Security audit of Forgejo reveals numerous critical vulnerabilities
By
jvoisin
Summary
Security researcher Julien Voisin (jvoisin) conducted a security audit of Forgejo, the Git hosting platform that Fedora recently migrated to from Pagure. The audit revealed numerous critical security vulnerabilities including Server-Side Request Forgery (SSRF) in many places, lack of Content Security Policy (CSP) and Trusted-Types, insecure JavaScript templating, cryptographic malpractices, flaws in authentication mechanisms (OAuth2, OTP, session/access handling, post-compromise recovery), denial-of-service vulnerabilities, information leaks, and Time-of-Check Time-of-Use (TOCTOU) issues. The researcher found a significant number of vulnerabilities in just one evening of work.
Key quotes
The results aren't pretty to be honest: SSRF in a lot of places, no CSP/Trusted-Types, a bit of ghetto templating in javascript, cryptographic malpractices, overlooks in the authentication mechanisms (OAuth2, OTP, sessions/access handling, post-compromise recovery, …), a bunch of low-hanging DoS, information leaks all over the place, various TOCTOU, …
All in all, it took me one evening after work to find a good amount of vulnerabilities (adding to the one I go
