Backport: https://codeberg.org/forgejo/forgejo/pulls/12292 When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch. Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12294 Reviewed-by: 0ko <0ko@noreply.codeberg.org>
// Copyright 2026 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: GPL-3.0-or-later
package integration
import (
"fmt"
"testing"
actions_model "forgejo.org/models/actions"
"forgejo.org/models/db"
"forgejo.org/tests"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// These are basically unit tests, but by running them in the integration test suite they are tested against all
// supported database types.
// TestDatabaseDefaultMaxInSize seeds more action variables than
// db.DefaultMaxInSize and then looks them all up by ID through db.GetByIDs,
// checking that every seeded row comes back.
func TestDatabaseDefaultMaxInSize(t *testing.T) {
	defer tests.PrepareTestEnv(t)()

	// Seed twice the limit so the ID list handed to GetByIDs is guaranteed to
	// exceed db.DefaultMaxInSize.
	wanted := db.DefaultMaxInSize * 2
	for i := 0; i < wanted; i++ {
		name := fmt.Sprintf("VAR_%d", i)
		value := fmt.Sprintf("Value %d", i)
		_, err := actions_model.InsertVariable(t.Context(), 2, 2, name, value)
		require.NoError(t, err)
	}

	t.Run("GetByIDs", func(t *testing.T) {
		defer tests.PrintCurrentTest(t)()

		// Read every stored variable back directly and collect its primary key.
		stored := make([]*actions_model.ActionVariable, 0, wanted)
		require.NoError(t, db.GetEngine(t.Context()).Find(&stored))

		ids := make([]int64, 0, len(stored))
		for _, v := range stored {
			ids = append(ids, v.ID)
		}

		// The ID-based lookup must return exactly as many rows as were found
		// by the plain Find above.
		fetched, err := db.GetByIDs(t.Context(), "id", ids, &actions_model.ActionVariable{})
		require.NoError(t, err)
		assert.Len(t, fetched, len(stored))
	})
}