Improper authorization control for web services in gogs.io/gogs

Description

Gogs Allows Cross-Repository Comment Deletion via DeleteComment

IDOR: Cross-Repository Comment Deletion via DeleteComment

Summary

The POST /:owner/:repo/issues/comments/:id/delete endpoint does not verify that the comment belongs to the repository specified in the URL. This allows a repository administrator to delete comments from any other repository by supplying arbitrary comment IDs, bypassing authorization controls.

Vulnerability Details


Root Cause

The vulnerability exists due to insufficient authorization validation in the comment deletion flow:

1. Missing Repository Ownership Check in DeleteComment

In internal/route/repo/issue.go, the function retrieves a comment by ID without verifying repository ownership:

func DeleteComment(c *context.Context) {
    comment, err := database.GetCommentByID(c.ParamsInt64(":id"))
    if err != nil {
        c.NotFoundOrError(err, "get comment by ID")
        return
    }

    // Only checks if user is comment poster OR admin of the CURRENT repo (from URL)...

2. Database Layer Performs No Authorization

In internal/database/comment.go, the deletion function performs no repository validation:

func DeleteCommentByID(doer *User, id int64) error {
    comment, err := GetCommentByID(id)
    if err != nil {
        if IsErrCommentNotExist(err) {
            return nil
        }
        return err
    }...

Proof of Concept

Prerequisites

    Two users: Alice (attacker) and Bob (victim)

    Alice is admin of alice/attacker-repo

    Bob has created an issue with a comment on bob/victim-repo

    The attacker needs the ID of a comment in the victim's repository (e.g., ID 42)

HTTP Request

POST /alice/attacker-repo/issues/comments/42/delete HTTP/1.1
Host: gogs.example.com
Cookie: i_like_gogs=<alice_session_token>

Mitigation
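The missing check the advisory points at, as an added example that is not Gogs's own code: the original handler's rule (poster, or admin of the repository named in the URL) is kept as posterOrRepoAdmin, and fixedCheck first resolves the comment's issue and refuses when that issue lives in a different repository. The User, Repository, Issue and Comment types and the in-memory issues map are stand-ins constructed for the example, not the project's schema.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal stand-ins for the Gogs types involved (hypothetical, not the project's schema).
type User struct{ ID int64 }
type Repository struct {
	ID     int64
	Admins map[int64]bool // user IDs with admin rights on this repository
}
type Issue struct{ ID, RepoID int64 }
type Comment struct{ ID, IssueID, PosterID int64 }
var (
	ErrNotFound  = errors.New("comment not found in this repository")
	ErrForbidden = errors.New("not allowed to delete this comment")
)

// posterOrRepoAdmin is the only rule the original handler applied: the doer wrote the
// comment, or is an admin of the repository named in the URL. Nothing ties the comment
// to that repository, so an admin of any repo passes for any comment ID.
func posterOrRepoAdmin(doer *User, urlRepo *Repository, comment *Comment) bool {
	return doer.ID == comment.PosterID || urlRepo.Admins[doer.ID]
}

// fixedCheck resolves the comment's issue and refuses when that issue belongs to a
// different repository than the one in the URL; a mismatch is reported as not-found so
// the handler does not confirm that the comment exists. Only then is the old rule applied.
func fixedCheck(doer *User, urlRepo *Repository, comment *Comment, issues map[int64]*Issue) error {
	issue, ok := issues[comment.IssueID]
	if !ok || issue.RepoID != urlRepo.ID {
		return ErrNotFound
	}
	if !posterOrRepoAdmin(doer, urlRepo, comment) {
		return ErrForbidden
	}
	return nil
}

func main() {
	alice, bob := &User{ID: 1}, &User{ID: 2}
	attackerRepo := &Repository{ID: 10, Admins: map[int64]bool{alice.ID: true}}
	victimRepo := &Repository{ID: 20, Admins: map[int64]bool{bob.ID: true}}
	issues := map[int64]*Issue{100: {ID: 100, RepoID: victimRepo.ID}}
	c42 := &Comment{ID: 42, IssueID: 100, PosterID: bob.ID} // lives on bob/victim-repo
	fmt.Println(posterOrRepoAdmin(alice, attackerRepo, c42))  // true: the IDOR from the PoC
	fmt.Println(fixedCheck(alice, attackerRepo, c42, issues)) // comment not found in this repository
	fmt.Println(fixedCheck(bob, victimRepo, c42, issues))     // <nil>
}
```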
