From 1b226ca48dc8b3e95cc1c41229d72819c960a1b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?=
Date: Thu, 29 Jan 2026 20:56:09 -0500
Subject: [PATCH] repo: improve authz for resources (#8119)

https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7
---
 internal/route/api/v1/repo/issue_comment.go | 22 +++++++++++++++++++++
 internal/route/api/v1/repo/key.go | 18 ++++++++++++++++-
 internal/route/repo/issue.go | 22 +++++++++++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/internal/route/api/v1/repo/issue_comment.go b/internal/route/api/v1/repo/issue_comment.go
index cf2cabb27..252dd173a 100644
--- a/internal/route/api/v1/repo/issue_comment.go
+++ b/internal/route/api/v1/repo/issue_comment.go
@@ -88,6 +88,17 @@ func EditIssueComment(c *context.APIContext, form api.EditIssueCommentOption) {
 return
 }
 
+ issue, err := database.GetIssueByID(comment.IssueID)
+ if err != nil {
+ c.NotFoundOrError(err, "get issue by ID")
+ return
+ }
+
+ if issue.RepoID != c.Repo.Repository.ID {
+ c.NotFound()
+ return
+ }
+
 if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
 c.Status(http.StatusForbidden)
 return
@@ -112,6 +123,17 @@ func DeleteIssueComment(c *context.APIContext) {
 return
 }
 
+ issue, err := database.GetIssueByID(comment.IssueID)
+ if err != nil {
+ c.NotFoundOrError(err, "get issue by ID")
+ return
+ }
+
+ if issue.RepoID != c.Repo.Repository.ID {
+ c.NotFound()
+ return
+ }
+
 if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
 c.Status(http.StatusForbidden)
 return
diff --git a/internal/route/api/v1/repo/key.go b/internal/route/api/v1/repo/key.go
index 0b1287ce5..21b3dcbf1 100644
--- a/internal/route/api/v1/repo/key.go
+++ b/internal/route/api/v1/repo/key.go
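Review bot: The issue lookup and `issue.RepoID != c.Repo.Repository.ID` guard added to EditIssueComment is the same eleven-line block that the DeleteIssueComment hunk below and the UpdateCommentContent and DeleteComment hunks in internal/route/repo/issue.go add verbatim. Four copies of an authorization check are easy to let drift apart, and a future comment handler has nothing forcing it to include the block; consider hoisting it into one shared helper that resolves a comment ID to a comment whose issue is confirmed to belong to the current repository and reports not-found otherwise, so each handler makes a single call. Whichever form stays, a why-comment above the lookup would keep the intent visible, e.g. `// The comment ID comes from the URL; confirm its issue belongs to this repository before applying repo-scoped authorization (GHSA-jj5m-h57j-5gv7).`. EditIssueComment's body begins and ends outside the hunk.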
@@ -45,6 +45,11 @@ func GetDeployKey(c *context.APIContext) {
 return
 }
 
+ if key.RepoID != c.Repo.Repository.ID {
+ c.NotFound()
+ return
+ }
+
 if err = key.GetContent(); err != nil {
 c.Error(err, "get content")
 return
@@ -94,7 +99,18 @@ func CreateDeployKey(c *context.APIContext, form api.CreateKeyOption) {
 
 // https://github.com/gogs/go-gogs-client/wiki/Repositories-Deploy-Keys#remove-a-deploy-key
 func DeleteDeploykey(c *context.APIContext) {
- if err := database.DeleteDeployKey(c.User, c.ParamsInt64(":id")); err != nil {
+ key, err := database.GetDeployKeyByID(c.ParamsInt64(":id"))
+ if err != nil {
+ c.NotFoundOrError(err, "get deploy key by ID")
+ return
+ }
+
+ if key.RepoID != c.Repo.Repository.ID {
+ c.NotFound()
+ return
+ }
+
+ if err := database.DeleteDeployKey(c.User, key.ID); err != nil {
 if database.IsErrKeyAccessDenied(err) {
 c.ErrorStatus(http.StatusForbidden, errors.New("You do not have access to this key"))
 } else {
diff --git a/internal/route/repo/issue.go b/internal/route/repo/issue.go
index 724c5778c..f8c19ff7c 100644
--- a/internal/route/repo/issue.go
+++ b/internal/route/repo/issue.go
@@ -926,6 +926,17 @@ func UpdateCommentContent(c *context.Context) {
 return
 }
 
+ issue, err := database.GetIssueByID(comment.IssueID)
+ if err != nil {
+ c.NotFoundOrError(err, "get issue by ID")
+ return
+ }
+
+ if issue.RepoID != c.Repo.Repository.ID {
+ c.NotFound()
+ return
+ }
+
 if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
 c.NotFound()
 return
@@ -959,6 +970,17 @@ func DeleteComment(c *context.Context) {
 return
 }
 
+ issue, err := database.GetIssueByID(comment.IssueID)
+ if err != nil {
+ c.NotFoundOrError(err, "get issue by ID")
+ return
+ }
+
+ if issue.RepoID != c.Repo.Repository.ID {
+ c.NotFound()
+ return
+ }
+
 if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
 c.NotFound()
 return
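Review bot: The new `key.RepoID != c.Repo.Repository.ID` guard in GetDeployKey carries no explanation of why a key fetched by ID needs a repository check, and the same silent pattern is repeated in DeleteDeploykey below; a one-line why-comment above the `if` would document the contract for the next maintainer, e.g. `// Deploy keys are looked up by a global ID; refuse keys that belong to a different repository.`. Responding with `c.NotFound()` rather than a forbidden status is consistent with the issue-comment handlers in this patch and does not reveal whether the ID exists elsewhere, which seems to be the intent. GetDeployKey's body begins and ends outside the hunk.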
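Review bot: The rewritten delete call `if err := database.DeleteDeployKey(c.User, key.ID); err != nil {` shadows the `err` declared by `key, err := database.GetDeployKeyByID(...)` a few lines above, whereas GetDeployKey in the same file writes `if err = key.GetContent(); err != nil` against its outer err; `if err = database.DeleteDeployKey(c.User, key.ID); err != nil {` keeps the file consistent and avoids a shadowed variable that linters flag. The existing `IsErrKeyAccessDenied` branch is kept, so the new repository check appears to layer on top of an access check inside `DeleteDeployKey` rather than replace it; a comment stating that both are intentional would prevent a later cleanup from dropping one, e.g. `// Repository scoping is enforced here; DeleteDeployKey is expected to still check the user's access to the key.`. DeleteDeploykey's body continues past the end of the hunk.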