From 4e5aa5f3ce0f341610378b35cdc987b8a5feb4fb Mon Sep 17 00:00:00 2001 From: Jonathan Miller Date: Sun, 28 Jun 2026 02:37:49 -0500 Subject: [PATCH] fix: revert accidental secret scanning code from security fix branch The pre-receive hook had security scanning code from the wrong feature branch (feature/secret-scanning-clean). Restoring to the correct state with only upstream security cherry-picks. Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd --- routers/private/hook_pre_receive.go | 66 ++++++++++++----------------- 1 file changed, 27 insertions(+), 39 deletions(-) diff --git a/routers/private/hook_pre_receive.go b/routers/private/hook_pre_receive.go index 0da5d3a65b..f42ef69274 100644 --- a/routers/private/hook_pre_receive.go +++ b/routers/private/hook_pre_receive.go @@ -26,7 +26,6 @@ import ( "code.mokoconsulting.tech/MokoConsulting/MokoGitea/services/agit" gitea_context "code.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context" pull_service "code.mokoconsulting.tech/MokoConsulting/MokoGitea/services/pull" - security_service "code.mokoconsulting.tech/MokoConsulting/MokoGitea/services/security" ) type preReceiveContext struct { @@ -41,9 +40,6 @@ type preReceiveContext struct { canCreatePullRequest bool checkedCanCreatePullRequest bool - canWriteCode bool - checkedCanWriteCode bool - protectedTags []*git_model.ProtectedTag gotProtectedTags bool @@ -51,24 +47,36 @@ type preReceiveContext struct { opts *private.HookOptions - branchName string + // this context should only contain shared variables, mutable variables like "current branch name" shouldn't be put here + canWriteCodeUnitCached *bool } -// CanWriteCode returns true if pusher can write code -func (ctx *preReceiveContext) CanWriteCode() bool { - if !ctx.checkedCanWriteCode { - if !ctx.loadPusherAndPermission() { - return false +func (ctx *preReceiveContext) canWriteCodeUnit() bool { + if ctx.canWriteCodeUnitCached == nil { + var canWrite bool + if ctx.loadPusherAndPermission() { + canWrite = ctx.userPerm.CanWrite(unit.TypeCode) || ctx.deployKeyAccessMode >= perm_model.AccessModeWrite } - ctx.canWriteCode = issues_model.CanMaintainerWriteToBranch(ctx, ctx.userPerm, ctx.branchName, ctx.user) || ctx.deployKeyAccessMode >= perm_model.AccessModeWrite - ctx.checkedCanWriteCode = true + ctx.canWriteCodeUnitCached = &canWrite } - return ctx.canWriteCode + return *ctx.canWriteCodeUnitCached } -// AssertCanWriteCode returns true if pusher can write code -func (ctx *preReceiveContext) AssertCanWriteCode() bool { - if !ctx.CanWriteCode() { +// canWriteCodeRef returns true if pusher can write to the code ref (branch/tag/commit) +func (ctx *preReceiveContext) canWriteCodeRef(refFullName git.RefName) bool { + if ctx.canWriteCodeUnit() { + return true + } + // then check whether if the pusher is a maintainer who can write the PR author's head repo branch + if !refFullName.IsBranch() { + return false + } + return issues_model.CanMaintainerWriteToBranch(ctx, ctx.userPerm, refFullName.BranchName(), ctx.user) +} + +// assertCanWriteRef returns true if pusher can write to the code ref, otherwise it responds with 403 Forbidden and returns false +func (ctx *preReceiveContext) assertCanWriteRef(refFullName git.RefName) bool { + if !ctx.canWriteCodeRef(refFullName) { if ctx.Written() { return false } @@ -130,7 +138,7 @@ func HookPreReceive(ctx *gitea_context.PrivateContext) { case git.DefaultFeatures().SupportProcReceive && refFullName.IsFor(): preReceiveFor(ourCtx, refFullName) default: - ourCtx.AssertCanWriteCode() + ourCtx.assertCanWriteRef(refFullName) } if ctx.Written() { return @@ -142,9 +150,8 @@ func HookPreReceive(ctx *gitea_context.PrivateContext) { func preReceiveBranch(ctx *preReceiveContext, oldCommitID, newCommitID string, refFullName git.RefName) { branchName := refFullName.BranchName() - ctx.branchName = branchName - if !ctx.AssertCanWriteCode() { + if !ctx.assertCanWriteRef(refFullName) { return } @@ -152,25 +159,6 @@ func preReceiveBranch(ctx *preReceiveContext, oldCommitID, newCommitID string, r gitRepo := ctx.Repo.GitRepo objectFormat := ctx.Repo.GetObjectFormat() - if newCommitID != objectFormat.EmptyObjectID().String() { - newCommit, err := gitRepo.GetCommit(newCommitID) - if err != nil { - log.Error("Secret scan: failed to get commit %s in %-v: %v", newCommitID[:12], repo, err) - } else { - if findings := security_service.ScanPushForSecrets(ctx, repo.ID, newCommit); len(findings) > 0 { - msg := fmt.Sprintf("Push rejected: %d secret(s) detected in commit %s", len(findings), newCommitID[:12]) - for _, f := range findings { - msg += fmt.Sprintf("\n - %s in %s:%d", f.Title, f.FilePath, f.LineNumber) - } - log.Warn("Secret scan blocked push to %s in %-v: %d findings", branchName, repo, len(findings)) - ctx.JSON(http.StatusForbidden, private.Response{ - UserMsg: msg, - }) - return - } - } - } - defaultBranch := repo.DefaultBranch if ctx.opts.IsWiki && repo.DefaultWikiBranch != "" { defaultBranch = repo.DefaultWikiBranch @@ -441,7 +429,7 @@ func preReceiveBranch(ctx *preReceiveContext, oldCommitID, newCommitID string, r } func preReceiveTag(ctx *preReceiveContext, refFullName git.RefName) { - if !ctx.AssertCanWriteCode() { + if !ctx.assertCanWriteRef(refFullName) { return }