"
|
|
|
|
|
|
|
|
|
|
- id: forgejo-api-direct-repo-Admin-check
|
|
|
|
|
patterns:
|
|
|
|
|
- pattern: |
|
|
|
|
|
ctx.Repo.IsAdmin()
|
|
|
|
|
- pattern: |
|
|
|
|
|
ctx.Repo.IsOwner()
|
|
|
|
|
languages:
|
|
|
|
|
- go
|
|
|
|
|
message: |
|
|
|
|
|
ctx.Repo.IsAdmin/IsOwner() does not take into account limited API access tokens. Use ctx.IsUserRepoAdmin() instead.
|
|
|
|
|
fix: |
|
|
|
|
|
ctx.IsUserRepoAdmin()
|
|
|
|
|
severity: ERROR
|
|
|
|
|
paths:
|
|
|
|
|
include:
|
|
|
|
|
- "/routers/api/**/*.go"
|
|
|
|
|
|