jojo/models
Mathieu Fenniak 733a390ecd fix: verify PR author has write access to head to support allow maintainers edit (#12292)
When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12292
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:26:22 +02:00
actions fix: allow viewing Actions run triggered by deleted user (#12271) 2026-04-26 15:13:32 +02:00
activities feat: Follow remote users; feed tab (#10380) 2026-04-12 03:31:03 +02:00
admin feat: cache derived keys for faster keying (#10114) 2025-11-16 14:29:14 +01:00
asymkey chore: flag suspicious OwnerID comparisons (#12184) 2026-04-19 04:24:09 +02:00
auth feat: add CLI command 'admin user create-authorized-integration' (#12299) 2026-04-28 21:32:45 +02:00
avatars feat(perf): remove unused size url parameter for local avatars (#10932) 2026-01-20 04:59:15 +01:00
db refactor: reduce code duplication when accessing DefaultMaxInSize (#11999) 2026-04-05 22:03:45 +02:00
dbfs chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
fixtures Exclude SSH certificate principals from output when viewing user's SSH keys (#12079) 2026-04-17 17:17:29 +02:00
forgefed chore(federation): re-enable nilnil lint (#11253) 2026-04-13 22:05:29 +02:00
forgejo/semver chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
forgejo_migrations feat: authorized integrations DB models and authentication implementation (#12261) 2026-04-26 20:52:42 +02:00
forgejo_migrations_legacy fix: normalize secrets consistently, display accurate help (#11052) 2026-02-09 17:02:18 +01:00
git chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
gitea_migrations chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
issues fix: verify PR author has write access to head to support allow maintainers edit (#12292) 2026-04-29 05:26:22 +02:00
moderation feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
organization fix: add missing deleting beans for organizations (#11699) 2026-03-17 09:11:52 +01:00
packages fix: duplicate key violates unique constraint in concurrent debian package uploads (#11776) 2026-03-26 21:50:25 +01:00
perm chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
project chore: flag suspicious OwnerID comparisons (#12184) 2026-04-19 04:24:09 +02:00
pull chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
quota chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
repo chore: flag suspicious OwnerID comparisons (#12184) 2026-04-19 04:24:09 +02:00
secret fix: secret name-prefix regex (#12213) 2026-04-21 19:55:16 +02:00
shared/types chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
system chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
unit chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
unittest feat: replace repo based server-side hooks with centralised hooks (#10397) 2026-04-27 22:34:46 +02:00
user chore(federation): re-enable nilnil lint (#11253) 2026-04-13 22:05:29 +02:00
webhook chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
error.go fix: don't allow credentials in migrate/push mirror URL 2025-08-30 08:07:23 +02:00
main_test.go chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
org.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
org_team.go chore: split AddRepository and AddTeamMember to return the inserted value (#11342) 2026-03-11 03:40:32 +01:00
org_team_test.go chore: split AddRepository and AddTeamMember to return the inserted value (#11342) 2026-03-11 03:40:32 +01:00
org_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo.go fix: possible cause of invalid issue counts; cache invalidation occurs before an active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
repo_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo_transfer.go chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
repo_transfer_test.go chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00