gitforge/routers
Mathieu Fenniak 0b2b072dce [v11.0/forgejo] fix: don't cache write permission on first pushed git reference (#13373)
Forgejo's git pre-receive hook validates whether the authenticated user can write to the target branch during a push operation.  A caching performance optimization in the hook caused the pre-receive hook to validate only the first branch reference in the push.  While typically a push operation has the same rights for all branches on a repository, some exceptions exist which could allow a user to push to a branch, pass the validation, and then bypass checks on additional references due to the cache.  The cache has been removed, forcing all references to be validated for code write permissions.

Thanks to Gitea for identifying this issue in https://github.com/go-gitea/gitea/pull/38103/changes/f25811942cea35233299efdbdfeec40663d4807a. This effort has been re-engineered for Forgejo, consistent with Forgejo's AI Agreement.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13373
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2026-07-09 06:10:00 +02:00
..
api [v11.0/forgejo]: 2026-06-10 security patches (#13003) 2026-06-10 06:02:41 +02:00
common [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
install [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
private [v11.0/forgejo] fix: don't cache write permission on first pushed git reference (#13373) 2026-07-09 06:10:00 +02:00
utils [PORT] drop utils.IsExternalURL (and expand IsRiskyRedirectURL tests) (#3167) 2024-04-15 13:03:08 +00:00
web [v11.0/forgejo]: 2026-06-10 security patches (#13003) 2026-06-10 06:02:41 +02:00
init.go [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00