Skip to content

fix(container): bind blob upload sessions to their creator#38242

Open
lunny wants to merge 3 commits into
go-gitea:mainfrom
lunny:lunny/fix_package_upload_creator
Open

fix(container): bind blob upload sessions to their creator#38242
lunny wants to merge 3 commits into
go-gitea:mainfrom
lunny:lunny/fix_package_upload_creator

Conversation

@lunny

@lunny lunny commented Jun 28, 2026

Copy link
Copy Markdown
Member

Summary

Bind container registry blob upload sessions to the authenticated user who created them.

Previously, blob upload session operations (GET, PATCH, PUT, DELETE) looked up the upload only by UUID. This meant that if a valid in-progress upload UUID was disclosed, another authenticated user could operate on that session as long as they had write access to their own registry namespace.

This change stores the upload creator on package_blob_upload and requires all blob upload session lookups to match both the session UUID and the authenticated user.

Changes

  • add creator_id to package_blob_upload
  • store the authenticated user when creating a blob upload session
  • require id + creator_id to resolve blob upload sessions
  • enforce this check for all blob upload session endpoints:
    • GET /blobs/uploads/<uuid>
    • PATCH /blobs/uploads/<uuid>
    • PUT /blobs/uploads/<uuid>
    • DELETE /blobs/uploads/<uuid>
  • add a migration for the new column
  • add regression coverage to ensure one user cannot access another user's upload session

Impact

This fixes an authorization gap in container registry blob upload session handling.

The issue affects only in-progress upload sessions and requires prior knowledge of a valid upload UUID. Because the UUID is a high-entropy random value, practical exploitability depends on disclosure through another channel rather than direct guessing. For that reason, this is best assessed as a medium-severity issue rather than a high-severity cross-namespace write primitive.

Compatibility

Existing completed package blobs and manifests are not affected.

Pre-upgrade in-progress blob upload sessions do not have creator ownership information and will no longer be resumable after upgrade. This is expected, since package_blob_upload stores transient upload state only.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 28, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes an authorization gap in the container registry’s blob upload sessions by binding each in-progress upload UUID to the authenticated user who created it, preventing other authenticated users from operating on a leaked UUID in their own namespace.

Changes:

  • Add creator_id to package_blob_upload and persist the authenticated creator when a blob upload session is created.
  • Require (uuid, creator_id) to resolve blob upload sessions across GET/PATCH/PUT/DELETE session endpoints.
  • Add regression coverage ensuring a second user cannot operate on another user’s upload session UUID, plus a migration + migration test for the new column.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
tests/integration/api_packages_container_test.go Adds cross-user regression checks ensuring leaked upload UUIDs can’t be used by another authenticated user.
services/packages/container/blob_uploader.go Threads creatorID through blob uploader construction to enforce ownership on session loads.
routers/api/packages/container/container.go Stores creator on session creation and enforces creator match on all blob upload session endpoints.
models/packages/package_blob_upload.go Adds CreatorID to the model and updates create/get APIs to include creator binding.
models/migrations/v1_27/v343.go Adds migration to introduce the creator_id column for blob uploads.
models/migrations/v1_27/v343_test.go Adds migration test coverage for the new creator_id column.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread models/migrations/v1_27/v343_test.go Outdated
Comment on lines +33 to +40
func Test_AddCreatorIDToPackageBlobUpload(t *testing.T) {
x, deferable := migrationtest.PrepareTestEnv(t, 0, new(packageBlobUploadBeforeV342))
defer deferable()

_, err := x.Insert(&packageBlobUploadBeforeV342{
ID: "test-upload",
BytesReceived: 12,
})
Comment on lines +23 to +31
type packageBlobUploadAfterV342 struct {
ID string `xorm:"pk"`
CreatorID int64 `xorm:"INDEX NOT NULL DEFAULT 0"`
BytesReceived int64 `xorm:"NOT NULL DEFAULT 0"`
}

func (packageBlobUploadAfterV342) TableName() string {
return "package_blob_upload"
}

require.NoError(t, AddCreatorIDToPackageBlobUpload(x))

var pbu packageBlobUploadAfterV342
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. type/bug

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants