woodpecker-ci / woodpecker

Woodpecker is a simple yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0
3.88k stars 345 forks

Enhance token checking #3842

Closed anbraten closed 1 week ago

anbraten commented 1 week ago

Tokens will now always be checked for their specific types. This wasn't directly a security risk, as text was previously either a username like anbraten or a repo name like anbraten/test, and as users won't have / in their name there should be no risk that a user was able to use their token to authenticate a repo hook. New tokens are using user-id and repo-id, further minimizing the risk. However, it seems to be good practice to check the actual token type, and therefore it is now a required part of Parse and ParseRequest.

Extracted from #3822
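The kind of type check this PR describes, as an added illustration that is not Woodpecker's own code: a hypothetical Parse that verifies an HMAC signature over the claims and then rejects any token whose `type` claim differs from the one the caller expects, so a user token can no longer be presented where a hook token is required. The claim layout, the type names and the secret are assumptions for the demo, not the project's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical token types, mirroring the user/repo-hook distinction in the PR.
const (
	UserToken = "user"
	HookToken = "hook"
)

// Claims carries the token type and the id it is bound to (user-id or repo-id).
type Claims struct {
	Type string `json:"type"`
	Text string `json:"text"`
}

// sign returns a base64url HMAC-SHA256 tag over msg.
func sign(secret []byte, msg string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// New mints a token of the given type bound to id: "<payload>.<tag>".
func New(secret []byte, typ, id string) (string, error) {
	body, err := json.Marshal(Claims{Type: typ, Text: id})
	if err != nil {
		return "", err
	}
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + sign(secret, payload), nil
}

// Parse checks the signature first, then enforces the expected token type.
func Parse(secret []byte, want, tok string) (*Claims, error) {
	parts := strings.SplitN(tok, ".", 2)
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	if !hmac.Equal([]byte(sign(secret, parts[0])), []byte(parts[1])) {
		return nil, errors.New("invalid signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if c.Type != want { // the check this PR makes mandatory
		return nil, fmt.Errorf("token type %q, expected %q", c.Type, want)
	}
	return &c, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample secret
	userTok, _ := New(secret, UserToken, "42")
	_, err := Parse(secret, HookToken, userTok)
	fmt.Println("user token presented as hook token:", err)
}
```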

woodpecker-bot commented 1 week ago

Deployment of preview was torn down