[v15.0/forgejo] fix: ensure migrations allow/deny host lists are applied to onedev, pagure, and codebase migrators (#13220)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/13184

Similar to #13129, fixing a few places where `[migrations].ALLOWED_DOMAINS`, `...BLOCKED_DOMAINS`, and `...ALLOW_LOCALNETWORKS` are not implemented in external migrations, creating SSRF risks.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. All work and communication must conform to Forgejo's [AI Agreement](https://codeberg.org/forgejo/governance/src/branch/main/AIAgreement.md). There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13220
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
This commit is contained in:
forgejo-backport-action 2026-06-27 22:51:05 +02:00 committed by Mathieu Fenniak
commit 0a4df7ddaa
11 changed files with 116 additions and 36 deletions

View file

@ -39,7 +39,21 @@ func IsNormalPageCompleted(s string) bool {
func MockVariableValue[T any](p *T, v T) (reset func()) {
old := *p
*p = v
return func() { *p = old }
return func() {
*p = old
}
}
// Set the value *p to v, and return a closure that resets it when invoked. On
// set and reset the `afterChange` closure will be invoked.
func MockVariableValueWithReset[T any](p *T, v T, afterChange func()) (reset func()) {
old := *p
*p = v
afterChange()
return func() {
*p = old
afterChange()
}
}
// use for global variables only

View file

@ -15,8 +15,8 @@ import (
"forgejo.org/modules/log"
base "forgejo.org/modules/migration"
"forgejo.org/modules/proxy"
"forgejo.org/modules/structs"
"forgejo.org/services/migrations/allowlist"
)
var (
@ -75,6 +75,8 @@ type CodebaseDownloader struct {
maxIssueIndex int64
userMap map[int64]*codebaseUser
commitMap map[string]string
username string
password string
}
// SetContext set context
@ -92,18 +94,11 @@ func NewCodebaseDownloader(ctx context.Context, projectURL *url.URL, project, re
projectURL: projectURL,
project: project,
repoName: repoName,
client: &http.Client{
Transport: &http.Transport{
Proxy: func(req *http.Request) (*url.URL, error) {
if len(username) > 0 && len(password) > 0 {
req.SetBasicAuth(username, password)
}
return proxy.Proxy()(req)
},
},
},
userMap: make(map[int64]*codebaseUser),
commitMap: make(map[string]string),
client: allowlist.NewMigrationHTTPClient(),
username: username,
password: password,
userMap: make(map[int64]*codebaseUser),
commitMap: make(map[string]string),
}
log.Trace("Create Codebase downloader. BaseURL: %s Project: %s RepoName: %s", baseURL, project, repoName)
@ -145,6 +140,9 @@ func (d *CodebaseDownloader) callAPI(endpoint string, parameter map[string]strin
if err != nil {
return err
}
if len(d.username) > 0 && len(d.password) > 0 {
req.SetBasicAuth(d.username, d.password)
}
req.Header.Add("Accept", "application/xml")
resp, err := d.client.Do(req)

View file

@ -10,11 +10,29 @@ import (
"time"
base "forgejo.org/modules/migration"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/migrations/allowlist"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestCodebaseDownloaderBlocksLocalhost(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, false, func() { require.NoError(t, allowlist.Init()) })()
u, _ := url.Parse("http://localhost")
downloader := NewCodebaseDownloader(t.Context(), u, "test_project", "test_repo", "", "")
// The Codebase API base URL is hardcoded to the public service; point it at localhost to verify the migration HTTP
// client refuses to connect. This may seem like the entire point of SSRF protection here is invalid since the
// remote address is hardcoded, but, admins may have configured their restrictions to prevent this access, or DNS
// rebinding may be used either authoritatively or spoofed to change this address's destination.
downloader.baseURL = u
_, err := downloader.GetRepoInfo()
require.Error(t, err)
assert.Contains(t, err.Error(), "can only call allowed HTTP servers")
}
func TestCodebaseDownloadRepo(t *testing.T) {
// Skip tests if Codebase token is not found
cloneUser := os.Getenv("CODEBASE_CLONE_USER")

