forgejo/tests/integration/git_push_test.go

// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package integration

import (
	"net/url"
	"testing"

	"code.gitea.io/gitea/models/db"
	repo_model "code.gitea.io/gitea/models/repo"
	"code.gitea.io/gitea/models/unittest"
	user_model "code.gitea.io/gitea/models/user"
	repo_module "code.gitea.io/gitea/modules/repository"
	repo_service "code.gitea.io/gitea/services/repository"

	"github.com/stretchr/testify/require"
)

func TestOptionsGitPush(t *testing.T) {
	onGiteaRun(t, testOptionsGitPush)
}

func testOptionsGitPush(t *testing.T, u *url.URL) {
	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
	repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
		Name:          "repo-to-push",
		Description:   "test git push",
		AutoInit:      false,
		DefaultBranch: "main",
		IsPrivate:     false,
	})
	require.NoError(t, err)
	require.NotEmpty(t, repo)

	gitPath := t.TempDir()

	doGitInitTestRepository(gitPath)(t)

	u.Path = repo.FullName() + ".git"
	u.User = url.UserPassword(user.LowerName, userPassword)
	doGitAddRemote(gitPath, "origin", u)(t)

	{
		// owner sets private & template to true via push options
		branchName := "branch1"
		doGitCreateBranch(gitPath, branchName)(t)
		doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
		repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
		require.NoError(t, err)
		require.True(t, repo.IsPrivate)
		require.True(t, repo.IsTemplate)
	}

	{
		// owner sets private & template to false via push options
		branchName := "branch2"
		doGitCreateBranch(gitPath, branchName)(t)
		doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t)
		repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
		require.NoError(t, err)
		require.False(t, repo.IsPrivate)
		require.False(t, repo.IsTemplate)
	}

	{
		// create a collaborator with write access
		collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
		u.User = url.UserPassword(collaborator.LowerName, userPassword)
		doGitAddRemote(gitPath, "collaborator", u)(t)
		repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
		require.NoError(t, err)
		repo_module.AddCollaborator(db.DefaultContext, repo, collaborator)
	}

	{
		// collaborator with write access is allowed to push
		branchName := "branch3"
		doGitCreateBranch(gitPath, branchName)(t)
		doGitPushTestRepository(gitPath, "collaborator", branchName)(t)
	}

	{
		// collaborator with write access fails to change private & template via push options
		branchName := "branch4"
		doGitCreateBranch(gitPath, branchName)(t)
		doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
		repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
		require.NoError(t, err)
		require.False(t, repo.IsPrivate)
		require.False(t, repo.IsTemplate)
	}

	require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, user.ID, repo.ID))
}
Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go 2024-04-10 06:12:19 +00:00			`// Copyright 2024 The Gitea Authors. All rights reserved.`
			`// SPDX-License-Identifier: MIT`

			`package integration`

			`import (`
			`"net/url"`
			`"testing"`

			`"code.gitea.io/gitea/models/db"`
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> 2024-04-15 08:07:45 +00:00			`repo_model "code.gitea.io/gitea/models/repo"`
Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go 2024-04-10 06:12:19 +00:00			`"code.gitea.io/gitea/models/unittest"`
			`user_model "code.gitea.io/gitea/models/user"`
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> 2024-04-15 08:07:45 +00:00			`repo_module "code.gitea.io/gitea/modules/repository"`
Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go 2024-04-10 06:12:19 +00:00			`repo_service "code.gitea.io/gitea/services/repository"`

			`"github.com/stretchr/testify/require"`
			`)`

hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> 2024-04-15 08:07:45 +00:00			`func TestOptionsGitPush(t *testing.T) {`
			`onGiteaRun(t, testOptionsGitPush)`
Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go 2024-04-10 06:12:19 +00:00			`}`

hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> 2024-04-15 08:07:45 +00:00			`func testOptionsGitPush(t testing.T, u url.URL) {`
Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go 2024-04-10 06:12:19 +00:00			`user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})`
			`repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{`
			`Name: "repo-to-push",`
			`Description: "test git push",`
			`AutoInit: false,`
			`DefaultBranch: "main",`
			`IsPrivate: false,`
			`})`
			`require.NoError(t, err)`
			`require.NotEmpty(t, repo)`

			`gitPath := t.TempDir()`

			`doGitInitTestRepository(gitPath)(t)`

			`u.Path = repo.FullName() + ".git"`
			`u.User = url.UserPassword(user.LowerName, userPassword)`
			`doGitAddRemote(gitPath, "origin", u)(t)`

hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> 2024-04-15 08:07:45 +00:00			`{`
			`// owner sets private & template to true via push options`
			`branchName := "branch1"`
			`doGitCreateBranch(gitPath, branchName)(t)`
			`doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)`
			`repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")`
			`require.NoError(t, err)`
			`require.True(t, repo.IsPrivate)`
			`require.True(t, repo.IsTemplate)`
			`}`

			`{`
			`// owner sets private & template to false via push options`
			`branchName := "branch2"`
			`doGitCreateBranch(gitPath, branchName)(t)`
			`doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t)`
			`repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")`
			`require.NoError(t, err)`
			`require.False(t, repo.IsPrivate)`
			`require.False(t, repo.IsTemplate)`
			`}`

			`{`
			`// create a collaborator with write access`
			`collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})`
			`u.User = url.UserPassword(collaborator.LowerName, userPassword)`
			`doGitAddRemote(gitPath, "collaborator", u)(t)`
			`repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")`
			`require.NoError(t, err)`
			`repo_module.AddCollaborator(db.DefaultContext, repo, collaborator)`
			`}`

			`{`
			`// collaborator with write access is allowed to push`
			`branchName := "branch3"`
			`doGitCreateBranch(gitPath, branchName)(t)`
			`doGitPushTestRepository(gitPath, "collaborator", branchName)(t)`
			`}`
Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go 2024-04-10 06:12:19 +00:00
hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu> 2024-04-15 08:07:45 +00:00			`{`
			`// collaborator with write access fails to change private & template via push options`
			`branchName := "branch4"`
			`doGitCreateBranch(gitPath, branchName)(t)`
			`doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)`
			`repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")`
			`require.NoError(t, err)`
			`require.False(t, repo.IsPrivate)`
			`require.False(t, repo.IsTemplate)`
			`}`
Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go 2024-04-10 06:12:19 +00:00
			`require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, user.ID, repo.ID))`
			`}`