peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-13 06:20:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
jojo/models
History
Exact
Mathieu Fenniak fdd794abe3 [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 
Backport: https://codeberg.org/forgejo/forgejo/pulls/12292

When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12293
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:28:56 +02:00
..
actions [v15.0/forgejo] fix: allow viewing Actions run triggered by deleted user (#12272) 2026-04-26 16:00:57 +02:00
activities [v15.0/forgejo] refactor: reduce code duplication when accessing DefaultMaxInSize (#12000) 2026-04-05 22:53:13 +02:00
admin feat: cache derived keys for faster keying (#10114) 2025-11-16 14:29:14 +01:00
asymkey chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
auth [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
avatars feat(perf): remove unused size url parameter for local avatars (#10932) 2026-01-20 04:59:15 +01:00
db [v15.0/forgejo] refactor: reduce code duplication when accessing DefaultMaxInSize (#12000) 2026-04-05 22:53:13 +02:00
dbfs [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
fixtures [v15.0/forgejo] Exclude SSH certificate principals from output when viewing user's SSH keys (#12166) 2026-04-17 21:34:12 +02:00
forgefed log instrumentation & test package (#10371) 2025-12-09 15:37:50 +01:00
forgejo/semver chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
forgejo_migrations [v15.0/forgejo] feat: support timezone in scheduled workflows (#11986) 2026-04-04 19:16:35 +02:00
forgejo_migrations_legacy fix: normalize secrets consistently, display accurate help (#11052) 2026-02-09 17:02:18 +01:00
git [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
gitea_migrations [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
issues [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 2026-04-29 05:28:56 +02:00
moderation feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
organization fix: add missing deleting beans for organizations (#11699) 2026-03-17 09:11:52 +01:00
packages [v15.0/forgejo] fix: duplicate key violates unique constraint in concurrent debian package uploads (#11833) 2026-03-27 01:36:18 +01:00
perm [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
project [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
pull [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
quota chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
repo [v15.0/forgejo] fix: make /repos/search?uid=-2 return zero results, no repos with that owner (#12150) 2026-04-16 21:00:50 +02:00
secret [v15.0/forgejo] fix: secret name-prefix regex (#12216) 2026-04-21 20:52:57 +02:00
shared/types chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
system chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
unit [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
unittest [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
user [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
webhook [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
error.go fix: don't allow credentials in migrate/push mirror URL 2025-08-30 08:07:23 +02:00
main_test.go chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
org.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
org_team.go chore: split AddRepository and AddTeamMember to return the inserted value (#11342) 2026-03-11 03:40:32 +01:00
org_team_test.go chore: split AddRepository and AddTeamMember to return the inserted value (#11342) 2026-03-11 03:40:32 +01:00
org_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo.go fix: possible cause of invalid issue counts; cache invalidation occurs before a active transaction is committed (#10130) 2025-11-17 01:07:29 +01:00
repo_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo_transfer.go chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
repo_transfer_test.go chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00