fix: guard POST keywords & allow co-maintainers to see keyword form

This addresses a severe security issue, which is omitted from this git message for obscurity purposes. Otherwise, it allows co-maintainers to see the keyword form when viewing a package they co-maintain. Closes #378 Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2022-08-15 13:57:32 -07:00 · 2022-08-15 13:57:32 -07:00 · 7a52da5587
commit 7a52da5587
parent 7b047578fd
4 changed files with 28 additions and 5 deletions
--- a/aurweb/routers/pkgbase.py
+++ b/aurweb/routers/pkgbase.py
@ -96,6 +96,12 @@ async def pkgbase_keywords(request: Request, name: str,
                           keywords: str = Form(default=str())):
    pkgbase = get_pkg_or_base(name, PackageBase)

+    approved = [pkgbase.Maintainer] + [c.User for c in pkgbase.comaintainers]
+    has_cred = creds.has_credential(request.user, creds.PKGBASE_SET_KEYWORDS,
+                                    approved=approved)
+    if not has_cred:
+        return Response(status_code=HTTPStatus.UNAUTHORIZED)
+
    # Lowercase all keywords. Our database table is case insensitive,
    # and providing CI duplicates of keywords is erroneous.
    keywords = set(k.lower() for k in keywords.split())
--- a/templates/partials/packages/details.html
+++ b/templates/partials/packages/details.html
@ -33,10 +33,10 @@
            </td>
        </tr>
    {% endif %}
-    {% if pkgbase.keywords.count() or request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer]) %}
+    {% if pkgbase.keywords.count() or request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer] + comaintainers) %}
        <tr>
            <th>{{ "Keywords" | tr }}:</th>
-            {% if request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer]) %}
+            {% if request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer] + comaintainers) %}
            <td>
                <form method="post"
                      action="/pkgbase/{{ pkgbase.Name }}/keywords"
--- a/test/test_pkgbase_routes.py
+++ b/test/test_pkgbase_routes.py
@ -1378,7 +1378,8 @@ def test_pkgbase_keywords(client: TestClient, user: User, package: Package):
    keywords = root.xpath('//a[@class="keyword"]')
    assert len(keywords) == 0

-    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    maint = package.PackageBase.Maintainer
+    cookies = {"AURSID": maint.login(Request(), "testPassword")}
    post_endpoint = f"{endpoint}/keywords"
    with client as request:
        resp = request.post(post_endpoint, data={
@ -1408,7 +1409,8 @@ def test_pkgbase_empty_keywords(client: TestClient, user: User, package: Package
    keywords = root.xpath('//a[@class="keyword"]')
    assert len(keywords) == 0

-    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    maint = package.PackageBase.Maintainer
+    cookies = {"AURSID": maint.login(Request(), "testPassword")}
    post_endpoint = f"{endpoint}/keywords"
    with client as request:
        resp = request.post(post_endpoint, data={
@ -1426,3 +1428,16 @@ def test_pkgbase_empty_keywords(client: TestClient, user: User, package: Package
    expected = ["abc", "bar", "foo", "test"]
    for i, keyword in enumerate(keywords):
        assert keyword.text.strip() == expected[i]
+
+
+def test_unauthorized_pkgbase_keywords(client: TestClient, package: Package):
+    with db.begin():
+        user = db.create(User, Username="random_user", Email="random_user",
+                         Passwd="testPassword")
+
+    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    with client as request:
+        pkgbase = package.PackageBase
+        endp = f"/pkgbase/{pkgbase.Name}/keywords"
+        response = request.post(endp, cookies=cookies)
+    assert response.status_code == HTTPStatus.UNAUTHORIZED
--- a/test/test_templates.py
+++ b/test/test_templates.py
@ -282,7 +282,8 @@ def test_package_details(user: User, package: Package):
        "git_clone_uri_anon": GIT_CLONE_URI_ANON,
        "git_clone_uri_priv": GIT_CLONE_URI_PRIV,
        "pkgbase": package.PackageBase,
-        "pkg": package
+        "pkg": package,
+        "comaintainers": [],
    })

    base = base_template("partials/packages/details.html")
@ -316,6 +317,7 @@ def test_package_details_filled(user: User, package: Package):
        "git_clone_uri_priv": GIT_CLONE_URI_PRIV,
        "pkgbase": package.PackageBase,
        "pkg": package,
+        "comaintainers": [],
        "licenses": package.package_licenses,
        "provides": package.package_relations.filter(
            PackageRelation.RelTypeID == PROVIDES_ID),