From 437aa7f4a169c12878e7b53e7fdda02c288148c5 Mon Sep 17 00:00:00 2001 From: forgejo-backport-action Date: Wed, 8 Apr 2026 17:08:17 +0200 Subject: [PATCH] [v15.0/forgejo] fix: prevent actions workflows from generating OIDC tokens if not authorized in workflow (#12038) **Backport:** https://codeberg.org/forgejo/forgejo/pulls/12030 When using Forgejo's `enable-openid-connect: true`, a URL is generated into the actions under `$ACTIONS_ID_TOKEN_REQUEST_URL` that can be used to generate a JWT for accessing third-party resources authenticated as the action executing in this server on this repo. However, the endpoint of that url (`.../idtoken`) had unintentionally missed a `return` on an internal server error, and was missing a check that the action actually had `enable-openid-connect: true` on it. As a result, it was possible to generate a JWT for accessing third-party resources from an action that wasn't expected to be generating JWTs. In terms of real-world vulnerability, the most likely risk is that the JWT could be generated from a forked pull request. By not using the `$ACTIONS_ID_TOKEN_REQUEST_URL` and instead going directly to the `.../idtoken` endpoint, and parsing a generated JWT response that will be mixed with an error response, it's possible to retrieve a JWT in a forked pull request. It would require a slight misconfiguration on a third-party system to allow that JWT access, but it's a plausible risk. As this is a feature in Forgejo 15 that hasn't been released, it will be fixed in-public. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. - Feature is not yet released. Co-authored-by: Mathieu Fenniak Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12038 Reviewed-by: Mathieu Fenniak Co-authored-by: forgejo-backport-action Co-committed-by: forgejo-backport-action --- routers/api/actions/id_token.go | 9 +++++++++ tests/integration/api_actions_id_token_test.go | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/routers/api/actions/id_token.go b/routers/api/actions/id_token.go index 5eacc77fc9..ab9b2c8d22 100644 --- a/routers/api/actions/id_token.go +++ b/routers/api/actions/id_token.go @@ -6,6 +6,7 @@ package actions import ( "fmt" "net/http" + "slices" "strings" "time" @@ -72,6 +73,7 @@ func IDTokenContexter() func(next http.Handler) http.Handler { if err != nil { log.Error("Error runner api parsing custom claims: %v", err) ctx.Error(http.StatusInternalServerError, "Error runner api parsing custom claims") + return } task, err := actions.GetTaskByID(req.Context(), authorizationTokenClaims.TaskID) @@ -99,6 +101,13 @@ func IDTokenContexter() func(next http.Handler) http.Handler { return } + generateIDTokenScp := fmt.Sprintf("generate_id_token:%d:%d", task.Job.RunID, task.Job.ID) + scp := strings.Split(authorizationTokenClaims.Scp, " ") + if !slices.Contains(scp, generateIDTokenScp) { + ctx.Error(http.StatusForbidden, "missing scp generate_id_token") + return + } + audience := req.URL.Query().Get("audience") if audience == "" { // Default to organization that owns the repo if no audience is provided diff --git a/tests/integration/api_actions_id_token_test.go b/tests/integration/api_actions_id_token_test.go index d5c7301ad1..53a0a5b269 100644 --- a/tests/integration/api_actions_id_token_test.go +++ b/tests/integration/api_actions_id_token_test.go @@ -47,6 +47,8 @@ func TestActionsIDToken(t *testing.T) { token, err := actions_service.CreateAuthorizationToken(task, gitCtx, true) require.NoError(t, err) + tokenWithoutOIDCAccess, err := actions_service.CreateAuthorizationToken(task, gitCtx, false) + require.NoError(t, err) // get JWKs information req := NewRequest(t, "GET", "/api/actions/.well-known/keys") @@ -118,6 +120,13 @@ func TestActionsIDToken(t *testing.T) { doAssertions("testingAud", claims) }) + t.Run("with token that doesn't support OIDC", func(t *testing.T) { + req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true").AddTokenAuth(tokenWithoutOIDCAccess) + resp = MakeRequest(t, req, http.StatusInternalServerError) + assert.Contains(t, resp.Body.String(), "Error runner api parsing custom claims") + assert.NotContains(t, resp.Body.String(), "value") // must not leak an actual `getTokenResponse` + }) + t.Run("with no auth header", func(t *testing.T) { req = NewRequest(t, "GET", "/api/actions/_apis/pipelines/workflows/792/idtoken?placeholder=true&audience=testingAud") resp = MakeRequest(t, req, http.StatusUnauthorized)