Описание
Gogs user can update repository content with read-only permission
Vulnerability Description
The endpoint
PUT /repos/:owner/:repo/contents/*
does not require write permissions and allows access with read permission only via repoAssignment().
After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in:
- Commit creation
- Execution of
git push
As a result, a token with read-only permission can be used to modify repository contents.
Attack Prerequisites
- Possession of a valid access token
- Read permission on the target repository (public repository or collaborator with read access)
Attack Scenario
- The attacker accesses the target repository with a read-only token
- The attacker sends a
PUT /contentsrequest to update an arbitrary file - The server creates a commit and performs a git push on behalf of the attacker
Potential Impact
- Source code tampering
- Injection of backdoors
- Compromise of release artifacts and distributed packages
Пакеты
gogs.io/gogs
<= 0.13.3
0.13.4
Связанные уязвимости
Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint "PUT /repos/:owner/:repo/contents/*" does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev.