jojo/services
Mathieu Fenniak 3653b34ec7 [v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294)
Backport: https://codeberg.org/forgejo/forgejo/pulls/12292

When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents. It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch. Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability. By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository. The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12294
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:29:23 +02:00
actions [v14.0/forgejo] fix: when expanding a dynamic matrix, original 'needs' access was lost (#11166) 2026-02-15 23:55:05 +01:00
agit fix: correctly mark reviews as stale for AGit PRs (#8450) 2025-07-09 07:38:00 +02:00
asymkey chore: do not clobber ~/.ssh/authorized_keys in certain tests (#10163) 2025-11-19 16:14:16 +01:00
attachment fix: check that attachments belong to correct resource 2026-03-06 11:20:40 -07:00
auth [v14.0/forgejo] fix: portable error reporting (#11317) 2026-04-02 03:45:55 +02:00
automerge chore: add integration testing 2026-03-06 11:20:40 -07:00
context fix: don't use attachment size as max memory for ParseMultipart 2026-01-06 10:33:22 -07:00
contexttest Replace the 'relative-time' element scripting with custom, translatable rewrite (#6154) 2025-05-03 14:11:01 +00:00
convert fix: hide user profile anonymous options on public repo APIs 2026-01-06 10:33:22 -07:00
cron fix: garbage collect lingering actions logs (#10009) 2025-11-18 18:59:01 +01:00
doctor feat: ensure only expected ssh public keys are in authorized_keys file (#10010) 2025-11-09 01:06:04 +01:00
externalaccount chore(cleanup): replaces unnecessary calls to formatting functions by non-formatting equivalents (#7994) 2025-05-29 17:34:29 +02:00
f3 chore: ensure consistent import aliasing for services and models (#10253) 2025-11-30 17:00:57 +01:00
federation fix(user): set ActivityPub users to ProhibitLogin (#10434) 2025-12-17 15:38:32 +01:00
feed fix: load reviewer for pull review dismiss action notifier 2026-01-06 10:33:22 -07:00
forgejo [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
forms [v14.0/forgejo] fix: skip repo avatar upload when no file is selected (#11555) 2026-03-07 22:39:20 +01:00
gitdiff [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
indexer [v14.0/forgejo] fix(issue-search): delete issue from indexer on DeleteIssue (#11596) 2026-03-09 22:50:04 +01:00
issue [v14.0/forgejo] fix(issue-search): delete issue from indexer on DeleteIssue (#11596) 2026-03-09 22:50:04 +01:00
lfs fix: return on error if an LFS token cannot be parsed 2025-10-25 10:41:49 -06:00
mailer chore: add unit test 2026-03-08 20:07:29 -06:00
markup chore: remove branding from context imports (#9628) 2025-10-11 01:52:51 +02:00
migrations [v14.0/forgejo] fix: prevent panic on gitlab import (releases/issues) (#11484) 2026-03-05 03:03:15 +01:00
mirror fix: don't push LFS when using SSH authentication (#10475) 2025-12-18 23:23:07 +01:00
moderation [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
notify [v14.0/forgejo] fix(issue-search): delete issue from indexer on DeleteIssue (#11596) 2026-03-09 22:50:04 +01:00
org chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
packages [v14.0/forgejo] fix: cleanup of multi-platform container images (#11254) 2026-02-23 18:49:26 +01:00
pull [v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294) 2026-04-29 05:29:23 +02:00
redirect [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
release [v14.0/forgejo] fix: don't trip deleting attachment with missing permission error (#11658) 2026-03-12 21:21:02 +01:00
remote chore: tune down remote user promotion debug message shown as error (#7687) 2025-04-27 20:50:48 +00:00
repository [v14.0/forgejo] fix: remove template file from generated repo (#11722) 2026-03-18 21:11:52 +01:00
secrets feat: migrate action secrets to keying to store them more securely (#8692) 2025-07-29 01:03:36 +02:00
shared/automerge fix: suppress false-positive error log when PR is already in the automerge queue (#9784) 2025-10-21 08:19:33 +02:00
stats fix: possible cause of invalid issue counts; cache invalidation occurs before an active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
task feat: cache derived keys for faster keying (#10114) 2025-11-16 14:29:14 +01:00
uinotification chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
user [v14.0/forgejo] fix: decrease watch count when blocking user (#11060) 2026-01-27 13:57:57 +01:00
webhook [v14.0/forgejo] fix: webhook/discord: omit empty embeds.footer from the payload for Spacebar compatibility (#11613) 2026-03-10 18:14:24 +01:00
wiki [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00