Description
Using access tokens to clone a repo (for example in droneci) with a user with external authentication, you can block your external account because you are doing failed authentications with the token to this external authentication. Also you can send the access token as the user to the external authentication source.
The use of the external authentication source in a clone with access tokens is commented on in: #4952
Feel free to close this issue if it is considered a duplicate; I opened the issue because I think this is a problem.
- Gitea version (or commit ref): 1.7.0rc2
- Git version: 2.20.1
- Operating system: Fedora 29
- Database (use [x]):
  - PostgreSQL
  - MySQL
  - MSSQL
  - SQLite
- Can you reproduce the bug at https://try.gitea.io:
  - Yes (provide example URL)
  - No
  - Not relevant
- Log gist:
Description
When you clone a repo using access tokens, for example if you are using drone:
git clone https://{USER}:{TOKEN}@gitea.domain.org/test/test.git
If the external authentication source (for example LDAP) has an account locking mechanism you can block your password.
And if you use the other form with the x-oauth-basic as a password:
git clone https://{TOKEN}:x-oauth-basic@gitea.domain.org/test/test.git
You are not blocking the account, but you are sending the token to the external authentication source as the user. I think that this is a problem because this token will be in the logs of the external authentication system.
When you clone a repo with:
git clone https://{USER}:{TOKEN}@gitea.domain.org/test/test.git
or
git clone https://{TOKEN}:x-oauth-basic@gitea.domain.org/test/test.git
you are doing two calls:
GET /test/test.git/info/refs?service=git-upload-pack
POST /test/test.git/git-upload-pack
and with every call you are doing two authentications to the external authentication source, in total 4.
You can block your external account very quickly.
The problem is that modules/context/context.go:Contexter is executed in every HTTP request and
it's calling modules/auth/auth.go:SignedInUser, which calls models/login_source.go:UserSignIn, which does the external authentication.
If the path is a repo, routers/repo/http.go:HTTP is called, and that function calls
models/login_source.go:UserSignIn before checking if the user or password is a token.
Fix
Without doing big changes in the authentication code:
modules/auth/auth.go:SignedInUser calls SignedInID to check with IsAPIPath if this is an API path. I don't see an easy way to check if this is a repo call and do something similar with the token in SignedInID. SignedInUser is called inside a macaron middleware, Contexter, so it's called for every route. Any idea?
Change routers/repo/http.go:HTTP to check if the user or password is an access token before the call to UserSignIn.
How to reproduce:
- Use a user that validates against an external authentication source.
- Create a new private repository
- Add a new application under your profile settings
- Try to clone the repository using the application's token
git clone https://{USER}:{TOKEN}@gitea.domain.org/test/test.git
- You see four invalid authentications in the external authentication system.
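The ordering problem described in this issue, as an added Go model (not Gitea's code): `ExternalSource`, `TokenStore`, `SimulateClone` and the user "alice" with token "tok123" are constructed stand-ins, and the 2 requests × 2 authentications per clone follow the counts given above.

```go
package main

// ExternalSource stands in for an LDAP-style login source (constructed); every
// call is an attempt the real source could count toward account lockout.
type ExternalSource struct {
	Attempts int
	Users    map[string]string // user -> password
}
func (s *ExternalSource) Authenticate(user, password string) bool {
	s.Attempts++
	return password != "" && s.Users[user] == password
}

// TokenStore maps access token -> owner (constructed; a real store keys by hash).
type TokenStore map[string]string
// owner covers both URL forms: {USER}:{TOKEN} and {TOKEN}:x-oauth-basic.
func (ts TokenStore) owner(user, password string) string {
	if o, ok := ts[password]; ok {
		return o
	}
	return ts[user]
}

// Authenticate resolves one basic-auth pair to a user name ("" on failure).
// tokenFirst=false mirrors the order the issue describes (UserSignIn before the token
// check, so the token reaches the external source); tokenFirst=true is the proposed fix.
func Authenticate(user, password string, ts TokenStore, ext *ExternalSource, tokenFirst bool) string {
	if tokenFirst {
		if o := ts.owner(user, password); o != "" {
			return o
		}
	}
	if ext.Authenticate(user, password) {
		return user
	}
	if tokenFirst {
		return ""
	}
	return ts.owner(user, password)
}

// SimulateClone replays a clone's two smart-HTTP requests (info/refs, git-upload-pack), each
// authenticated twice (Contexter middleware and repo HTTP handler); returns user and external attempts.
func SimulateClone(user, password string, ts TokenStore, tokenFirst bool) (who string, attempts int) {
	ext := &ExternalSource{Users: map[string]string{"alice": "ldap-password"}}
	for i := 0; i < 4 && (i == 0 || who != ""); i++ {
		who = Authenticate(user, password, ts, ext, tokenFirst)
	}
	return who, ext.Attempts
}
```

With the current ordering both URL forms cost four external attempts per clone; with the token checked first the external source is never contacted for a valid token, and a non-token credential stops after one failed attempt.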