
Can upload release attachment via API to a release that isn't of the repo, or user #8282

Closed
1 of 3 tasks
bobemoe opened this issue Sep 25, 2019 · 3 comments
Labels
issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented modifies/api This PR adds API routes or modifies them type/bug

Comments

@bobemoe
Contributor

bobemoe commented Sep 25, 2019

  • Gitea version (or commit ref): 1.10.0+dev-326-gc05b89a5a
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

I have 2 repos: test and onemore. In the onemore repo I have a release with ID 3281927. test has no releases.

Using the API I can upload a file to a release. This works great:

curl -X POST "https://bobemoe:<password>@try.gitea.io/api/v1/repos/bobemoe/onemore/releases/3281927/assets?name=test" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "attachment=@/home/bob/Downloads/Testing-2-150x150.png;type=image/png"

However, if I give the wrong repo name (test rather than onemore), it still uploads to the release in onemore. Maybe there should be a permission check to make sure the release is part of the repo specified:

curl -X POST "https://bobemoe:<password>@try.gitea.io/api/v1/repos/bobemoe/test/releases/3281927/assets?name=test" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "attachment=@/home/bob/Downloads/Testing-2-150x150.png;type=image/png"

Additionally, I can upload to a release that is probably owned by someone else: release 3281920!!

curl -X POST "https://bobemoe:<password>@try.gitea.io/api/v1/repos/bobemoe/test/releases/3281920/assets?name=test" -H "accept: application/json" -H "Content-Type: multipart/form-data" -F "attachment=@/home/bob/Downloads/Testing-2-150x150.png;type=image/png"

The file uploaded fine: https://try.gitea.io/attachments/182c448c-b3dc-41b0-b649-518819950ec2 but I have no idea whose repo/release that went to! cough :/

@bobemoe bobemoe changed the title Can upload release attachment to a release that isn't of the repo, or user Can upload release attachment via API to a release that isn't of the repo, or user Sep 25, 2019
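The missing check the report describes, as an added illustration in Go that is not Gitea's code: a release resolver that only verifies the path repository exists (the behaviour reported above) beside one that also requires the release to belong to that repository. Repository IDs, the other-user/private repo and the release-to-repo mapping are constructed sample data; only the release IDs and repo names come from the report.

```go
package main

import "errors"

// Constructed sample data standing in for the repositories and releases named
// in the report; this is not Gitea's data model or code.
type Release struct {
	ID, RepoID int64
}

// Repository IDs keyed by "owner/name", the two path segments of the API URL.
var repoIDs = map[string]int64{
	"bobemoe/test":       1,
	"bobemoe/onemore":    2,
	"other-user/private": 3,
}

// Release 3281927 belongs to bobemoe/onemore; 3281920 belongs to another user.
var releases = map[int64]Release{3281927: {3281927, 2}, 3281920: {3281920, 3}}

var ErrNotFound = errors.New("not found")

// UnscopedResolveRelease mirrors the behaviour the issue describes: the repo in
// the path is only checked to exist, and the release is fetched by ID alone.
func UnscopedResolveRelease(owner, name string, releaseID int64) (Release, error) {
	if _, ok := repoIDs[owner+"/"+name]; !ok {
		return Release{}, ErrNotFound
	}
	rel, ok := releases[releaseID]
	if !ok {
		return Release{}, ErrNotFound
	}
	return rel, nil
}

// ScopedResolveRelease adds the missing object-level check: the release must
// belong to the repository named in the URL. A mismatch is reported exactly
// like a nonexistent ID, so the API does not confirm that the release exists
// in some other repository.
func ScopedResolveRelease(owner, name string, releaseID int64) (Release, error) {
	repoID, ok := repoIDs[owner+"/"+name]
	if !ok {
		return Release{}, ErrNotFound
	}
	rel, ok := releases[releaseID]
	if !ok || rel.RepoID != repoID {
		return Release{}, ErrNotFound
	}
	return rel, nil
}
```

Any handler that stores or links an attachment should call the scoped resolver first; the same ownership test applies to the other per-release asset routes.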
@stale

stale bot commented Nov 24, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

@stale stale bot added the issue/stale label Nov 24, 2019
@lunny lunny added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Nov 27, 2019
@stale stale bot removed the issue/stale label Nov 27, 2019
@sapk sapk added the issue/confirmed Issue has been reviewed and confirmed to be present or accepted to be implemented label Nov 27, 2019
@sapk
Member

sapk commented Nov 27, 2019

This is addressed in #7956 but not enough time to go through it currently.
I would have to check, but the attachment would not be attached to another release, just stored without any link in this case.

@noerw noerw added modifies/api This PR adds API routes or modifies them type/bug and removed type/proposal The new feature has not been accepted yet but needs to be discussed first. labels May 30, 2021
@lunny
Member

lunny commented Feb 29, 2024

This has been resolved by #28213.

@lunny lunny closed this as completed Feb 29, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 11, 2024