Authentication mechanism absence or evasion In gogs.io/gogs
Description
Gogs has a Protected Branch Deletion Bypass in Web Interface
Summary
An access control bypass vulnerability in Gogs web interface allows any repository collaborator with Write permissions to delete protected branches (including the default branch) by sending a direct POST request, completely bypassing the branch protection mechanism. This vulnerability enables privilege escalation from Write to Admin level, allowing low-privilege users to perform dangerous operations that should be restricted to administrators only.
Although Git Hook layer correctly prevents protected branch deletion via SSH push, the web interface deletion operation does not trigger Git Hooks, resulting in complete bypass of protection mechanisms.
Details
Affected Component
File: internal/route/repo/branch.go
Function: DeleteBranchPost (lines 110-155)
Route Configuration: internal/cmd/web.go:589
m.Post("/delete/*", reqSignIn, reqRepoWriter, repo.DeleteBranchPost)
Root Cause
The DeleteBranchPost function performs the following checks when deleting a branch:
✅ User authentication (reqSignIn)
✅ Write permission check (reqRepoWriter)
✅ Branch existence verification
✅ CommitID matching (optional parameter)
❌ Missing protected branch check
❌ Missing default branch check
While the UI layer (internal/route/repo/issue.go:646-658) correctly checks protected branch status and hides the delete button, attackers can directly construct POST requests to bypass UI restrictions.
Vulnerable Code
Vulnerable implementation (internal/route/repo/branch.go:110-155):
func DeleteBranchPost(c *context.Context) { branchName := c.Params("*") commitID := c.Query("commit") defer func() { redirectTo := c.Query("redirect_to") if !tool.IsSameSiteURLPath(redirectTo) { redirectTo = c.Repo.RepoLink...
Correct implementation in Git Hook (internal/cmd/hook.go:122-125):
// check and deletion if newCommitID == git.EmptyID { fail(fmt.Sprintf("Branch '%s' is protected from deletion", branchName), "") }
Correct UI layer check (internal/route/repo/issue.go:646-658):
protectBranch, err := database.GetProtectBranchOfRepoByName(pull.BaseRepoID, pull.HeadBranch) if err != nil { if !database.IsErrBranchNotExist(err) { c.Error(err, "get protect branch of repository by name") return } } else { branchProtected = protectBranch.Protected...
PoC
Prerequisites
Have Write permissions to the target repository (collaborator or team member)
Target repository has protected branches configured (e.g., main, master, develop)
Access to Gogs web interface
Send Malicious POST Request
# Directly send DELETE request bypassing UI protection curl -X POST \ -b cookies.txt \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "_csrf=YOUR_CSRF_TOKEN" \ "https://gogs.example.com/username/repo/branches/delete/main"
Impact
Bypass branch protection mechanism: The core function of protected branches is to prevent deletion, and this vulnerability completely undermines this mechanism
Delete default branch: Can cause repository to become inaccessible (git clone/pull failures)
Bypass code review: After deleting protected branch, can push new branch bypassing Pull Request requirements
Privilege escalation: Writer permission users can perform operations that should only be allowed for Admins
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 go | 0.14.1 |
Aliases
References