Skip to content

Commit

Permalink
fixed vulnerabilities on deleting release (#399)
Browse files Browse the repository at this point in the history
  • Loading branch information
@lunny
lunny authored Dec 16, 2016
1 parent 8aeeed0 commit 15c3d14
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 2 deletions.
9 changes: 8 additions & 1 deletion models/release.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ func UpdateRelease(gitRepo *git.Repository, rel *Release) (err error) {
}

// DeleteReleaseByID deletes a release and corresponding Git tag by given ID.
func DeleteReleaseByID(id int64) error {
func DeleteReleaseByID(id int64, u *User) error {
rel, err := GetReleaseByID(id)
if err != nil {
return fmt.Errorf("GetReleaseByID: %v", err)
Expand All @@ -200,6 +200,13 @@ func DeleteReleaseByID(id int64) error {
return fmt.Errorf("GetRepositoryByID: %v", err)
}

has, err := HasAccess(u, repo, AccessModeWrite)
if err != nil {
return fmt.Errorf("HasAccess: %v", err)
} else if !has {
return fmt.Errorf("DeleteReleaseByID: permission denied")
}

_, stderr, err := process.ExecDir(-1, repo.RepoPath(),
fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID),
"git", "tag", "-d", rel.TagName)
Expand Down
2 changes: 1 addition & 1 deletion routers/repo/release.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -296,7 +296,7 @@ func EditReleasePost(ctx *context.Context, form auth.EditReleaseForm) {

// DeleteRelease delete a release
func DeleteRelease(ctx *context.Context) {
if err := models.DeleteReleaseByID(ctx.QueryInt64("id")); err != nil {
if err := models.DeleteReleaseByID(ctx.QueryInt64("id"), ctx.User); err != nil {
ctx.Flash.Error("DeleteReleaseByID: " + err.Error())
} else {
ctx.Flash.Success(ctx.Tr("repo.release.deletion_success"))
Expand Down

0 comments on commit 15c3d14

Please sign in to comment.