mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-15 10:55:17 +02:00
Addresses a batch of privately reported security issues, grouped by area: - **SSRF** - migration PR-patch/asset fetches, OAuth2 avatar & OpenID discovery, pull-mirror URL re-validation, and the outbound proxy path. - **Access-token scope** - prevent scope escalation on token creation; keep public-only tokens confined (feeds, packages, Actions listings, star/watch lists, limited/private owners). - **Access control / disclosure** - go-get default-branch leak, webhook authorization-header leak, watch clearing on private transitions, label/attachment scoping. - **Denial of service** - input bounds for npm dist-tags, Debian control files, Arch file lists, and SSH keys. ### 📌 Attention for site admins Not breaking - existing configs keep working - but two changes are worth a look: - **New SSRF protection** Outbound requests (migrations, OAuth2 avatars, OpenID discovery, pull mirrors, proxy path) are now validated against the allow/block host lists. If your instance legitimately reaches internal hosts, you may need to add them to `[security].ALLOWED_HOST_LIST` (and the relevant `ALLOW_LOCALNETWORKS` settings). - **Deprecation** `[webhook].ALLOWED_HOST_LIST` is deprecated and will be removed in a future release. Use `[security].ALLOWED_HOST_LIST` instead; the old key still works for now. --------- Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Zettat123 <zettat123@gmail.com>
149 lines
3.8 KiB
Go
149 lines
3.8 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package integration
|
|
|
|
import (
|
|
"net/http"
|
|
"testing"
|
|
|
|
auth_model "gitea.dev/models/auth"
|
|
"gitea.dev/modules/setting"
|
|
api "gitea.dev/modules/structs"
|
|
"gitea.dev/tests"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
)
|
|
|
|
// TestAPIManageEmailsFeatureDisabled ensures the email management API honors the
|
|
// manage_credentials feature restriction, matching the web UI.
|
|
func TestAPIManageEmailsFeatureDisabled(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
session := loginUser(t, "user2")
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
|
|
|
WithDisabledFeatures(t, setting.UserFeatureManageCredentials)
|
|
|
|
addReq := NewRequestWithJSON(t, "POST", "/api/v1/user/emails", &api.CreateEmailOption{
|
|
Emails: []string{"user2-3@example.com"},
|
|
}).AddTokenAuth(token)
|
|
MakeRequest(t, addReq, http.StatusNotFound)
|
|
|
|
delReq := NewRequestWithJSON(t, "DELETE", "/api/v1/user/emails", &api.DeleteEmailOption{
|
|
Emails: []string{"user2-2@example.com"},
|
|
}).AddTokenAuth(token)
|
|
MakeRequest(t, delReq, http.StatusNotFound)
|
|
}
|
|
|
|
func TestAPIListEmails(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
normalUsername := "user2"
|
|
session := loginUser(t, normalUsername)
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadUser)
|
|
|
|
req := NewRequest(t, "GET", "/api/v1/user/emails").
|
|
AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
emails := DecodeJSON(t, resp, []*api.Email{})
|
|
|
|
assert.Equal(t, []*api.Email{
|
|
{
|
|
Email: "user2@example.com",
|
|
Verified: true,
|
|
Primary: true,
|
|
},
|
|
{
|
|
Email: "user2-2@example.com",
|
|
Verified: false,
|
|
Primary: false,
|
|
},
|
|
}, emails)
|
|
}
|
|
|
|
func TestAPIAddEmail(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
normalUsername := "user2"
|
|
session := loginUser(t, normalUsername)
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
|
|
|
opts := api.CreateEmailOption{
|
|
Emails: []string{"user101@example.com"},
|
|
}
|
|
|
|
req := NewRequestWithJSON(t, "POST", "/api/v1/user/emails", &opts).
|
|
AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusUnprocessableEntity)
|
|
|
|
opts = api.CreateEmailOption{
|
|
Emails: []string{"user2-3@example.com"},
|
|
}
|
|
req = NewRequestWithJSON(t, "POST", "/api/v1/user/emails", &opts).
|
|
AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusCreated)
|
|
|
|
emails := DecodeJSON(t, resp, []*api.Email{})
|
|
assert.Equal(t, []*api.Email{
|
|
{
|
|
Email: "user2@example.com",
|
|
Verified: true,
|
|
Primary: true,
|
|
},
|
|
{
|
|
Email: "user2-2@example.com",
|
|
Verified: false,
|
|
Primary: false,
|
|
},
|
|
{
|
|
Email: "user2-3@example.com",
|
|
Verified: true,
|
|
Primary: false,
|
|
},
|
|
}, emails)
|
|
|
|
opts = api.CreateEmailOption{
|
|
Emails: []string{"notAEmail"},
|
|
}
|
|
req = NewRequestWithJSON(t, "POST", "/api/v1/user/emails", &opts).
|
|
AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusUnprocessableEntity)
|
|
}
|
|
|
|
func TestAPIDeleteEmail(t *testing.T) {
|
|
defer tests.PrepareTestEnv(t)()
|
|
|
|
normalUsername := "user2"
|
|
session := loginUser(t, normalUsername)
|
|
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteUser)
|
|
|
|
opts := api.DeleteEmailOption{
|
|
Emails: []string{"user2-3@example.com"},
|
|
}
|
|
req := NewRequestWithJSON(t, "DELETE", "/api/v1/user/emails", &opts).
|
|
AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNotFound)
|
|
|
|
opts = api.DeleteEmailOption{
|
|
Emails: []string{"user2-2@example.com"},
|
|
}
|
|
req = NewRequestWithJSON(t, "DELETE", "/api/v1/user/emails", &opts).
|
|
AddTokenAuth(token)
|
|
MakeRequest(t, req, http.StatusNoContent)
|
|
|
|
req = NewRequest(t, "GET", "/api/v1/user/emails").
|
|
AddTokenAuth(token)
|
|
resp := MakeRequest(t, req, http.StatusOK)
|
|
|
|
emails := DecodeJSON(t, resp, []*api.Email{})
|
|
assert.Equal(t, []*api.Email{
|
|
{
|
|
Email: "user2@example.com",
|
|
Verified: true,
|
|
Primary: true,
|
|
},
|
|
}, emails)
|
|
}
|