
"Protected file patterns" in Branch protections can be bypassed #33370

Closed
@chrizel

Description

I want to use "Protected file patterns" to prevent normal developers with write access to the repo from creating any commits under ~/.gitea/** so that they won't be able to create or change workflows. As mentioned in #25423, I'm using the pattern .gitea/**/*.*;.github/**/*.* for this, which seems to work fine. When testing the protected file patterns logic, I found a way for a normal user to bypass it and still change protected files.

Steps to reproduce:

  1. Create new repository
  2. Add file hello with dummy content and commit to main
  3. Go to repository settings -> Branches and add new Branch protection rule
  4. Define the following Branch protection configuration:
  • Protected Branch Name Pattern: *
  • Protected file patterns (separated using semicolon ';'): hello
  • Enable push
  • Other settings should be with default configuration
  5. Save Branch protection rule
  6. Go to the code in the main branch and edit the hello file
  7. Committing directly to the main branch is not possible because of the branch protection -> that's correct
  8. Now select "Create a new branch for this commit and start a pull request" at the bottom and "Commit Changes"
  9. A new branch was created with a change to hello, therefore bypassing the branch protection rule

Expected behavior:
I would have expected step 8 to fail: because of the branch protection, I'm not allowed to edit the hello file on any branch, even on new branches. But it created the commit without any error.

The same behavior can also be reproduced with the Git CLI when pushing a new branch with a new name to Gitea. I would have expected the branch protection rule with file patterns to reject this new branch.

Gitea Version

1.23.1

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Downloaded version, but it can also be reproduced with https://demo.gitea.com/

Database

MySQL/MariaDB
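The following is an added illustration of the behaviour described in this report; it is not code from the issue or from Gitea. It models a branch protection rule as a branch-name glob plus a semicolon-separated list of file globs, then compares two ways of applying it to a push: one that only consults the rule when the target branch already exists (a model of the reported symptom), and one that matches the rule against the branch name regardless of whether the branch exists (the behaviour the reporter expects). The type names Rule and Push, the functions matchGlob, protectedFile, checkPushByName and checkPushExistingOnly, the branch name fix-hello and the glob matcher itself are all assumptions made for the example; in particular, this toy matcher treats "**" as spanning whole path segments and keeps "*" within one segment, which is not a claim about the library Gitea uses.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Rule holds the two settings used in the report: a glob for branch names and
// the semicolon-separated list of globs for protected file paths.
type Rule struct {
	BranchPattern string
	FilePatterns  string
}

// Push is a constructed stand-in for what a pre-receive check sees.
type Push struct {
	Branch       string
	BranchExists bool     // false when the push creates the branch
	ChangedFiles []string // paths touched by the pushed commits
}

// matchGlob matches a slash-separated path against a glob. "**" matches zero
// or more whole path segments; "*", "?" and "[...]" follow path.Match and stay
// within one segment. Hypothetical helper written for this example; it is
// not the matcher Gitea uses.
func matchGlob(pattern, name string) bool {
	return matchSegments(strings.Split(pattern, "/"), strings.Split(name, "/"))
}

func matchSegments(pat, segs []string) bool {
	for len(pat) > 0 {
		if pat[0] == "**" {
			// Let "**" absorb 0..len(segs) segments and try the remainder.
			for i := 0; i <= len(segs); i++ {
				if matchSegments(pat[1:], segs[i:]) {
					return true
				}
			}
			return false
		}
		if len(segs) == 0 {
			return false
		}
		// A malformed pattern counts as "no match", never as a wildcard.
		if ok, err := path.Match(pat[0], segs[0]); err != nil || !ok {
			return false
		}
		pat, segs = pat[1:], segs[1:]
	}
	return len(segs) == 0
}

// protectedFile returns the first changed file matching one of the rule's
// file patterns.
func protectedFile(r Rule, files []string) (string, bool) {
	for _, expr := range strings.Split(r.FilePatterns, ";") {
		expr = strings.TrimSpace(expr)
		if expr == "" {
			continue
		}
		for _, f := range files {
			if matchGlob(expr, f) {
				return f, true
			}
		}
	}
	return "", false
}

// checkPushByName applies every rule whose branch glob matches the target
// branch name, whether or not that branch already exists. This is what the
// report expects to happen.
func checkPushByName(rules []Rule, p Push) error {
	for _, r := range rules {
		if !matchGlob(r.BranchPattern, p.Branch) {
			continue
		}
		if f, ok := protectedFile(r, p.ChangedFiles); ok {
			return fmt.Errorf("push to %q rejected: %q matches protected pattern %q", p.Branch, f, r.FilePatterns)
		}
	}
	return nil
}

// checkPushExistingOnly models the symptom in the report: the file pattern
// check only runs when the target branch already exists, so a push that
// creates a branch is never checked. A model of the behaviour, not Gitea's code.
func checkPushExistingOnly(rules []Rule, p Push) error {
	if !p.BranchExists {
		return nil
	}
	return checkPushByName(rules, p)
}

func main() {
	// Constructed inputs mirroring the report: rule "*" with pattern "hello".
	rules := []Rule{{BranchPattern: "*", FilePatterns: "hello"}}
	toMain := Push{Branch: "main", BranchExists: true, ChangedFiles: []string{"hello"}}
	toNew := Push{Branch: "fix-hello", BranchExists: false, ChangedFiles: []string{"hello"}}
	fmt.Println("existing-only, main:      ", checkPushExistingOnly(rules, toMain))
	fmt.Println("existing-only, new branch:", checkPushExistingOnly(rules, toNew))
	fmt.Println("by-name, new branch:      ", checkPushByName(rules, toNew))
}
```

The difference between the two checks is the whole point of the report: a rule keyed on the branch name pattern can only protect files if it is evaluated against the name the push targets, not against the set of branches that exist before the push. The same matcher also shows why the workflow pattern from #25423 works as a file pattern: ".gitea/**/*.*" matches ".gitea/workflows/ci.yml" and ".gitea/ci.yml" but not "docs/ci.yml".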

Labels

issue/confirmed (Issue has been reviewed and confirmed to be present or accepted to be implemented), type/bug