From c92108097e8ae4702c115ae4702b63d960838e75 Mon Sep 17 00:00:00 2001 From: Stefan Bühler Date: Jul 24 2017 10:26:46 +0000 Subject: Hide private repos in ssh too '@all' shouldn't have access to private repos, otherwise every user sees all private repositories. Add the corresponding unit-tests This commit fixes CVE-2017-1002151 Merges https://pagure.io/pagure/pull-request/2426
---
diff --git a/pagure/lib/git_auth.py b/pagure/lib/git_auth.py
index 939e053..577b668 100644
--- a/pagure/lib/git_auth.py
+++ b/pagure/lib/git_auth.py
@@ -126,7 +126,7 @@ class Gitolite2Auth(GitAuthHelper):
 repos = ''
 config.append('repo %s%s' % (repos, project.fullname))
- if repos not in ['tickets/', 'requests/']:
+ if not project.private and repos not in ['tickets/', 'requests/']:
 config.append(' R = @all')
 if project.committer_groups:
 config.append(' RW+ = @%s' % ' @'.join(
diff --git a/tests/test_pagure_lib_gitolite_config.py b/tests/test_pagure_lib_gitolite_config.py
index e07de7f..184256d 100644
--- a/tests/test_pagure_lib_gitolite_config.py
+++ b/tests/test_pagure_lib_gitolite_config.py
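Review bot: The added `not project.private` guard on the `R = @all` line carries the whole security fix, yet the line gives no hint why it is there, so a later cleanup could easily fold the two conditions back together and re-expose private repositories; a why-comment above it would anchor the intent, e.g. `# Private projects must never get a world-readable rule: read access to them comes only from the explicit user/group rules (CVE-2017-1002151)`. The `docs/` repository of a private project appears to be covered as well, since this same line emits the rule for whatever `repos` prefix is in play, and the expected output in the new test in tests/test_pagure_lib_gitolite_config.py confirms that. Because this only changes how the ACL file is generated, presumably existing private projects on a deployed instance stay readable by `@all` until the gitolite configuration is regenerated — worth stating in the commit message or release notes. The enclosing method starts and ends outside the hunk.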
@@ -736,6 +736,77 @@ repo requests/test
 self.assertIsNone(args[1].get('group'))
 self.assertEqual(args[1].get('project').fullname, 'test')
+ def test_write_gitolite_project_test_private(self):
+ """ Test the write_gitolite_acls function of pagure.lib.git with
+ a postconf set """
+
+ # Make the test project private
+ project = pagure.lib._get_project(self.session, 'test')
+ project.private = True
+ self.session.add(project)
+ self.session.commit()
+
+ # Re-generate the gitolite config just for this project
+ helper = pagure.lib.git_auth.get_git_auth_helper('gitolite3')
+ helper.write_gitolite_acls(
+ self.session,
+ self.outputconf,
+ project=None,
+ )
+ self.assertTrue(os.path.exists(self.outputconf))
+
+ with open(self.outputconf) as stream:
+ data = stream.read().decode('utf-8')
+
+ exp = u"""@grp2 = foo
+@grp = pingou
+# end of groups
+
+repo test
+ RW+ = pingou
+
+repo docs/test
+ RW+ = pingou
+
+repo tickets/test
+ RW+ = pingou
+
+repo requests/test
+ RW+ = pingou
+
+repo test2
+ R = @all
+ RW+ = pingou
+
+repo docs/test2
+ R = @all
+ RW+ = pingou
+
+repo tickets/test2
+ RW+ = pingou
+
+repo requests/test2
+ RW+ = pingou
+
+repo somenamespace/test3
+ R = @all
+ RW+ = pingou
+
+repo docs/somenamespace/test3
+ R = @all
+ RW+ = pingou
+
+repo tickets/somenamespace/test3
+ RW+ = pingou
+
+repo requests/somenamespace/test3
+ RW+ = pingou
+
+# end of body
+"""
+ #print data
+ self.assertEqual(data, exp)
+
 if __name__ == '__main__':
 unittest.main(verbosity=2)
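Review bot: The docstring of `test_write_gitolite_project_test_private` says the test runs "with a postconf set", which is not what the body does — it flips `project.private` and compares the generated ACL — so it reads as a copy-paste from a neighbouring test; suggest `""" Test that write_gitolite_acls grants no R = @all on a private project, including its docs repository """`. The comment `# Re-generate the gitolite config just for this project` likewise contradicts the call right below it, which passes `project=None` and presumably regenerates the full config; `# Re-generate the whole gitolite config (project=None) so the private project can be compared with the public ones` would match the code. The leftover `#print data` debug line should be dropped. Note that `stream.read().decode('utf-8')` on a text-mode file only works on Python 2's byte `str`; if this suite is meant to run under Python 3 as well, open the file in binary mode instead.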