
Fix Gitea API unauthenticated access and upgrade to 1.26.0 #1597

Open
LukasCuperDT wants to merge 3 commits into main from fix/gitea-api-require-auth

Conversation

@LukasCuperDT (Contributor)

Security Fix

Vulnerability: GET /api/v1/repos/issues/search returns private organization data (employee names, private repo names, issue details) without authentication.

Impact: HIGH — PII exposure, private repo enumeration (88+ repos), OTC service infrastructure mapping visible to unauthenticated users.

Changes

  • Enable [api] section in app.ini.j2 (was commented out as ;[api], so settings were falling under [mailer])
  • Set REQUIRE_SIGNIN_VIEW = true in [api] section to require authentication for all API endpoints
  • Upgrade Gitea from 1.24.0 to 1.26.0 (includes security fixes: bounded PageSize in ListUnadoptedRepositories, and many bug fixes)

Files Changed

  • playbooks/roles/gitea/templates/app.ini.j2 — uncomment [api] header, set REQUIRE_SIGNIN_VIEW = true
  • inventory/service/group_vars/gitea.yaml — version 1.26.0 + new checksum
  • playbooks/roles/gitea/defaults/main.yaml — version 1.26.0 + new checksum

Testing

After merge and Ansible deployment, verify:

# Should return 401/403 instead of 200
curl -s -o /dev/null -w '%{http_code}' 'https://gitea.eco.tsi-dev.otc-service.com/api/v1/repos/issues/search'

- Enable [api] section header (was commented out as ;[api])
- Set REQUIRE_SIGNIN_VIEW = true in [api] section to prevent
  unauthenticated API access to private repository data
- Upgrade Gitea from 1.24.0 to 1.26.0 with updated checksum

Security: GET /api/v1/repos/issues/search was returning private
org data (employee names, private repo names) without authentication.
SebastianGode previously approved these changes Apr 24, 2026

The [api] REQUIRE_SIGNIN_VIEW is not effective in Gitea 1.24.0.
Setting it in [service] section forces authentication for all
access including the vulnerable /api/v1/repos/issues/search endpoint.

SebastianGode previously approved these changes Apr 24, 2026

Revert gitea_version back to 1.24.0 - version upgrade should be
done in a separate PR after proper testing.
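The thread turns on two configuration mistakes: a commented-out `;[api]` header that lets the keys below it fall into the previously opened section, and REQUIRE_SIGNIN_VIEW placed in a section other than [service], which is where Gitea documents and reads that setting (the second commit message above makes the same point). The following checker is an added example, not code from this PR, from the Ansible role it edits, or from Gitea itself. It reimplements only the ini rules needed here (`;`/`#` comments, `[name]` headers, `KEY = VALUE`, top-level keys in a default section) rather than using Gitea's own loader, and the three app.ini fragments are constructed for the example to mirror the PR's before, first-attempt and corrected states.

```python
"""Added example: lint a Gitea app.ini for a commented-out section header and
for REQUIRE_SIGNIN_VIEW living outside [service]. Minimal ini parser, not Gitea's."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
COMMENTED_SECTION_RE = re.compile(r"^[;#]\s*\[(?P<name>[^\]]+)\]\s*$")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.\-]+)\s*=\s*(?P<value>.*?)\s*$")
TRUE_VALUES = {"true", "1", "t", "yes", "y", "on"}  # go-ini style truthy spellings


@dataclass
class ParsedIni:
    sections: dict[str, dict[str, str]] = field(default_factory=dict)
    findings: list[str] = field(default_factory=list)  # parse-time warnings


def parse_gitea_ini(text: str) -> ParsedIni:
    """Parse KEY = VALUE lines into sections, recording keys that land in the
    wrong section because the header above them is commented out."""
    parsed = ParsedIni(sections={"DEFAULT": {}})
    current = "DEFAULT"          # top-level keys such as APP_NAME live here
    commented_header = None      # (line_no, name) of the last ';[section]' seen
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if m := COMMENTED_SECTION_RE.match(line):
            commented_header = (line_no, m.group("name"))
            continue
        if line[0] in ";#":      # ordinary comment
            continue
        if m := SECTION_RE.match(line):
            current = m.group("name")
            parsed.sections.setdefault(current, {})
            commented_header = None
            continue
        if m := KEY_RE.match(line):
            parsed.sections[current][m.group("key")] = m.group("value")
            if commented_header is not None:
                hdr_line, hdr_name = commented_header
                parsed.findings.append(
                    f"line {line_no}: {m.group('key')} lands in [{current}] because "
                    f"the [{hdr_name}] header at line {hdr_line} is commented out")
            continue
        parsed.findings.append(f"line {line_no}: unparseable line {raw!r}")
    return parsed


def requires_signin(parsed: ParsedIni) -> bool:
    """True only when REQUIRE_SIGNIN_VIEW is enabled in [service]; the same key in
    any other section is ignored by Gitea and so is ignored here."""
    value = parsed.sections.get("service", {}).get("REQUIRE_SIGNIN_VIEW", "false")
    return value.strip().lower() in TRUE_VALUES


def audit(text: str) -> list[str]:
    """Return the list of problems; an empty list means the config passes."""
    parsed = parse_gitea_ini(text)
    problems = list(parsed.findings)
    for section, keys in parsed.sections.items():
        if section != "service" and "REQUIRE_SIGNIN_VIEW" in keys:
            problems.append(f"REQUIRE_SIGNIN_VIEW under [{section}] has no effect; "
                            "Gitea reads it from [service]")
    if not requires_signin(parsed):
        problems.append("[service] REQUIRE_SIGNIN_VIEW is not true: anonymous callers "
                        "can still read API endpoints such as /api/v1/repos/issues/search")
    return problems


# Constructed fragments for this example, not the project's app.ini.j2.
# Before the PR: ';[api]' is commented out, so its keys fall into [mailer].
WEAK_INI = """
APP_NAME = Gitea

[mailer]
ENABLED = false

;[api]
ENABLE_SWAGGER = true
MAX_RESPONSE_ITEMS = 50

[service]
DISABLE_REGISTRATION = true
"""

# The PR's first attempt: header restored, but the key sits in [api], not [service].
MISPLACED_INI = """
[mailer]
ENABLED = false

[api]
ENABLE_SWAGGER = true
REQUIRE_SIGNIN_VIEW = true

[service]
DISABLE_REGISTRATION = true
"""

# What the later commit does: enforce sign-in from [service].
FIXED_INI = """
[api]
ENABLE_SWAGGER = true

[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = true
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("misplaced", MISPLACED_INI), ("fixed", FIXED_INI)):
        problems = audit(ini)
        print(f"{label}: {'OK' if not problems else 'FAIL'}", *problems, sep="\n  ")
```

Run against the rendered output of the Jinja2 template (for example the file Ansible writes to the host) rather than the template itself, since the checker does not evaluate Jinja2 expressions. The weak fragment yields three problems (two misplaced [api] keys plus the missing enforcement), the misplaced one two, and the fixed one none.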