2026-06-10 security patches (#13001)

- fix: prevent stored XSS in user display name on Actions page
- fix: LFS locks must belong to the intended repo, port from Gitea
- fix: prevent unauthorized access to draft releases via API
- fix: prevent writes to OpenID visibility which may affect other users
- fix: prevent viewing private PRs that are linked to public issues on public projects

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13001
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
This commit is contained in:
Mathieu Fenniak 2026-06-10 06:05:01 +02:00 committed by Beowulf
commit 4b83448b7d
20 changed files with 407 additions and 36 deletions

View file

@ -288,6 +288,106 @@ func TestAPIReleaseGetDraftByTag(t *testing.T) {
assert.NotEmpty(t, err.Message)
}
func TestAPIReleaseGet(t *testing.T) {
defer tests.PrepareTestEnv(t)()
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
t.Run("draft release, no permission", func(t *testing.T) {
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
RepoID: repo.ID,
TagName: "draft-release",
})
assert.True(t, rel.IsDraft)
assert.False(t, rel.IsTag) // wouldn't test the CanWrite(TypeReleases) check for the draft, if this were the case
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d", repo.OwnerName, repo.Name, rel.ID))
resp := MakeRequest(t, req, http.StatusNotFound)
var err *api.APIError
DecodeJSON(t, resp, &err)
assert.NotEmpty(t, err.Message)
})
t.Run("draft release, w/ permission", func(t *testing.T) {
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
RepoID: repo.ID,
TagName: "draft-release",
})
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d", repo.OwnerName, repo.Name, rel.ID)).
AddTokenAuth(token)
resp := MakeRequest(t, req, http.StatusOK)
var apiRelease *api.Release
DecodeJSON(t, resp, &apiRelease)
assert.Equal(t, rel.TagName, apiRelease.TagName)
})
t.Run("published release", func(t *testing.T) {
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
RepoID: repo.ID,
TagName: "v1.1",
})
assert.False(t, rel.IsDraft)
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d", repo.OwnerName, repo.Name, rel.ID))
resp := MakeRequest(t, req, http.StatusOK)
var apiRelease *api.Release
DecodeJSON(t, resp, &apiRelease)
assert.Equal(t, rel.TagName, apiRelease.TagName)
})
}
func TestAPIReleaseGetAssets(t *testing.T) {
defer tests.PrepareTestEnv(t)()
repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
session := loginUser(t, "user2")
token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeReadRepository)
t.Run("draft release, no permission", func(t *testing.T) {
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
RepoID: repo.ID,
TagName: "draft-release",
})
assert.True(t, rel.IsDraft)
assert.False(t, rel.IsTag) // wouldn't test the CanWrite(TypeReleases) check for the draft, if this were the case
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", repo.OwnerName, repo.Name, rel.ID))
resp := MakeRequest(t, req, http.StatusNotFound)
var err *api.APIError
DecodeJSON(t, resp, &err)
assert.NotEmpty(t, err.Message)
})
t.Run("draft release, w/ permission", func(t *testing.T) {
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
RepoID: repo.ID,
TagName: "draft-release",
})
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", repo.OwnerName, repo.Name, rel.ID)).
AddTokenAuth(token)
resp := MakeRequest(t, req, http.StatusOK)
var attach []*api.Attachment
DecodeJSON(t, resp, &attach)
assert.Empty(t, attach)
})
t.Run("published release", func(t *testing.T) {
rel := unittest.AssertExistsAndLoadBean(t, &repo_model.Release{
RepoID: repo.ID,
TagName: "v1.1",
})
assert.False(t, rel.IsDraft)
req := NewRequest(t, "GET", fmt.Sprintf("/api/v1/repos/%s/%s/releases/%d/assets", repo.OwnerName, repo.Name, rel.ID))
resp := MakeRequest(t, req, http.StatusOK)
var attach []*api.Attachment
DecodeJSON(t, resp, &attach)
assert.Len(t, attach, 1)
})
}
func TestAPIReleaseDeleteByTagName(t *testing.T) {
defer tests.PrepareTestEnv(t)()