Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

API privacy / security - organization endpoints can be accessed without an access token #5603

Closed
2 of 7 tasks
OndrejSpanel opened this issue Dec 27, 2018 · 14 comments
Closed
2 of 7 tasks

API privacy / security - organization endpoints can be accessed without an access token #5603

OndrejSpanel opened this issue Dec 27, 2018 · 14 comments
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea modifies/api This PR adds API routes or modifies them type/enhancement An improvement of existing functionality

Comments

@OndrejSpanel
Copy link

  • Gitea version (or commit ref): 1.6.2
  • Git version: 1.9.1
  • Operating system: Debian 7
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

Several API endpoints can be accessed without any authorization at all. I have found following GET requests which responded to me this way:

/orgs/{org}/repos
/orgs/{org}/members
/orgs/{org}

Some other endpoints I have tested require authorization (e.g. /orgs/{org}/hooks). I think the only gitea API endpoint which should be accessible without any authorization is version - any listing of repositories, users or organization should require it.

Screenshots

image
@adelowo adelowo mentioned this issue Dec 27, 2018
Closed
@lafriks lafriks added topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! modifies/api This PR adds API routes or modifies them labels Dec 28, 2018
@lafriks lafriks added this to the 1.7.0 milestone Dec 28, 2018
@markediez
Copy link

Hmm, I don't think this is an issue. GitHub allows unauthorized access in their APIs as well. I tried querying my org and it did not show my private repos given your steps.

@markediez
Copy link

/members endpoint only shows visible users
/repos endpoint only shows public repos
I don't see an option to set an org private.

@lafriks
Copy link
Member

lafriks commented Dec 28, 2018

It should probably follow setting if public access is allowed or not and based on that require token or allow without it. Needs rechecking if this is really is issue or not

@lafriks lafriks added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label Dec 28, 2018
@OndrejSpanel
Copy link
Author

I see my repro on gitea test server is not representative, given the server is public. My gitea server is set to allow access only to registered users (REQUIRE_SIGNIN_VIEW = true). It would be nice if API followed this setting as well.

@jonasfranz jonasfranz added type/enhancement An improvement of existing functionality and removed topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail labels Jan 1, 2019
@jonasfranz jonasfranz modified the milestones: 1.7.0, 1.x.x Jan 1, 2019
@techknowlogick techknowlogick modified the milestones: 1.7.0, 1.8.0 Jan 5, 2019
@techknowlogick techknowlogick modified the milestones: 1.8.0, 1.9.0 Feb 19, 2019
@stale
Copy link

stale bot commented Apr 20, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label Apr 20, 2019
@lunny lunny added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Apr 24, 2019
@stale stale bot removed the issue/stale label Apr 24, 2019
@lunny lunny mentioned this issue Apr 24, 2019
Merged
@lunny
Copy link
Member

lunny commented Apr 24, 2019

According #6731, @OndrejSpanel there is no problem here.

@OndrejSpanel
Copy link
Author

What I do not understand after reading that issue: Do you mean the behaviour I describe is as designed (or at least acceptable), or that the issue was fixed meanwhile?

@lunny
Copy link
Member

lunny commented Apr 24, 2019

@OndrejSpanel That means it's as designed. My tests haven't found a privacy / security problem on that. Those APIs will return public content when you have no access token.

@OndrejSpanel
Copy link
Author

OndrejSpanel commented Apr 24, 2019
edited
Loading

My issue about privacy is that I think no content should be considered "public" (accessible without an access token) when you require login even to access the Gitea main pages (i.e. when you use the option REQUIRE_SIGNIN_VIEW = true).

@mrsdizzie
Copy link
Member

This is how it currently works, and what @lunny test show in #6731

If REQUIRE_SIGNIN_VIEW = true The API calls for the examples above all return

403
{
    "message": "Only signed in user is allowed to call APIs."
}

As they all should, based on:

gitea/modules/context/auth.go

Lines 75 to 83 in 19ec260

if options.SignInRequired {
if !ctx.IsSigned {
// Restrict API calls with error message.
if auth.IsAPIPath(ctx.Req.URL.Path) {
ctx.JSON(403, map[string]string{
"message": "Only signed in user is allowed to call APIs.",
})
return
}

I don't see an example of this not working (the screenshot in the original issue is from public gitea that doesn't not have REQUIRE_SIGNIN_VIEW = true

Is there a specific example that can be seen of this not working?

@jtl999
Copy link

jtl999 commented Apr 28, 2019
edited
Loading

I was concerned about issues like this but before migrating to Gitea (from GitLab) but I tested with my local install (running 1.8 with REQUIRE_SIGNIN_VIEW set) and cannot reproduce.

Assuming there are no issues in auth.IsAPIPath function I don't see any issues here.

jtl@jtl-macbookpro-linux:~$ curl -X GET "http://10.2.2.32:3000/api/v1/users/search?q=jtl" -H  "accept: application/json" ; echo 
{"message":"Only signed in user is allowed to call APIs."}

@lunny lunny removed this from the 1.9.0 milestone Apr 28, 2019
@lunny
Copy link
Member

lunny commented Apr 28, 2019

Let's close this and please feel free to reopen it.

@lunny lunny closed this as completed Apr 28, 2019
@OndrejSpanel
Copy link
Author

I confirm the issue does not exist. My previous testing methodology was bad, as I was testing it in a browser session which has already performed the authentication. Testing in a fresh browser returns error as expected.

@jtl999
Copy link

jtl999 commented Apr 28, 2019

No harm no foul. Better to be careful about these sorts of things.

@go-gitea go-gitea locked and limited conversation to collaborators Nov 24, 2020
@delvh delvh added issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea and removed reviewed/invalid labels Oct 7, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea modifies/api This PR adds API routes or modifies them type/enhancement An improvement of existing functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

security: some organization endpoints can be accessed without authorization adelowo/gitea
9 participants
@lunny @techknowlogick @lafriks @jtl999 @mrsdizzie @markediez @jonasfranz @OndrejSpanel @delvh