fix(sec): Forgejo Actions web routes (#6844)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6844 Reviewed-by: 0ko <0ko@noreply.codeberg.org>
This commit is contained in:
Earl Warren
commit
b44b5fa63e
16 changed files with 396 additions and 42 deletions
|
|
@ -282,27 +282,22 @@ func UpdateRunner(ctx context.Context, r *ActionRunner, cols ...string) error {
|
|||
}
|
||||
|
||||
// DeleteRunner deletes a runner by given ID.
|
||||
func DeleteRunner(ctx context.Context, id int64) error {
|
||||
runner, err := GetRunnerByID(ctx, id)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
func DeleteRunner(ctx context.Context, r *ActionRunner) error {
|
||||
// Replace the UUID, which was either based on the secret's first 16 bytes or an UUIDv4,
|
||||
// with a sequence of 8 0xff bytes followed by the little-endian version of the record's
|
||||
// identifier. This will prevent the deleted record's identifier from colliding with any
|
||||
// new record.
|
||||
b := make([]byte, 8)
|
||||
binary.LittleEndian.PutUint64(b, uint64(id))
|
||||
runner.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
|
||||
binary.LittleEndian.PutUint64(b, uint64(r.ID))
|
||||
r.UUID = fmt.Sprintf("ffffffff-ffff-ffff-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
|
||||
b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7])
|
||||
|
||||
err = UpdateRunner(ctx, runner, "UUID")
|
||||
err := UpdateRunner(ctx, r, "UUID")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
_, err = db.DeleteByID[ActionRunner](ctx, id)
|
||||
_, err = db.DeleteByID[ActionRunner](ctx, r.ID)
|
||||
return err
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ func TestDeleteRunner(t *testing.T) {
|
|||
require.NoError(t, unittest.PrepareTestDatabase())
|
||||
before := unittest.AssertExistsAndLoadBean(t, &ActionRunner{ID: recordID})
|
||||
|
||||
err := DeleteRunner(db.DefaultContext, recordID)
|
||||
err := DeleteRunner(db.DefaultContext, &ActionRunner{ID: recordID})
|
||||
require.NoError(t, err)
|
||||
|
||||
var after ActionRunner
|
||||
|
|
|
|||
|
|
@ -86,7 +86,7 @@ func FindVariables(ctx context.Context, opts FindVariablesOpts) ([]*ActionVariab
|
|||
}
|
||||
|
||||
func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error) {
|
||||
count, err := db.GetEngine(ctx).ID(variable.ID).Cols("name", "data").
|
||||
count, err := db.GetEngine(ctx).ID(variable.ID).Where("owner_id = ? AND repo_id = ?", variable.OwnerID, variable.RepoID).Cols("name", "data").
|
||||
Update(&ActionVariable{
|
||||
Name: variable.Name,
|
||||
Data: variable.Data,
|
||||
|
|
@ -94,11 +94,9 @@ func UpdateVariable(ctx context.Context, variable *ActionVariable) (bool, error)
|
|||
return count != 0, err
|
||||
}
|
||||
|
||||
func DeleteVariable(ctx context.Context, id int64) error {
|
||||
if _, err := db.DeleteByID[ActionVariable](ctx, id); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
func DeleteVariable(ctx context.Context, variableID, ownerID, repoID int64) (bool, error) {
|
||||
count, err := db.GetEngine(ctx).Table("action_variable").Where("id = ? AND owner_id = ? AND repo_id = ?", variableID, ownerID, repoID).Delete()
|
||||
return count != 0, err
|
||||
}
|
||||
|
||||
func GetVariablesOfRun(ctx context.Context, run *ActionRun) (map[string]string, error) {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue