"Protected file patterns" in Branch protections can be bypassed #33370

Closed
chrizel opened this issue Jan 23, 2025 · 1 comment · Fixed by #33298
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented type/bug

chrizel commented Jan 23, 2025

Description

I want to use "Protected file patterns" to prevent normal developers with write access to the repo from creating any commits under `~/.gitea/**` so they won't be able to create or change workflows. Like mentioned under #25423 I'm using the pattern `.gitea/**/*.*;.github/**/*.*` for this, which seems to work fine. When testing the protected file patterns logic I've found a way so a normal user can bypass it and can still change protected files.

Steps to reproduce:

  1. Create new repository
  2. Add file `hello` with dummy content and commit to `main`
  3. Go to repository settings -> Branches and add new Branch protection rule
  4. Define the following Branch protection configuration:
     • Protected Branch Name Pattern: `*`
     • Protected file patterns (separated using semicolon ';'): `hello`
     • Enable push
     • Other settings should be with default configuration
  5. Save Branch protection rule
  6. Go to the code in the `main` branch and edit the `hello` file
  7. Commit directly to the `main` branch is not possible because of the branch protection -> that's correct
  8. Now select "Create a new branch for this commit and start a pull request" at the bottom and "Commit Changes"
  9. A new branch was created with a change to `hello`, therefore bypassing the branch protection rule

Expected behavior:
I would have expected that step 8 would fail: because of the branch protection, I'm not allowed to edit the `hello` file on any branch, even on new branches. But it created the commit without any error.

The same behavior can also be reproduced with the Git CLI when pushing a new branch with a new name to Gitea. I would have expected for the branch protection rule with file patterns to reject this new branch.

Gitea Version

1.23.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Downloaded version, but it can also be reproduced with https://demo.gitea.com/

Database

MySQL/MariaDB

Zettat123 added the issue/confirmed (Issue has been reviewed and confirmed to be present or accepted to be implemented) label Jan 26, 2025

Zettat123 (Contributor) commented

This bug will be fixed by #33298

lunny added this to the 1.23.2 milestone Jan 26, 2025
lunny closed this as completed in a9577e0 Jan 28, 2025
GiteaBot pushed a commit to GiteaBot/gitea that referenced this issue Jan 28, 2025
Fix go-gitea#33265
Fix go-gitea#33370

This PR also fixes some bugs in `TestGitGeneral`.
silverwind pushed a commit that referenced this issue Feb 1, 2025
Backport #33298 by Zettat123

Fix #33265
Fix #33370

This PR also fixes some bugs in `TestGitGeneral`.

---------

Co-authored-by: Zettat123 <[email protected]>
Co-authored-by: Lunny Xiao <[email protected]>
Co-authored-by: wxiaoguang <[email protected]>
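
The behaviour the report expects, as an added Go example (not Gitea's code, and not a description of how #33298 fixes the bug): a push check that applies the protected file patterns to branch creations as well as to updates. The glob matcher is a simplification, the names `Rejected`, `matchAny` and the `changed` lookup are hypothetical, and the SHAs are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const zeroSHA = "0000000000000000000000000000000000000000"

// matchAny reports whether s matches one of the semicolon-separated globs.
// Simplified matcher (assumption, not Gitea's own): "**" crosses "/", "*" and "?" do not.
func matchAny(patterns, s string) bool {
	r := strings.NewReplacer(`\*\*`, `.*`, `\*`, `[^/]*`, `\?`, `[^/]`)
	for _, p := range strings.Split(patterns, ";") {
		if p = strings.TrimSpace(p); p != "" && regexp.MustCompile("^"+r.Replace(regexp.QuoteMeta(p))+"$").MatchString(s) {
			return true
		}
	}
	return false
}

// Rejected reads pre-receive style lines ("<old> <new> <ref>") and returns the refs to refuse.
// changed is a hypothetical lookup of paths touched per new SHA; a zero <old> is not exempt.
func Rejected(stdin, branchPat, filePats string, changed map[string][]string) []string {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(stdin), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || f[1] == zeroSHA || !strings.HasPrefix(f[2], "refs/heads/") ||
			!matchAny(branchPat, strings.TrimPrefix(f[2], "refs/heads/")) {
			continue // malformed, branch deletion, not a branch, or branch not covered
		}
		for _, path := range changed[f[1]] {
			if matchAny(filePats, path) {
				out = append(out, f[2])
				break
			}
		}
	}
	return out
}

func main() {
	// Constructed input: a newly created branch touching "hello", and an ordinary update.
	a, b := strings.Repeat("a", 40), strings.Repeat("b", 40)
	stdin := zeroSHA + " " + a + " refs/heads/patch-1\n" + a + " " + b + " refs/heads/docs\n"
	changed := map[string][]string{a: {"hello"}, b: {"README.md"}}
	fmt.Println(Rejected(stdin, "*", "hello", changed))
}
```

In a real pre-receive hook the `changed` lookup would be computed with git; for a new branch there is no old commit to diff against, so the commits to inspect are those not reachable from any existing ref.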