Disallow access to project archive in release unless authorized user has read access #9535

New Issue

Closed

opened 2025-11-02 08:42:08 -06:00 by GiteaMirror · 6 comments

GiteaMirror commented 2025-11-02 08:42:08 -06:00

Owner

Copy Link

Originally created by @cleandesign-contrib on GitHub (Sep 8, 2022).

Feature Description

The current security model of gitea has a certain bit of granularity that allows a user to be restricted from viewing the source code of a project, but allowed to access and download its releases.

This is great, because a CI bot can take the project and post a release, creating an effective security fire-gap.

However, every release comes with an automatically generated master.zip and master.tar.gz links, which effectively means that if one has access to the releases, then one has access to the entire contents of the project (minus .git history).

Would adding the following code here possibly be a solution to this problem?

if !canReadFiles(ctx.Repo) {
        ctx.Error(http.StatusForbidden, "Access Denied", repo_model.ErrUserDoesNotHaveAccessToRepo{
            UserID:   ctx.Doer.ID,
            RepoName: ctx.Repo.Repository.LowerName,
        })
        return
    }

Screenshots

No response

Originally created by @cleandesign-contrib on GitHub (Sep 8, 2022). ### Feature Description The current [security model](https://docs.gitea.io/en-us/permissions/) of gitea has a certain bit of granularity that allows a user to be restricted from viewing the source code of a project, but allowed to access and download its releases. This is great, because a CI bot can take the project and post a release, creating an effective security fire-gap. However, every release comes with an automatically generated `master.zip` and `master.tar.gz` links, which effectively means that if one has access to the releases, then one has access to the entire contents of the project (minus `.git` history). Would adding the following code [here](https://github.com/go-gitea/gitea/blob/4562d40fcead66e54525f710875377ebf7c4766e/routers/api/v1/repo/file.go#L314) possibly be a solution to this problem? ```go if !canReadFiles(ctx.Repo) { ctx.Error(http.StatusForbidden, "Access Denied", repo_model.ErrUserDoesNotHaveAccessToRepo{ UserID: ctx.Doer.ID, RepoName: ctx.Repo.Repository.LowerName, }) return } ``` ### Screenshots _No response_

GiteaMirror added the issue/needs-feedback label 2025-11-02 08:42:09 -06:00

GiteaMirror closed this issue 2025-11-02 08:42:09 -06:00

GiteaMirror commented 2025-11-02 08:42:10 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Sep 8, 2022):

If you have tried, I think we have done that. For release archives, you must have read permission to Code. This has been implemented but if it's not, it should be a bug.

@lunny commented on GitHub (Sep 8, 2022): If you have tried, I think we have done that. For release archives, you must have read permission to Code. This has been implemented but if it's not, it should be a bug.

GiteaMirror commented 2025-11-02 08:42:10 -06:00

Author

Owner

Copy Link

@cleandesign-contrib commented on GitHub (Sep 8, 2022):

Hi @lunny: then this is a bug.

There's also an additional bug in that it appears DISABLE_DOWNLOAD_SOURCE_ARCHIVES has been orphaned as a configuration setting. Would you like me to split that out into a separate bug?

@cleandesign-contrib commented on GitHub (Sep 8, 2022): Hi @lunny: then this is a bug. There's also an additional bug in that it appears `DISABLE_DOWNLOAD_SOURCE_ARCHIVES` has been orphaned as a configuration setting. Would you like me to split that out into a separate bug?

GiteaMirror commented 2025-11-02 08:42:10 -06:00

Author

Owner

Copy Link

@noerw commented on GitHub (Sep 8, 2022):

There's also an additional bug in that it appears DISABLE_DOWNLOAD_SOURCE_ARCHIVES has been orphaned as a configuration setting. Would you like me to split that out into a separate bug?

This is not true, see bb0ff77e46/routers/web/web.go (L293)

@noerw commented on GitHub (Sep 8, 2022): > There's also an additional bug in that it appears DISABLE_DOWNLOAD_SOURCE_ARCHIVES has been orphaned as a configuration setting. Would you like me to split that out into a separate bug? This is not true, see https://github.com/go-gitea/gitea/blob/bb0ff77e461ae080b1722701aea74010ff71e0ae/routers/web/web.go#L293

GiteaMirror commented 2025-11-02 08:42:10 -06:00

Author

Owner

Copy Link

@noerw commented on GitHub (Sep 8, 2022):

However, every release comes with an automatically generated master.zip and master.tar.gz links, which effectively means that if one has access to the releases, then one has access to the entire contents of the project (minus .git history).

@cleandesign-contrib I can't reproduce this in current 1.18.0+dev-402 (52c2ef790). What gitea version are you referring to?

@noerw commented on GitHub (Sep 8, 2022): > However, every release comes with an automatically generated master.zip and master.tar.gz links, which effectively means that if one has access to the releases, then one has access to the entire contents of the project (minus .git history). @cleandesign-contrib I can't reproduce this in current `1.18.0+dev-402` (52c2ef790). What gitea version are you referring to?

GiteaMirror commented 2025-11-02 08:42:10 -06:00

Author

Owner

Copy Link

@cleandesign-contrib commented on GitHub (Sep 8, 2022):

@noerw do you have access to the security email account for gitea? Because I have sent an email there which may or may not be related to this.

(I have confirmed the issue with two independent developers in our organization that were able to reproduce it)

@cleandesign-contrib commented on GitHub (Sep 8, 2022): @noerw do you have access to the security email account for gitea? Because I have sent an email there which may or may not be related to this. (I have confirmed the issue with two independent developers in our organization that were able to reproduce it)

GiteaMirror commented 2025-11-02 08:42:11 -06:00

Author

Owner

Copy Link

@techknowlogick commented on GitHub (Sep 8, 2022):

per your email you are using 1.15.0, this version is very out of date. please update to latest stable and try again. closing this, but please update the email thread if you still continue to receive the same issue.

@techknowlogick commented on GitHub (Sep 8, 2022): per your email you are using `1.15.0`, this version is very out of date. please update to latest stable and try again. closing this, but please update the email thread if you still continue to receive the same issue.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label issue/needs-feedback

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#9535