peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-17 00:06:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9
jojo/models/issues
History
Exact
Mathieu Fenniak 3653b34ec7 [v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294) 
Backport: https://codeberg.org/forgejo/forgejo/pulls/12292

When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12294
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:29:23 +02:00
..
TestGetUIDsAndStopwatch feat: add foreign keys to stopwatch & tracked_time tables (#9373) 2025-10-01 00:31:38 +02:00
action_aggregator.go feat(ui): add links to review request targets in issue comments (#8239) 2025-07-23 04:45:58 +02:00
action_aggregator_test.go feat(ui): add links to review request targets in issue comments (#8239) 2025-07-23 04:45:58 +02:00
assignees.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
assignees_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
comment.go fix: check that attachments belong to correct resource 2026-03-06 11:20:40 -07:00
comment_code.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
comment_list.go fix: load OldMilestone based on OldMilestoneID, not MilestoneID (#8330) 2025-06-29 12:08:03 +02:00
comment_list_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
comment_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
content_history.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
content_history_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
dependency.go refactor: migrate from lib/pq to jackc/pgx (#10219) 2025-11-30 17:47:45 +01:00
dependency_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue.go chore: fix typo (#10188) 2025-11-21 12:36:28 +01:00
issue_index.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_index_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_label.go fix: possible cause of invalid issue counts; cache invalidation occurs before a active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
issue_label_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_list.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_list_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
issue_lock.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_project.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_project_test.go chore: merge tests.AddFixtures and unittest.OverrideFixtures (#7648) 2025-04-25 09:14:33 +00:00
issue_search.go fix: do not display the title of unsubscribed issues or pull requests in the notification web page (#9362) 2025-09-19 22:32:06 +02:00
issue_stats.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_stats_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_test.go fix: Allow SHA-256 in PR commit URLs (#10309) 2025-12-16 00:45:00 +01:00
issue_update.go fix: check that attachments belong to correct resource 2026-03-06 11:20:40 -07:00
issue_user.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_user_test.go refactor: migrate from lib/pq to jackc/pgx (#10219) 2025-11-30 17:47:45 +01:00
issue_watch.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_watch_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_xref.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
issue_xref_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
label.go fix: possible cause of invalid issue counts; cache invalidation occurs before a active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
label_internal_test.go fix: reduce deadlocks merging PRs w/ async milestone stat recalcs (#9916) 2025-10-31 15:53:45 +01:00
label_test.go fix: reduce deadlocks merging PRs w/ async label stat recalcs (#9868) 2025-10-31 02:12:36 +01:00
main_test.go [v14.0/forgejo] chore(cleanup): move all test blank imports in a single package (#10672) 2026-01-05 12:14:11 +01:00
milestone.go fix: possible cause of invalid issue counts; cache invalidation occurs before a active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
milestone_internal_test.go fix: reduce deadlocks merging PRs w/ async milestone stat recalcs (#9916) 2025-10-31 15:53:45 +01:00
milestone_list.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
milestone_test.go refactor: migrate from lib/pq to jackc/pgx (#10219) 2025-11-30 17:47:45 +01:00
moderation.go feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
moderation_test.go feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
pull.go feat: show link to pull requests targeting a non-default branch when pushing (#10079) 2025-11-19 14:59:13 +01:00
pull_list.go [v14.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12294) 2026-04-29 05:29:23 +02:00
pull_test.go feat: show link to pull requests targeting a non-default branch when pushing (#10079) 2025-11-19 14:59:13 +01:00
reaction.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
reaction_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
review.go fix: PR not blocked by review request for a whitelisted team (#8511) 2025-07-15 23:21:42 +02:00
review_list.go chore: ensure consistent import aliasing for services and models (#10253) 2025-11-30 17:00:57 +01:00
review_test.go chore: ensure consistent import aliasing for services and models (#10253) 2025-11-30 17:00:57 +01:00
stopwatch.go feat: add foreign keys to stopwatch & tracked_time tables (#9373) 2025-10-01 00:31:38 +02:00
stopwatch_test.go chore: merge tests.AddFixtures and unittest.OverrideFixtures (#7648) 2025-04-25 09:14:33 +00:00
tracked_time.go [v14.0/forgejo] fix: ListTrackedTimes API has no defined record ordering (#10593) 2025-12-26 23:01:50 +01:00
tracked_time_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00