Gogs Repository Content Modification Vulnerability via Read-Only Token

Vulnerability

A vulnerability in Gogs, an open-source self-hosted Git service, allows a user holding only a read-only access token to modify repository contents. Gogs versions through 0.13.3 are affected. The endpoint 'PUT /repos/:owner/:repo/contents/*' is guarded only by 'repoAssignment()', which admits any caller with read permission on the repository; the route applies no write-permission check of its own. Once that check is passed, 'PutContents()' calls 'UpdateRepoFile()', which creates a commit and runs 'git push'. A token with read-only permission is therefore sufficient to alter repository files.

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of repository contents, allowing for source code tampering, injection of backdoors, and compromise of release artifacts and distributed packages.

Reproduction

To reproduce this vulnerability, first obtain a valid access token whose holder has only read permission on the target repository: either a public repository, or one where the user is a collaborator with read access. Then send a 'PUT' request to the '/repos/:owner/:repo/contents/*' endpoint addressing an arbitrary file. The server accepts the request, creates a commit, and performs a 'git push' on behalf of the token's user, modifying the repository content despite the read-only permission.
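The permission gap described under Vulnerability and the request described under Reproduction, modelled as an added Go example; this is example code, not Gogs' own. A small net/http server stands in for the API: 'repoAssignment' admits any token with read access (the role the advisory attributes to Gogs' function of that name), and 'reqRepoWriter' is the per-operation write check the vulnerable route lacked. The tokens, the in-memory repository, the fixed 'owner/repo' path and the middleware names are assumptions constructed for the example; the commit and 'git push' that 'UpdateRepoFile()' performs are elided. 'tryWrite' runs the reproduction step against either wiring and returns the status code and the file's content afterwards.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// accessMode models a token's permission on one repository.
type accessMode int

const (
	accessRead  accessMode = iota + 1 // the zero value means no access
	accessWrite
)

// Constructed tokens for the example; Gogs resolves real tokens from its database.
var tokens = map[string]accessMode{
	"tok-readonly": accessRead,
	"tok-writer":   accessWrite,
}

// repo is an in-memory stand-in for the repository's files.
type repo struct{ files map[string]string }

type repoHandler func(w http.ResponseWriter, r *http.Request, rp *repo, mode accessMode)

// repoAssignment plays the role the advisory attributes to Gogs' repoAssignment():
// it resolves the token and admits any caller with at least read access, for
// every HTTP method. Used alone in front of a PUT route, this is the bug.
func repoAssignment(rp *repo, next repoHandler) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "token ")
		mode, ok := tokens[tok]
		if !ok || mode < accessRead {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		next(w, r, rp, mode)
	}
}

// reqRepoWriter is the per-operation check the vulnerable route lacked:
// mutations must require write access, not merely access to the repository.
func reqRepoWriter(next repoHandler) repoHandler {
	return func(w http.ResponseWriter, r *http.Request, rp *repo, mode accessMode) {
		if mode < accessWrite {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r, rp, mode)
	}
}

// putContents stands in for PutContents() -> UpdateRepoFile(): it stores the
// request body at the addressed path (the commit and git push are elided).
func putContents(w http.ResponseWriter, r *http.Request, rp *repo, _ accessMode) {
	if r.Method != http.MethodPut {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	path := strings.TrimPrefix(r.URL.Path, "/repos/owner/repo/contents/")
	rp.files[path] = string(body)
	w.WriteHeader(http.StatusCreated)
}

// newServer wires PUT /repos/owner/repo/contents/* either as the advisory
// describes (repoAssignment only) or with the write check in front of it.
func newServer(hardened bool) (*httptest.Server, *repo) {
	rp := &repo{files: map[string]string{"README.md": "original"}}
	handler := repoHandler(putContents)
	if hardened {
		handler = reqRepoWriter(handler)
	}
	mux := http.NewServeMux()
	mux.Handle("/repos/owner/repo/contents/", repoAssignment(rp, handler))
	return httptest.NewServer(mux), rp
}

// tryWrite performs the advisory's reproduction step against the mock: PUT a file
// with the given token, then report the status code and the file's content afterwards.
func tryWrite(hardened bool, token string) (int, string) {
	srv, rp := newServer(hardened)
	defer srv.Close()
	// The URL is a constant, so NewRequest cannot fail here.
	req, _ := http.NewRequest(http.MethodPut, srv.URL+"/repos/owner/repo/contents/README.md", strings.NewReader("tampered"))
	req.Header.Set("Authorization", "token "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, rp.files["README.md"]
	}
	resp.Body.Close()
	return resp.StatusCode, rp.files["README.md"]
}
```

Against the vulnerable wiring, 'tryWrite(false, "tok-readonly")' returns 201 and the file reads "tampered"; with 'reqRepoWriter' in place the same token gets 403 and the file is untouched, while a write-capable token still succeeds. The point to carry over to a real code review is that resource-level access ('repoAssignment') and operation-level permission (read vs write) are separate checks, and every mutating route needs the second one explicitly.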

Remediation

Upgrade to Gogs 0.13.4 or 0.14.0+dev, which fix this vulnerability.

Added: Feb 6, 2026, 6:18 PM
Updated: Feb 7, 2026, 12:01 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 2.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.