author | Jason Song <i@wolfogre.com> | 2023-04-07 04:57:30 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-04-06 16:57:30 -0400 |
commit | d92909fa8b4427cb3e6fca4ec18487ab506e34bf (patch) | |
tree | 8c09fc83e7e57fd4e5fc5f3721d9b6b61f597322 | |
parent | 9b416b2e36a035672226d4b83c6b7e87578b17fe (diff) | |
Treat PRs with agit flow as fork PRs when triggering actions. (#23884)
There is no fork concept in the agit flow: anyone with read permission can
push `refs/for/<target-branch>/<topic-branch>` to the repo. So we should
treat such a pull request as a fork pull request, because it may come from
an untrusted user.
-rw-r--r-- | models/actions/run.go | 2 | ||||
-rw-r--r-- | services/actions/notifier_helper.go | 17 |
2 files changed, 17 insertions, 2 deletions
diff --git a/models/actions/run.go b/models/actions/run.go
index 22041b65a9..b58683dd36 100644
--- a/models/actions/run.go
+++ b/models/actions/run.go
@@ -36,7 +36,7 @@ type ActionRun struct {
 TriggerUser *user_model.User `xorm:"-"`
 Ref string
 CommitSHA string
- IsForkPullRequest bool
+ IsForkPullRequest bool // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
 NeedApproval bool // may need approval if it's a fork pull request
 ApprovedBy int64 `xorm:"index"` // who approved
 Event webhook_module.HookEventType
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go
index b0e199fc6b..1c1b986a41 100644
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -152,6 +152,21 @@ func notify(ctx context.Context, input *notifyInput) error {
 return fmt.Errorf("json.Marshal: %w", err)
 }
 
+ isForkPullRequest := false
+ if pr := input.PullRequest; pr != nil {
+ switch pr.Flow {
+ case issues_model.PullRequestFlowGithub:
+ isForkPullRequest = pr.IsFromFork()
+ case issues_model.PullRequestFlowAGit:
+ // There is no fork concept in agit flow, anyone with read permission can push refs/for/<target-branch>/<topic-branch> to the repo.
+ // So we can treat it as a fork pull request because it may be from an untrusted user
+ isForkPullRequest = true
+ default:
+ // unknown flow, assume it's a fork pull request to be safe
+ isForkPullRequest = true
+ }
+ }
+
 for id, content := range workflows {
 run := &actions_model.ActionRun{
 Title: strings.SplitN(commit.CommitMessage, "\n", 2)[0],
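Review bot: The trust classification added just before `for id, content := range workflows` is a security decision written inline in `notify` (which starts before this hunk), with the AGit arm and the `default` arm both assigning `true` and nothing pinning that "untrusted unless GitHub-flow and not from a fork" rule in a test. Moving the switch into a small named helper keeps the fail-closed default in one documented place and makes it unit-testable per flow value. The call site here then becomes `isForkPullRequest := isUntrustedPullRequest(input.PullRequest)`, and the one-line assignment in the next hunk stays as it is.

```go
// isUntrustedPullRequest reports whether a workflow run triggered by pr must be
// treated as a fork pull request. Only a GitHub-flow PR that is not from a fork
// is trusted; AGit PRs (no fork concept, any user with read permission can push
// refs/for/<target-branch>/<topic-branch>) and unknown flows are not.
func isUntrustedPullRequest(pr *issues_model.PullRequest) bool {
	if pr == nil {
		return false
	}
	switch pr.Flow {
	case issues_model.PullRequestFlowGithub:
		return pr.IsFromFork()
	case issues_model.PullRequestFlowAGit:
		return true
	default:
		// unknown flow: fail closed
		return true
	}
}

// … unchanged: notify body up to the json.Marshal error check …
	isForkPullRequest := isUntrustedPullRequest(input.PullRequest)
// … unchanged: for id, content := range workflows loop …
```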
@@ -161,7 +176,7 @@ func notify(ctx context.Context, input *notifyInput) error {
 TriggerUserID: input.Doer.ID,
 Ref: ref,
 CommitSHA: commit.ID.String(),
- IsForkPullRequest: input.PullRequest != nil && input.PullRequest.IsFromFork(),
+ IsForkPullRequest: isForkPullRequest,
 Event: input.Event,
 EventPayload: string(p),
 Status: actions_model.StatusWaiting,
|