rhodecode-enterprise-ce Commit - r2173:d100eea4

repo-forks: security, check for access to fork_id parameter to prevent...

marcink -

r2173:d100eea4 default

parent child

rhodecode/apps/repository/views/repo_settings_advanced.py

0 +20 -10

             from rhodecode.lib import helpers as h
             from rhodecode.lib import audit_logger
             from rhodecode.lib.auth import (
-                LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired)
+                LoginRequired, HasRepoPermissionAnyDecorator, CSRFRequired,
+                HasRepoPermissionAny)
             from rhodecode.lib.exceptions import AttachedForksError
             from rhodecode.lib.utils2 import safe_int
             from rhodecode.lib.vcs import RepositoryError
                     """
                     _ = self.request.translate
-                    new_fork_id = self.request.POST.get('id_fork_of')
+                    new_fork_id = safe_int(self.request.POST.get('id_fork_of'))
-                    try:
+                    # valid repo, re-check permissions
+                    if new_fork_id:
+                        repo = Repository.get(new_fork_id)
+                        # ensure we have at least read access to the repo we mark
+                        perm_check = HasRepoPermissionAny(
+                            'repository.read', 'repository.write', 'repository.admin')
-                        if new_fork_id and not new_fork_id.isdigit():
+                        if repo and perm_check(repo_name=repo.repo_name):
-                            log.error('Given fork id %s is not an INT', new_fork_id)
+                            new_fork_id = repo.repo_id
+                        else:
+                            new_fork_id = None
-                        fork_id = safe_int(new_fork_id)
+                    try:
                         repo = ScmModel().mark_as_fork(
-                            self.db_repo_name, fork_id, self._rhodecode_user.user_id)
+                            self.db_repo_name, new_fork_id, self._rhodecode_user.user_id)
                         fork = repo.fork.repo_name if repo.fork else _('Nothing')
                         Session().commit()
-                        h.flash(_('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
+                        h.flash(
-                                category='success')
+                            _('Marked repo %s as fork of %s') % (self.db_repo_name, fork),
+                            category='success')
                     except RepositoryError as e:
                         log.exception("Repository Error occurred")
                         h.flash(str(e), category='error')
-                    except Exception as e:
+                    except Exception:
                         log.exception("Exception while editing fork")
                         h.flash(_('An error occurred during this operation'),
                                 category='error')

rhodecode/public/js/rhodecode/routes.js

0 +1 0

                 pyroutes.register('edit_repo_strip', '/%(repo_name)s/settings/strip', ['repo_name']);
                 pyroutes.register('strip_check', '/%(repo_name)s/settings/strip_check', ['repo_name']);
                 pyroutes.register('strip_execute', '/%(repo_name)s/settings/strip_execute', ['repo_name']);
+                pyroutes.register('edit_repo_audit_logs', '/%(repo_name)s/settings/audit_logs', ['repo_name']);
                 pyroutes.register('rss_feed_home', '/%(repo_name)s/feed/rss', ['repo_name']);
                 pyroutes.register('atom_feed_home', '/%(repo_name)s/feed/atom', ['repo_name']);
                 pyroutes.register('repo_summary', '/%(repo_name)s', ['repo_name']);

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages