diff options
| author | ᴜɴᴋɴᴡᴏɴ <u@gogs.io> | 2020-04-08 20:55:15 +0800 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2020-04-08 20:55:15 +0800 |
| commit | e79aebb3e1f433928af6521230a04a3ad2e8acd8 (patch) | |
| tree | ce43c2fc24fa2d7bf88ee27d4a05f2e7a1cb2ebd /internal/route/repo/tasks.go | |
| parent | 6a096811ffb658f575525921fd49bd7f4f0d45a5 (diff) | |
route: bypass require signin check for trigger repo tasks (#6079)
* route: bypass require signin check for trigger repo tasks
* CHANGELOG
* Fix lint errors
Diffstat (limited to 'internal/route/repo/tasks.go')
| -rw-r--r-- | internal/route/repo/tasks.go | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/internal/route/repo/tasks.go b/internal/route/repo/tasks.go new file mode 100644 index 00000000..e06d3ee7 --- /dev/null +++ b/internal/route/repo/tasks.go @@ -0,0 +1,74 @@ +// Copyright 2020 The Gogs Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package repo + +import ( + "net/http" + + "gopkg.in/macaron.v1" + log "unknwon.dev/clog/v2" + + "gogs.io/gogs/internal/db" + "gogs.io/gogs/internal/tool" +) + +func TriggerTask(c *macaron.Context) { + branch := c.Query("branch") + pusherID := c.QueryInt64("pusher") + secret := c.Query("secret") + if branch == "" || pusherID <= 0 || secret == "" { + c.Error(http.StatusBadRequest, "Incomplete branch, pusher or secret") + return + } + + username := c.Params(":username") + reponame := c.Params(":reponame") + + owner, err := db.Users.GetByUsername(username) + if err != nil { + if db.IsErrUserNotExist(err) { + c.Error(http.StatusBadRequest, "Owner does not exist") + } else { + c.Status(http.StatusInternalServerError) + log.Error("Failed to get user [name: %s]: %v", username, err) + } + return + } + + // 🚨 SECURITY: No need to check existence of the repository if the client + // can't even get the valid secret. Mostly likely not a legitimate request. + if secret != tool.MD5(owner.Salt) { + c.Error(http.StatusBadRequest, "Invalid secret") + return + } + + repo, err := db.Repos.GetByName(owner.ID, reponame) + if err != nil { + if db.IsErrRepoNotExist(err) { + c.Error(http.StatusBadRequest, "Repository does not exist") + } else { + c.Status(http.StatusInternalServerError) + log.Error("Failed to get repository [owner_id: %d, name: %s]: %v", owner.ID, reponame, err) + } + return + } + + pusher, err := db.Users.GetByID(pusherID) + if err != nil { + if db.IsErrUserNotExist(err) { + c.Error(http.StatusBadRequest, "Pusher does not exist") + } else { + c.Status(http.StatusInternalServerError) + log.Error("Failed to get user [id: %d]: %v", pusherID, err) + } + return + } + + log.Trace("TriggerTask: %s/%s@%s by %q", owner.Name, repo.Name, branch, pusher.Name) + + go db.HookQueue.Add(repo.ID) + go db.AddTestPullRequestTask(pusher, repo.ID, branch, true) + c.Status(http.StatusAccepted) +} |