View file

@ -8,11 +8,16 @@ import (
"testing"
"forgejo.org/models/unittest"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/migrations/allowlist"
"github.com/stretchr/testify/require"
)
func TestGitbucketDownloaderCreation(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
token := os.Getenv("GITHUB_READ_TOKEN")
fixturePath := "./testdata/github/full_download"
server := unittest.NewMockWebServer(t, "https://api.github.com", fixturePath, false)

View file

@ -12,6 +12,8 @@ import (
"forgejo.org/models/unittest"
base "forgejo.org/modules/migration"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/migrations/allowlist"
gitea_sdk "code.gitea.io/sdk/gitea"
@ -20,6 +22,8 @@ import (
)
func TestGiteaDownloadRepo(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
giteaToken := os.Getenv("GITEA_TOKEN")
fixturePath := "./testdata/gitea/full_download"
@ -320,6 +324,7 @@ func TestGiteaDownloadRepo(t *testing.T) {
}
func TestForgejoDownloadRepo(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
token := os.Getenv("CODE_FORGEJO_TOKEN")
fixturePath := "./testdata/code-forgejo-org/full_download"
@ -408,6 +413,7 @@ func createForgejoIssueComments(comments []*gitea_sdk.Comment) []*base.Comment {
}
func TestBreakConditions(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
giteaToken := os.Getenv("GITEA_TOKEN")
fixturePath := "./testdata/gitea/breaking_conditions"

View file

@ -15,6 +15,9 @@ import (
"forgejo.org/models/unittest"
"forgejo.org/modules/log"
base "forgejo.org/modules/migration"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/migrations/allowlist"
"github.com/google/go-github/v81/github"
"github.com/stretchr/testify/assert"
@ -22,6 +25,8 @@ import (
)
func TestGithubDownloaderFilterComments(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
GithubLimitRateRemaining = 3 // Wait at 3 remaining since we could have 3 CI in //
token := os.Getenv("GITHUB_READ_TOKEN")
@ -125,6 +130,7 @@ func ratelimitInjectHandler(handler http.Handler, urlpattern *regexp.Regexp, eve
}
func TestGitHubDownloadRepo(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
GithubLimitRateRemaining = 3 // Wait at 3 remaining since we could have 3 CI in //
token := os.Getenv("GITHUB_READ_TOKEN")
@ -489,6 +495,7 @@ func TestGithubMultiToken(t *testing.T) {
}
func TestGithubIssuePagination(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
GithubLimitRateRemaining = 3 // Wait at 3 remaining since we could have 3 CI in //
token := os.Getenv("GITHUB_READ_TOKEN_NIGOROLL")

View file

@ -15,6 +15,9 @@ import (
"forgejo.org/models/unittest"
"forgejo.org/modules/json"
base "forgejo.org/modules/migration"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/migrations/allowlist"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@ -22,6 +25,8 @@ import (
)
func TestGitlabDownloadRepo(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
// If a GitLab access token is provided, this test will make HTTP requests to the live gitlab.com instance.
// When doing so, the responses from gitlab.com will be saved as test data files.
// If no access token is available, those cached responses will be used instead.
@ -484,6 +489,8 @@ func TestGitlabDownloadRepo(t *testing.T) {
}
func TestGitlabSkippedIssueNumber(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
// If a GitLab access token is provided, this test will make HTTP requests to the live gitlab.com instance.
// When doing so, the responses from gitlab.com will be saved as test data files.
// If no access token is available, those cached responses will be used instead.
@ -841,6 +848,8 @@ func TestCommentBodyParser(t *testing.T) {
}
func TestGitlabConfidential(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
// If a GitLab access token is provided, this test will make HTTP requests to the live gitlab.com instance.
// When doing so, the responses from gitlab.com will be saved as test data files.
// If no access token is available, those cached responses will be used instead.

