peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/services
History
Mathieu Fenniak fdd794abe3 [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 
Backport: https://codeberg.org/forgejo/forgejo/pulls/12292

When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12293
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:28:56 +02:00
..
actions [v15.0/forgejo] fix: resolve outer workflow call to success, not failure, on inner job skip (#12229) 2026-04-22 20:40:54 +02:00
agit chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
asymkey chore: do not clobber ~/.ssh/authorized_keys in certain tests (#10163) 2025-11-19 16:14:16 +01:00
attachment fix: check that attachments belong to correct resource 2026-03-06 11:21:07 -07:00
auth [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
authz feat: read, create, & delete repo-specific access tokens via API (#11504) 2026-03-07 21:55:08 +01:00
automerge chore: add integration testing 2026-03-06 11:21:07 -07:00
context [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
contexttest feat: add more filters to actions run and tasks api (#11584) 2026-03-10 01:20:00 +01:00
convert [v15.0/forgejo] perf: bulk load resolvers & reactions on pull request comments (#11995) 2026-04-05 17:30:39 +02:00
cron [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
doctor [v15.0/forgejo] fix(doctor): remove broken mergebase check (#12040) 2026-04-08 21:09:40 +02:00
externalaccount chore(cleanup): replaces unnecessary calls to formatting functions by non-formatting equivalents (#7994) 2025-05-29 17:34:29 +02:00
f3 chore: update gof3/v3 v3.11.15 (#10673) 2026-01-13 16:59:56 +01:00
federation feat(activitypub): use structure @PreferredUsername@host.tld:port for actors (#9254) 2026-01-30 23:45:11 +01:00
feed chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
forgejo chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
forms [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
gitdiff [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
indexer fix(issue-search): delete issue from indexer on DeleteIssue (#11585) 2026-03-09 18:51:18 +01:00
issue [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
lfs [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
mailer [v15.0/forgejo] i18n(mailer): Fix special usage of .Locale in admin_new_user (#12112) 2026-04-14 07:22:44 +02:00
markup chore: remove branding from context imports (#9628) 2025-10-11 01:52:51 +02:00
migrations [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
mirror [v15.0/forgejo] fix: store pull mirror creds encrypted with keying (#11984) 2026-04-04 14:47:05 +02:00
moderation chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
notify fix(issue-search): delete issue from indexer on DeleteIssue (#11585) 2026-03-09 18:51:18 +01:00
org fix: add missing deleting beans for organizations (#11699) 2026-03-17 09:11:52 +01:00
packages [v15.0/forgejo] test: fix intermittent test failure in TestPackageDebianConcurrent (#11998) 2026-04-06 03:39:53 +02:00
pull [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 2026-04-29 05:28:56 +02:00
redirect chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
release fix: don't trip deleting attachment with missing permission error (#11642) 2026-03-12 20:29:10 +01:00
remote chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
repository [v15.0/forgejo] fix(ui): allow creating files with name starting with dash (#12215) 2026-04-21 20:34:37 +02:00
secrets feat: allow renaming and replacing secrets (#11732) 2026-03-23 03:30:02 +01:00
shared/automerge fix: suppress false-positive error log when PR is already in the automerge queue (#9784) 2025-10-21 08:19:33 +02:00
stats chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
task ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
uinotification chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
user refactor: replace ActionRunnerToken.OwnerID & RepoID with optional.Option[int64] (#11601) 2026-03-10 03:19:16 +01:00
webhook [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
wiki [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00