From 4270aaaaa07e14b4d3cfbbd1b74bf7de19222976 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: May 14 2018 16:48:11 +0000
Subject: Make API endpoint for creating new git branch have its own ACL

Basically, that API endpoint was relying on the modify_project ACL which is a public ACL so users can update descriptions of their projects. It's also an ACL that can be created with non-project specific API token thus making anyone's API token with this ACL able to create new git branches in any project. This fixes CVE: CVE-2018-1002151

Signed-off-by: Pierre-Yves Chibon
---
diff --git a/pagure/api/project.py b/pagure/api/project.py
index 70d2dcf..5272c2f 100644
--- a/pagure/api/project.py
+++ b/pagure/api/project.py
@@ -1226,7 +1226,7 @@ def api_generate_acls(repo, username=None, namespace=None):
 @API.route('/fork///git/branch', methods=['POST'])
 @API.route('/fork////git/branch', methods=['POST'])
-@api_login_required(acls=['modify_project'])
+@api_login_required(acls=['create_branch'])
 @api_method
 def api_new_branch(repo, username=None, namespace=None):
 """
@@ -1274,6 +1274,10 @@ def api_new_branch(repo, username=None, namespace=None):
 if not project:
 raise pagure.exceptions.APIError(404, error_code=APIERROR.ENOPROJECT)
 
+ if flask.g.token.project and project != flask.g.token.project:
+ raise pagure.exceptions.APIError(
+ 401, error_code=APIERROR.EINVALIDTOK)
+
 # Check if it's JSON or form data
 if flask.request.headers.get('Content-Type') == 'application/json':
 # Set force to True to ignore the mimetype. Set silent so that None is
diff --git a/pagure/default_config.py b/pagure/default_config.py
index f783cb4..1432164 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
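Review bot: The decorator swap to `acls=['create_branch']` is the right fix, but the endpoint docstring that opens on the hunk's last line runs outside the hunk, and if it names the ACL the caller needs it still says `modify_project`; it should now state that the token must carry `create_branch` and, when bound to a project, be bound to this one. Existing tokens issued with `modify_project` will start receiving authorization errors from this endpoint, which is intended, so a line in the docstring or API changelog such as `Requires the create_branch ACL (previously modify_project).` would save users a debugging round. api_new_branch continues past the end of this hunk.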
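Review bot: The new guard `if flask.g.token.project and project != flask.g.token.project:` carries no comment, and its two halves encode distinct decisions: a project-less token is waved through, while a project-bound token is confined to its own project; a comment such as `# A project-scoped token may only create branches in its own project; project-less tokens (see ADMIN_API_ACLS) pass this check.` makes the intent reviewable. The inequality compares two ORM objects, which presumably works because the same session returns the same instance, but comparing primary keys, `project.id != flask.g.token.project.id`, does not depend on that assumption. The 401/EINVALIDTOK response describes a token that authenticated correctly but is not authorised for this project, so a 403 may fit better if the API has a matching error code; the existing convention is not visible in the hunk. The check is placed before the request body is parsed, which is good. The rest of api_new_branch lies outside the hunk.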
@@ -283,6 +283,7 @@ ACLS = { 'modify_project': 'Modify an existing project', 'generate_acls_project': 'Generate the Gitolite ACLs on a project', 'commit_flag': 'Flag a commit', + 'create_branch': 'Create a git branch on a project', } # List of ACLs which a regular user is allowed to associate to an API token @@ -307,6 +308,7 @@ ADMIN_API_ACLS = [ 'pull_request_merge', 'generate_acls_project', 'commit_flag', + 'create_branch', ] # Bootstrap URLS
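Review bot: `'create_branch'` is added to `ACLS` and, in the second hunk, to `ADMIN_API_ACLS`, but the list of ACLs a regular user may attach to a token, introduced by the comment that closes the first hunk, lies outside the hunk; if that list is an explicit enumeration it needs `'create_branch'` as well, otherwise non-admin users cannot mint a token that can reach the endpoint, whereas if it is derived from `ACLS` nothing more is needed. Equally, any list of ACLs allowed on tokens that are not tied to a project must not gain this entry, because the endpoint's per-project check only fires when the token is project-bound. The ADMIN_API_ACLS addition is what lets a project-less admin token pass that check, which is worth a short comment next to the new entry, e.g. `# project-less admin tokens may create branches anywhere`.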