View file

@ -16,6 +16,7 @@ import (
"forgejo.org/modules/log"
base "forgejo.org/modules/migration"
"forgejo.org/modules/structs"
"forgejo.org/services/migrations/allowlist"
)
var (
@ -79,6 +80,8 @@ type OneDevDownloader struct {
maxIssueIndex int64
userMap map[int64]*onedevUser
milestoneMap map[int64]string
username string
password string
}
// SetContext set context
@ -89,19 +92,12 @@ func (d *OneDevDownloader) SetContext(ctx context.Context) {
// NewOneDevDownloader creates a new downloader
func NewOneDevDownloader(ctx context.Context, baseURL *url.URL, username, password, repoName string) *OneDevDownloader {
downloader := &OneDevDownloader{
ctx: ctx,
baseURL: baseURL,
repoName: repoName,
client: &http.Client{
Transport: &http.Transport{
Proxy: func(req *http.Request) (*url.URL, error) {
if len(username) > 0 && len(password) > 0 {
req.SetBasicAuth(username, password)
}
return nil, nil
},
},
},
ctx: ctx,
baseURL: baseURL,
repoName: repoName,
client: allowlist.NewMigrationHTTPClient(),
username: username,
password: password,
userMap: make(map[int64]*onedevUser),
milestoneMap: make(map[int64]string),
}
@ -139,6 +135,9 @@ func (d *OneDevDownloader) callAPI(endpoint string, parameter map[string]string,
if err != nil {
return err
}
if len(d.username) > 0 && len(d.password) > 0 {
req.SetBasicAuth(d.username, d.password)
}
resp, err := d.client.Do(req)
if err != nil {

View file

@ -10,11 +10,24 @@ import (
"time"
base "forgejo.org/modules/migration"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/migrations/allowlist"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestOneDevDownloaderBlocksLocalhost(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, false, func() { require.NoError(t, allowlist.Init()) })()
u, _ := url.Parse("http://localhost")
downloader := NewOneDevDownloader(t.Context(), u, "", "", "test_repo")
_, err := downloader.GetRepoInfo()
require.Error(t, err)
assert.Contains(t, err.Error(), "can only call allowed HTTP servers")
}
func TestOneDevDownloadRepo(t *testing.T) {
resp, err := http.Get("https://code.onedev.io/projects/go-gitea-test_repo")
if err != nil || resp.StatusCode != http.StatusOK {

View file

@ -15,10 +15,10 @@ import (
"forgejo.org/modules/json"
"forgejo.org/modules/log"
base "forgejo.org/modules/migration"
"forgejo.org/modules/proxy"
"forgejo.org/modules/setting"
"forgejo.org/modules/structs"
"forgejo.org/modules/util"
"forgejo.org/services/migrations/allowlist"
)
var (
@ -238,14 +238,10 @@ func NewPagureDownloader(ctx context.Context, baseURL *url.URL, token, repoName
}
downloader := &PagureDownloader{
ctx: ctx,
baseURL: baseURL,
repoName: repoName,
client: &http.Client{
Transport: &http.Transport{
Proxy: proxy.Proxy(),
},
},
ctx: ctx,
baseURL: baseURL,
repoName: repoName,
client: allowlist.NewMigrationHTTPClient(),
token: token,
privateIssuesOnlyRepo: privateIssuesOnlyRepo,
userMap: make(map[string]*PagureUser),

View file

@ -12,12 +12,27 @@ import (
"forgejo.org/models/unittest"
base "forgejo.org/modules/migration"
"forgejo.org/modules/setting"
"forgejo.org/modules/test"
"forgejo.org/services/migrations/allowlist"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
func TestPagureDownloaderBlocksLocalhost(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, false, func() { require.NoError(t, allowlist.Init()) })()
u, _ := url.Parse("http://localhost")
downloader := NewPagureDownloader(t.Context(), u, "", "test_repo")
_, err := downloader.GetRepoInfo()
require.Error(t, err)
assert.Contains(t, err.Error(), "can only call allowed HTTP servers")
}
func TestPagureDownloadRepoWithPublicIssues(t *testing.T) {
defer test.MockVariableValueWithReset(&setting.Migrations.AllowLocalNetworks, true, func() { require.NoError(t, allowlist.Init()) })()
// Skip tests if Pagure token is not found
cloneUser := os.Getenv("PAGURE_CLONE_USER")
clonePassword := os.Getenv("PAGURE_CLONE_PASSWORD")