jojo/.semgrep/tests/auth.go

// Copyright 2016 The Gogs Authors. All rights reserved.
// Copyright 2020 The Gitea Authors.
// SPDX-License-Identifier: MIT

package repo

import (
	"net/http"

	"forgejo.org/models/db"
	access_model "forgejo.org/models/perm/access"
	repo_model "forgejo.org/models/repo"
	api "forgejo.org/modules/structs"
	"forgejo.org/routers/api/v1/utils"
	"forgejo.org/services/context"
	"forgejo.org/services/convert"
)

// ListForks list a repository's forks
func ListForks(ctx *context.APIContext) {
	forks, total, err := repo_model.GetForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))
	if err != nil {
		ctx.Error(http.StatusInternalServerError, "GetForks", err)
		return
	}
	apiForks := make([]*api.Repository, len(forks))
	for i, fork := range forks {
		// ruleid:forgejo-api-use-resource-GetUserRepoPermission
		permission, err := access_model.GetUserRepoPermission(ctx, fork, ctx.Doer)
		// ok:forgejo-api-use-resource-GetUserRepoPermission
		permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)
		if err != nil {
			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)
			return
		}
		apiForks[i] = convert.ToRepo(ctx, fork, permission)
	}
}

// getStarredRepos returns the repos that the user with the specified userID has
// starred
func getStarredRepos(ctx std_context.Context, user *user_model.User, private bool, listOptions db.ListOptions) ([]*api.Repository, error) {
	starredRepos, err := repo_model.GetStarredRepos(ctx, user.ID, private, listOptions)
	if err != nil {
		return nil, err
	}

	repos := make([]*api.Repository, len(starredRepos))
	for i, starred := range starredRepos {
		// ruleid:forgejo-api-suspicious-GetUserRepoPermission
		permission, err := access_model.GetUserRepoPermission(ctx, starred, user)
		if err != nil {
			return nil, err
		}
		repos[i] = convert.ToRepo(ctx, starred, permission)
	}
	return repos, nil
}
ci: add `semgrep` detection for API code ignoring repo-specific access tokens (#11476) This PR is part of a series (#11311). Prevents the usage of three internal APIs in the web API code: - `repo_model.SearchRepoOptions{}` without an `AuthorizationReducer` - `organization.SearchTeamRepoOptions{}` without an `AuthorizationReducer` - `access_model.GetUserRepoPermission()`, which doesn't take an `AuthorizationReducer` -- use `GetUserRepoPermissionWithReducer` instead. A couple lingering usages are marked with `// nosemgrep: ...` as they have been inspected and considered correct as-is. The `GetUserRepoPermission` is tested via the `.semgrep/tests` files; the other rules have been tested manually. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11476 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net> 2026-03-03 17:55:35 +01:00			`// Copyright 2016 The Gogs Authors. All rights reserved.`
			`// Copyright 2020 The Gitea Authors.`
			`// SPDX-License-Identifier: MIT`

			`package repo`

			`import (`
			`"net/http"`

			`"forgejo.org/models/db"`
			`access_model "forgejo.org/models/perm/access"`
			`repo_model "forgejo.org/models/repo"`
			`api "forgejo.org/modules/structs"`
			`"forgejo.org/routers/api/v1/utils"`
			`"forgejo.org/services/context"`
			`"forgejo.org/services/convert"`
			`)`

			`// ListForks list a repository's forks`
			`func ListForks(ctx *context.APIContext) {`
			`forks, total, err := repo_model.GetForks(ctx, ctx.Repo.Repository, ctx.Doer, utils.GetListOptions(ctx))`
			`if err != nil {`
			`ctx.Error(http.StatusInternalServerError, "GetForks", err)`
			`return`
			`}`
			`apiForks := make([]*api.Repository, len(forks))`
			`for i, fork := range forks {`
			`// ruleid:forgejo-api-use-resource-GetUserRepoPermission`
			`permission, err := access_model.GetUserRepoPermission(ctx, fork, ctx.Doer)`
			`// ok:forgejo-api-use-resource-GetUserRepoPermission`
			`permission, err := access_model.GetUserRepoPermissionWithReducer(ctx, fork, ctx.Doer, ctx.Reducer)`
			`if err != nil {`
			`ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err)`
			`return`
			`}`
			`apiForks[i] = convert.ToRepo(ctx, fork, permission)`
			`}`
			`}`

			`// getStarredRepos returns the repos that the user with the specified userID has`
			`// starred`
			`func getStarredRepos(ctx std_context.Context, user user_model.User, private bool, listOptions db.ListOptions) ([]api.Repository, error) {`
			`starredRepos, err := repo_model.GetStarredRepos(ctx, user.ID, private, listOptions)`
			`if err != nil {`
			`return nil, err`
			`}`

			`repos := make([]*api.Repository, len(starredRepos))`
			`for i, starred := range starredRepos {`
			`// ruleid:forgejo-api-suspicious-GetUserRepoPermission`
			`permission, err := access_model.GetUserRepoPermission(ctx, starred, user)`
			`if err != nil {`
			`return nil, err`
			`}`
			`repos[i] = convert.ToRepo(ctx, starred, permission)`
			`}`
			`return repos, nil`
			`}`