#3057 retrieve webhook with repo_id

This prevents user retrieve arbitrary webhook by changing URL to access webhook from other unauthorized repositories.
2025-10-31 21:28:11 +09:00 · 2016-07-08 13:57:09 +08:00
parent e30c701386
commit d62ab49978
6 changed files with 9 additions and 9 deletions
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@ Gogs - Go Git Service [![Build Status](https://travis-ci.org/gogits/gogs.svg?bra

 ![](https://github.com/gogits/gogs/blob/master/public/img/gogs-large-resize.png?raw=true)

-##### Current tip version: 0.9.37 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)
+##### Current tip version: 0.9.38 (see [Releases](https://github.com/gogits/gogs/releases) for binary versions)

 | Web | UI  | Preview  |
 |:-------------:|:-------:|:-------:|
--- a/gogs.go
+++ b/gogs.go
@@ -17,7 +17,7 @@ import (
 	"github.com/gogits/gogs/modules/setting"
 )

-const APP_VER = "0.9.37.0708"
+const APP_VER = "0.9.38.0708"

 func init() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
--- a/models/webhook.go
+++ b/models/webhook.go
@@ -174,10 +174,10 @@ func CreateWebhook(w *Webhook) error {
 	return err
 }

-// GetWebhookByID returns webhook by given ID.
-func GetWebhookByID(id int64) (*Webhook, error) {
+// GetWebhookByID returns webhook of repository by given ID.
+func GetWebhookByID(repoID, id int64) (*Webhook, error) {
 	w := new(Webhook)
-	has, err := x.Id(id).Get(w)
+	has, err := x.Id(id).And("repo_id=?", repoID).Get(w)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -548,7 +548,7 @@ func (t *HookTask) deliver() {
 		}

 		// Update webhook last delivery status.
-		w, err := GetWebhookByID(t.HookID)
+		w, err := GetWebhookByID(t.RepoID, t.HookID)
 		if err != nil {
 			log.Error(5, "GetWebhookByID: %v", err)
 			return
--- a/routers/api/v1/repo/hook.go
+++ b/routers/api/v1/repo/hook.go
@@ -98,7 +98,7 @@ func CreateHook(ctx *context.APIContext, form api.CreateHookOption) {

 // https://github.com/gogits/go-gogs-client/wiki/Repositories#edit-a-hook
 func EditHook(ctx *context.APIContext, form api.EditHookOption) {
-	w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+	w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrWebhookNotExist(err) {
 			ctx.Status(404)
--- a/routers/repo/webhook.go
+++ b/routers/repo/webhook.go
@@ -220,7 +220,7 @@ func checkWebhook(ctx *context.Context) (*OrgRepoCtx, *models.Webhook) {
 	}
 	ctx.Data["BaseLink"] = orCtx.Link

-	w, err := models.GetWebhookByID(ctx.ParamsInt64(":id"))
+	w, err := models.GetWebhookByID(ctx.Repo.Repository.ID, ctx.ParamsInt64(":id"))
 	if err != nil {
 		if models.IsErrWebhookNotExist(err) {
 			ctx.Handle(404, "GetWebhookByID", nil)
--- a/templates/.VERSION
+++ b/templates/.VERSION
@@ -1 +1 @@
-0.9.37.0708
+0.9.38.0708