Treat PRs with agit flow as fork PRs when triggering actions. (#23884)
There is no fork concept in agit flow, anyone with read permission can push `refs/for/<target-branch>/<topic-branch>` to the repo. So we should treat it as a fork pull request because it may be from an untrusted user.
This commit is contained in:
parent
9b416b2e36
commit
d92909fa8b
2 changed files with 17 additions and 2 deletions
@ -36,7 +36,7 @@ type ActionRun struct {
TriggerUser *user_model.User `xorm:"-"`
TriggerUser *user_model.User `xorm:"-"`
Ref string
Ref string
CommitSHA string
CommitSHA string
IsForkPullRequest bool
IsForkPullRequest bool // If this is triggered by a PR from a forked repository or an untrusted user, we need to check if it is approved and limit permissions when running the workflow.
NeedApproval bool // may need approval if it's a fork pull request
NeedApproval bool // may need approval if it's a fork pull request
ApprovedBy int64 `xorm:"index"` // who approved
ApprovedBy int64 `xorm:"index"` // who approved
Event webhook_module.HookEventType
Event webhook_module.HookEventType
@ -152,6 +152,21 @@ func notify(ctx context.Context, input *notifyInput) error {
return fmt.Errorf("json.Marshal: %w", err)
return fmt.Errorf("json.Marshal: %w", err)
}
}
isForkPullRequest := false
if pr := input.PullRequest; pr != nil {
switch pr.Flow {
case issues_model.PullRequestFlowGithub:
isForkPullRequest = pr.IsFromFork()
case issues_model.PullRequestFlowAGit:
// There is no fork concept in agit flow, anyone with read permission can push refs/for/<target-branch>/<topic-branch> to the repo.
// So we can treat it as a fork pull request because it may be from an untrusted user
isForkPullRequest = true
default:
// unknown flow, assume it's a fork pull request to be safe
isForkPullRequest = true
}
}
for id, content := range workflows {
for id, content := range workflows {
run := &actions_model.ActionRun{
run := &actions_model.ActionRun{
Title: strings.SplitN(commit.CommitMessage, "\n", 2)[0],
Title: strings.SplitN(commit.CommitMessage, "\n", 2)[0],
@ -161,7 +176,7 @@ func notify(ctx context.Context, input *notifyInput) error {
TriggerUserID: input.Doer.ID,
TriggerUserID: input.Doer.ID,
Ref: ref,
Ref: ref,
CommitSHA: commit.ID.String(),
CommitSHA: commit.ID.String(),
IsForkPullRequest: input.PullRequest != nil && input.PullRequest.IsFromFork(),
IsForkPullRequest: isForkPullRequest,
Event: input.Event,
Event: input.Event,
EventPayload: string(p),
EventPayload: string(p),
Status: actions_model.StatusWaiting,
Status: actions_model.StatusWaiting,
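Review bot: The AGit and default arms of the new switch assign the same value, so the fail-closed rule can be stated as one expression that reads as a trust decision rather than an enumeration: `isForkPullRequest = pr.Flow != issues_model.PullRequestFlowGithub || pr.IsFromFork()`, keeping the refs/for comment above it. Whichever form stays, the comment should say explicitly that only a GitHub-flow PR whose head is the base repository is trusted, and that any flow value added later is treated as untrusted until someone decides otherwise — the safe direction, but worth stating so it is not "fixed" by accident. As written, every AGit PR is marked as a fork PR even when the pusher has write access to the repository; if that is intended (the commit message suggests it is), say so in the comment so the extra approval step on maintainers' own AGit PRs is recognised as deliberate. The GitHub arm's result depends entirely on pr.IsFromFork(), whose handling of a missing or deleted head repository is not visible here. notify's body begins and ends outside this hunk.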