[security] Fix an issue with pull request preview authorization.

Pull request number was compared, but pull request owner and repository
name were not. As a result you could overwrite any preview site with
the matching PR number.

This functionality is feature-gated and there are no known usable
deployments at the moment.

V12-Ref: F-77256
This commit is contained in:
Catherine
2026-05-30 17:55:26 +00:00
parent 43088db596
commit 0849735f9e
+4
View File
@@ -619,6 +619,10 @@ func authorizeForgejoActionRun(repoURL string, forgeToken string, prNumber strin
if actionRun.PullRequest == nil {
return nil, AuthError{http.StatusUnauthorized, "workflow run not triggered by pull request"}
}
prOwner, prRepository := actionRun.PullRequest.OwnerName, actionRun.PullRequest.RepositoryName
if fmt.Sprintf("%s/%s.git", prOwner, prRepository) != parsedRepoURL.Path {
return nil, AuthError{http.StatusUnauthorized, "pull request repository does not match"}
}
if fmt.Sprintf("%d", actionRun.PullRequest.Number) != prNumber {
return nil, AuthError{http.StatusUnauthorized, "pull request number does not match"}
}