Gogs Access Token Exposure Vulnerability

Vulnerability

In Gogs versions prior to 0.14.2, the API accepts access tokens passed as URL query parameters such as 'token' and 'access_token'. A token placed in a URL is routinely recorded in server and proxy logs, browser history, and Referer headers, so it can be exposed unintentionally. The issue arises because the API checks the query parameters for a token before checking the 'Authorization' header, so a request carrying a token that may already have leaked through one of those channels is still authenticated and processed.

Impact

Exposed access tokens can be captured from URL query parameters and reused until revoked, creating a risk of unauthorized access.

Reproduction

The vulnerability can be reproduced by sending a request to the Gogs API with an access token included in the URL query parameters. The API accepts the token, but the full URL, token included, is also written to logs and can leak through browser history or Referer headers.

Remediation

Users are advised to update to Gogs version 0.14.2 or later, where this vulnerability has been patched. Additionally, tokens should be sent in the 'Authorization' header instead of as query parameters.
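As an added example, not code from Gogs or from this advisory: a Go token lookup that mirrors the pre-0.14.2 ordering described under Vulnerability (query string consulted before the header) beside a hardened lookup that honours only the 'Authorization' header and fails closed when a token parameter appears in the query, which is the behaviour the Remediation section asks for. The function names and the "token " / "Bearer " header schemes are assumptions of this example.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Query parameter names the advisory says pre-0.14.2 Gogs honoured for tokens.
var queryTokenParams = []string{"token", "access_token"}

var (
	errMissingToken = errors.New("no token in Authorization header")
	errTokenInQuery = errors.New("token passed in URL query; send it in the Authorization header")
)

// bearerToken reads the token from the Authorization header only.
// The "token " and "Bearer " schemes are assumptions for this example.
func bearerToken(r *http.Request) (string, error) {
	h := r.Header.Get("Authorization")
	for _, scheme := range []string{"token ", "Bearer "} {
		if strings.HasPrefix(h, scheme) && len(h) > len(scheme) {
			return strings.TrimSpace(h[len(scheme):]), nil
		}
	}
	return "", errMissingToken
}

// vulnerableToken mirrors the lookup order the advisory describes: the query string
// is consulted first, so a token already sitting in logs or history is still accepted.
func vulnerableToken(r *http.Request) (string, error) {
	for _, p := range queryTokenParams {
		if t := r.URL.Query().Get(p); t != "" {
			return t, nil
		}
	}
	return bearerToken(r)
}

// hardenedToken accepts only the header and fails closed when a token parameter
// is present in the query, so a client that leaks tokens this way gets an error.
func hardenedToken(r *http.Request) (string, error) {
	for _, p := range queryTokenParams {
		if r.URL.Query().Has(p) {
			return "", errTokenInQuery
		}
	}
	return bearerToken(r)
}
```

Rejecting rather than silently ignoring the query parameter matters: a token that reached the server in a URL has already been written to the access log, so the client needs a visible error to stop doing it.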

Added: Mar 5, 2026, 7:28 PM
Updated: Mar 5, 2026, 7:49 PM

Vulnerability Rating

Custom Algorithm
  spread          3.1
  impact          0.8
  exploitability  6.8
  remediation     7.9
  relevance       3.5
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.