[Security] CSRF Vulnerability on API #2002

New Issue

Closed

opened 2025-11-02 04:20:44 -06:00 by GiteaMirror · 6 comments

GiteaMirror commented 2025-11-02 04:20:44 -06:00

Owner

Copy Link

Originally created by @ghost on GitHub (Jul 3, 2018).

• Gitea version (or commit ref): every version with swagger api
• Git version: not relevant
• Operating system: not relevant
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

Screenshots

Originally created by @ghost on GitHub (Jul 3, 2018). <!-- 1. Please speak English, this is the language all of us can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/NsatcWJ) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): every version with swagger api - Git version: not relevant - Operating system: not relevant - Database (use `[x]`): - [ ] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [x] Yes (provide example URL) - [ ] No - [ ] Not relevant - Log gist: ## Description ## Screenshots <!-- **If this issue involves the Web Interface, please include a screenshot** -->

GiteaMirror added the topic/security label 2025-11-02 04:20:44 -06:00

GiteaMirror closed this issue 2025-11-02 04:20:45 -06:00

GiteaMirror commented 2025-11-02 04:20:46 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Jul 4, 2018):

Because Gitea's UI are also using some APIs, so the APIs support many authorizations(session is one of them). But have you found any missing permissions checking? Could you send a security email to security@gitea.io?

@lunny commented on GitHub (Jul 4, 2018): Because Gitea's UI are also using some APIs, so the APIs support many authorizations(session is one of them). But have you found any missing permissions checking? Could you send a security email to security@gitea.io?

GiteaMirror commented 2025-11-02 04:20:46 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Jul 6, 2018):

I think you are right. Maybe we should use different routes for UI and APIs.

@lunny commented on GitHub (Jul 6, 2018): I think you are right. Maybe we should use different routes for UI and APIs.

GiteaMirror commented 2025-11-02 04:20:46 -06:00

Author

Owner

Copy Link

@techknowlogick commented on GitHub (Jul 6, 2018):

The way the WordPress API works is that if cookie auth is used (vs token auth), then a nonce has to be sent as well, the nonce is injected into the html template for JS to use and pass to the API and act as a second factor. (I've seen this approach in other implementations, it is just that WP is most well known)

Even if we did different routes for UI/API the UI ajax routes would still be affected.

More and more functionality is being built that uses the API (issue date, etc..) via the UI, and so we should work towards resolving the issue above.

@techknowlogick commented on GitHub (Jul 6, 2018): The way the WordPress API works is that if cookie auth is used (vs token auth), then a nonce has to be sent as well, the nonce is injected into the html template for JS to use and pass to the API and act as a second factor. (I've seen this approach in other implementations, it is just that WP is most well known) Even if we did different routes for UI/API the UI ajax routes would still be affected. More and more functionality is being built that uses the API (issue date, etc..) via the UI, and so we should work towards resolving the issue above.

GiteaMirror commented 2025-11-02 04:20:46 -06:00

Author

Owner

Copy Link

@techknowlogick commented on GitHub (Jul 7, 2018):

Perhaps we could use the CSRF token as a second factor

@techknowlogick commented on GitHub (Jul 7, 2018): Perhaps we could use the CSRF token as a second factor

GiteaMirror commented 2025-11-02 04:20:46 -06:00

Author

Owner

Copy Link

@techknowlogick commented on GitHub (Aug 9, 2018):

Anyone looking at this https://github.com/go-gitea/gitea/blob/master/routers/api/v1/api.go#L133 reqToken just validates that the user is signed in, not that they are using a valid token.

@techknowlogick commented on GitHub (Aug 9, 2018): Anyone looking at this https://github.com/go-gitea/gitea/blob/master/routers/api/v1/api.go#L133 `reqToken` just validates that the user is signed in, not that they are using a valid token.

GiteaMirror commented 2025-11-02 04:20:46 -06:00

Author

Owner

Copy Link

@beeonthego commented on GitHub (Sep 1, 2018):

Is someone working on this issue now? if not, I will prepare a PR and check whether a token (or basic auth) has been used to authenticate. the check can be added to reqToken handler. There are a few minor changes, non breaking.

@beeonthego commented on GitHub (Sep 1, 2018): Is someone working on this issue now? if not, I will prepare a PR and check whether a token (or basic auth) has been used to authenticate. the check can be added to reqToken handler. There are a few minor changes, non breaking.

GiteaMirror referenced this issue 2025-11-02 12:04:00 -06:00

[PR #2002] [MERGED] Add integration test for issue creating #16175

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#2002