Description

Gogs has authorization bypass in repository deletion API

Summary

The DELETE /api/v1/repos/:owner/:repo endpoint lacks necessary permission validation middleware. Consequently, any user with read access (including read-only collaborators) can delete the entire repository.

This vulnerability stems from the API route configuration only utilizing the repoAssignment() middleware (which only verifies read access) without enforcing reqRepoOwner() or reqRepoAdmin().

Details

vulnerability location:

Vulnerable Endpoint：DELETE /api/v1/repos/:owner/:repo

Routing configuration file: internal/route/api/v1/api.go (approximately line 253)

Function handling file: internal/route/api/v1/repo/repo.go (approximately lines 320-338)

Root Cause Analysis

Code Location 1: API Route Configuration (internal/route/api/v1/api.go ~ line 253)

// 当前的路由配置（存在漏洞）
m.Delete("", repo.Delete)  // 仅继承了外层的 repoAssignment() 中间件

Code Location 2: Delete Function Implementation (internal/route/api/v1/repo/repo.go ~ lines 320-338)

// Delete 函数内部没有额外的权限检查
func Delete(c *context.APIContext) {
    // 直接执行删除操作，未验证用户是否为所有者
    if err := models.DeleteRepository(c.User.ID, c.Repo.Repository.ID); err != nil {
        c.Error(500, "DeleteRepository", err)
        return
    }
    c.Status(204)...
Show more

Missing Permission Check Comparison with route configurations for other sensitive operations:

// Webhooks 管理（正确实现）
m.Group("/hooks", func() {
    m.Combo("").
        Get(repo.ListHooks).
        Post(bind(api.CreateHookOption{}), repo.CreateHook)
}, reqRepoAdmin())  // ✅ 使用了权限中间件

// 部署密钥管理（正确实现）...
Show more

Data Flow Path

API Request Path: DELETE /api/v1/repos/:owner/:repo

Route Handling: The outer middleware repoAssignment() verifies that the user has read access (Passed).

Execution: The system directly executes the repo.Delete() function.

Permission Check: The reqRepoOwner() middleware check is missing.

Internal Validation: There is no permission validation inside the Delete() function either.

Result: Any user with read permission can delete the repository.

PoC

Prerequisites

A running Gogs instance.

The attacker's account is added as a collaborator to the target repository (Read access is sufficient).

The attacker possesses a valid API access token.

The target repository exists and is accessible.

📜 Test Steps (Bash)

Verify Gogs service is running curl -I http://localhost:10880

Create test accounts and repository

Owner account: owner / owner123456

Read-only account: victim / victim123456

Test repository: owner/delete-test

Add 'victim' as a read-only collaborator Perform this via the Web UI or API

Obtain API token for 'victim' curl -X POST http://localhost:10880/api/v1/users/victim/tokens
-u victim:victim123456
-H "Content-Type: application/json"
-d '{"name":"test-token"}'

Resource deleted

Web UI：Target repository deletion successful

📜 PoC Script

#!/bin/bash

# ============ 配置信息 ============
GOGS_URL="http://localhost:10880"
TARGET_REPO="owner/delete-test"
VICTIM_TOKEN="your_victim_read_only_token_here"

# ============ 执行攻击 ============...
Show more

Impact

Vulnerability Type: Broken Access Control (CWE-284)

Description: A critical authorization bypass vulnerability exists in the Gogs API. The access control mechanism fails to properly validate permissions for destructive operations.

Consequences: An authenticated attacker with low-level privileges (e.g., a collaborator with Read-Only access) can exploit this vulnerability to issue unauthorized DELETE requests. This allows the attacker to permanently delete entire repositories, resulting in the immediate loss of all source code, git history, issues, and wiki documentation.

Severity: This vulnerability poses a critical risk to data integrity and availability, potentially leading to irreversible data loss and significant operational disruption for affected organizations.

The Core Risk: Privilege Escalation & Data Destruction The most critical aspect of this vulnerability is the violation of the Principle of Least Privilege. It allows a user with the lowest level of access (Read-Only) to execute the most destructive action possible (Delete).

Mitigation

Aliases

References