X-Total-Count on /orgs/{org}/repos?page=... API endpoint wrong #14478

Open
opened 2025-11-02 11:14:00 -06:00 by GiteaMirror · 3 comments
Originally created by @splitt3r on GitHub (May 12, 2025).

Description

On /orgs/{org}/repos the total count header can be wrong if the user cannot see some of the org's repos. Also the limit parameter can be wrong too in that situation.

Steps to reproduce:

  • Request to /orgs/{org}/repos?page=...
  • the header X-Total-Count says there are 100 repos
    • on page 10 there is a repo I'm not allowed to see, so this page returns only limit - 1 repos, which is strange
    • and the total count is also wrong because I can only see 99 repos
  • and now I know that there is one repo I can't see, which is also problematic security-wise

https://github.com/go-gitea/gitea/blob/355e9a9d544aa2d3f3a17b06cdb2bf1ceb290fd7/routers/api/v1/user/repo.go#L50-L52

The initial array is counted. But it should return the count of apiRepos, which is the filtered list of repos.

Gitea Version

v1.23.7

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Ubuntu

How are you running Gitea?

Ubuntu package installation

Database

MySQL/MariaDB

GiteaMirror added the topic/apitype/bug labels 2025-11-02 11:14:00 -06:00

@endo0911engineer commented on GitHub (May 30, 2025):

Hello,

I attempted to reproduce the issue described, but so far we have not been able to replicate it in our environment.

Environment:

  • Gitea Version: 1.25.0
  • Database: sqlite3
  • Number of repositories in the organization: 100 (99 public, 1 private)

API Request Example:

curl -i -H "Authorization: token [token]" "http://localhost:3000/api/v1/orgs/myorg/repos?page=10&limit=10"

Result:

  • The X-Total-Count header returns 99 (or the expected value).
  • The number of repositories returned in the response matches the specified limit=10 (or is as expected).

Currently, I have not confirmed the reported issue regarding discrepancies in total count or limit when there are restricted repositories in paginated responses.

If there are any additional conditions or specific environment configurations required to reproduce the issue, please kindly share them with us.

Thank you for your assistance.


@splitt3r commented on GitHub (May 30, 2025):

Thanks for your work. I will investigate further and check if there are any other conditions I missed.


@splitt3r commented on GitHub (Jun 2, 2025):

I gave it another try on another instance of mine. One thing I noticed is that repos are forced to be private on the instances I use.

Besides the owner team, I created another group in the organization which has read access on two of the three repos. I created a user application token and sent a request to /api/v1/orgs/my_test_org/repos via Postman. The JSON response contains two objects while the X-Total-Count header is 3.

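The following is an added example, not code from Gitea or from anyone in this thread. It models the listing pattern the issue description points at in routers/api/v1/user/repo.go (fetch one page plus the unfiltered total, then drop repos the caller has no permission on) next to the alternative of filtering before the page is cut, and it reproduces the Jun 2 observation: three private repos, a team that can read two of them, two objects in the body, X-Total-Count reporting 3. Everything in it is constructed: the repo list, the permission map `readable`, the `X-Test-User` header standing in for token authentication, and the function names `paginateThenFilter`, `filterThenPaginate`, `query` and `hiddenRepos`. One caveat the description's suggested fix runs into: counting the filtered slice fixes the header only when the whole list fits on one page, because the size of the current page is not the total once `page=` is involved, so the corrected variant here applies the permission filter before paginating and counts the filtered set. `hiddenRepos` is the inference the reporter calls problematic security-wise: page through everything the caller may see and subtract it from the advertised total.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

type Repo struct {
	ID   int64  `json:"id"`
	Name string `json:"name"`
}

// Constructed sample data (not from the page): all three org repos are private, as in
// the Jun 2 comment. readable stands in for the per-repo permission check; "member"
// is on a team that may read two of the three.
var orgRepos = []Repo{{1, "alpha"}, {2, "beta"}, {3, "gamma"}}
var readable = map[string]map[int64]bool{"member": {1: true, 3: true}}

// pageOf cuts a 1-based page out of repos, like a LIMIT/OFFSET query.
func pageOf(repos []Repo, page, limit int) []Repo {
	start, end := (page-1)*limit, page*limit
	if start > len(repos) {
		start = len(repos)
	}
	if end > len(repos) {
		end = len(repos)
	}
	return repos[start:end]
}

// paginateThenFilter is the pattern the issue describes: one page plus the unfiltered
// total come from the store, then the page is filtered. The total counts repos the
// caller cannot see, and a page that holds a hidden repo comes back short.
func paginateThenFilter(user string, page, limit int) ([]Repo, int) {
	visible := make([]Repo, 0, limit)
	for _, r := range pageOf(orgRepos, page, limit) {
		if readable[user][r.ID] {
			visible = append(visible, r)
		}
	}
	return visible, len(orgRepos)
}

// filterThenPaginate applies the visibility check before cutting the page and counts
// the filtered set, so header and body agree with what the caller is allowed to see.
func filterThenPaginate(user string, page, limit int) ([]Repo, int) {
	visible := make([]Repo, 0, len(orgRepos))
	for _, r := range orgRepos {
		if readable[user][r.ID] {
			visible = append(visible, r)
		}
	}
	return pageOf(visible, page, limit), len(visible)
}

// handler wraps a listing strategy as an /orgs/{org}/repos-style endpoint. The caller
// is read from an assumed X-Test-User header; real Gitea resolves it from the token.
func handler(list func(string, int, int) ([]Repo, int)) http.HandlerFunc {
	return func(w http.ResponseWriter, req *http.Request) {
		page, _ := strconv.Atoi(req.URL.Query().Get("page"))
		limit, _ := strconv.Atoi(req.URL.Query().Get("limit"))
		if page < 1 || limit < 1 {
			http.Error(w, "page and limit must be positive", http.StatusBadRequest)
			return
		}
		repos, total := list(req.Header.Get("X-Test-User"), page, limit)
		w.Header().Set("X-Total-Count", strconv.Itoa(total))
		_ = json.NewEncoder(w).Encode(repos)
	}
}

// query performs one request and returns (X-Total-Count, number of items in the body).
func query(h http.Handler, user string, page, limit int) (int, int) {
	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/api/v1/orgs/my_test_org/repos?page=%d&limit=%d", page, limit), nil)
	req.Header.Set("X-Test-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	total, _ := strconv.Atoi(rec.Header().Get("X-Total-Count"))
	var body []Repo
	_ = json.Unmarshal(rec.Body.Bytes(), &body)
	return total, len(body)
}

// hiddenRepos walks every page the advertised total implies and subtracts what came
// back; with the buggy header the remainder is the number of repos hidden from the caller.
func hiddenRepos(h http.Handler, user string, limit int) int {
	total, seen := query(h, user, 1, limit)
	for page := 2; (page-1)*limit < total; page++ {
		_, n := query(h, user, page, limit)
		seen += n
	}
	return total - seen
}

func main() {
	for name, h := range map[string]http.Handler{"buggy": handler(paginateThenFilter), "fixed": handler(filterThenPaginate)} {
		total, n := query(h, "member", 1, 2)
		fmt.Printf("%s: page=1 limit=2 X-Total-Count=%d items=%d hidden=%d\n", name, total, n, hiddenRepos(h, "member", 2))
	}
}
```

With limit=2 the buggy variant shows both symptoms from the description at once: page 1 of the unfiltered list holds alpha and beta, beta is dropped by the permission check, so the body has limit - 1 items while the header still says 3; the corrected variant fills the page with alpha and gamma and reports 2. A caller with no access at all still learns from the buggy header that the org has three repos, which is the disclosure the reporter is pointing at.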
Reference: github-starred/gitea#14478