Check the token's owner and repository when registering a runner (#30406) (#30412)

Zettat123 · web-flow · commit 55990ebf9240 · 2024-04-11T11:29:53.000Z
Backport #30406 Fix #30378
diff --git a/models/organization/org.go b/models/organization/org.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"strings"
 
+	actions_model "code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -401,6 +402,8 @@ func DeleteOrganization(ctx context.Context, org *Organization) error {
 		&TeamUnit{OrgID: org.ID},
 		&TeamInvite{OrgID: org.ID},
 		&secret_model.Secret{OwnerID: org.ID},
+		&actions_model.ActionRunner{OwnerID: org.ID},
+		&actions_model.ActionRunnerToken{OwnerID: org.ID},
 	); err != nil {
 		return fmt.Errorf("DeleteBeans: %w", err)
 	}
diff --git a/routers/api/actions/runner/runner.go b/routers/api/actions/runner/runner.go
@@ -9,6 +9,8 @@ import (
 	"net/http"
 
 	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/actions"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/util"
@@ -54,6 +56,18 @@ func (s *Service) Register(
 		return nil, errors.New("runner registration token has been invalidated, please use the latest one")
 	}
 
+	if runnerToken.OwnerID > 0 {
+		if _, err := user_model.GetUserByID(ctx, runnerToken.OwnerID); err != nil {
+			return nil, errors.New("owner of the token not found")
+		}
+	}
+
+	if runnerToken.RepoID > 0 {
+		if _, err := repo_model.GetRepositoryByID(ctx, runnerToken.RepoID); err != nil {
+			return nil, errors.New("repository of the token not found")
+		}
+	}
+
 	labels := req.Msg.Labels
 	// TODO: agent_labels should be removed from pb after Gitea 1.20 released.
 	// Old version runner's agent_labels slice is not empty and labels slice is empty.
diff --git a/services/repository/delete.go b/services/repository/delete.go
@@ -164,6 +164,7 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, uid, r
 		&actions_model.ActionScheduleSpec{RepoID: repoID},
 		&actions_model.ActionSchedule{RepoID: repoID},
 		&actions_model.ActionArtifact{RepoID: repoID},
+		&actions_model.ActionRunnerToken{RepoID: repoID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %w", err)
 	}
diff --git a/services/user/delete.go b/services/user/delete.go
@@ -92,6 +92,7 @@ func deleteUser(ctx context.Context, u *user_model.User, purge bool) (err error)
 		&pull_model.ReviewState{UserID: u.ID},
 		&user_model.Redirect{RedirectUserID: u.ID},
 		&actions_model.ActionRunner{OwnerID: u.ID},
+		&actions_model.ActionRunnerToken{OwnerID: u.ID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -164,6 +164,7 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, uid, r`
`164`	`164`	`&actions_model.ActionScheduleSpec{RepoID: repoID},`
`165`	`165`	`&actions_model.ActionSchedule{RepoID: repoID},`
`166`	`166`	`&actions_model.ActionArtifact{RepoID: repoID},`
	`167`	`+ &actions_model.ActionRunnerToken{RepoID: repoID},`
`167`	`168`	`); err != nil {`
`168`	`169`	`return fmt.Errorf("deleteBeans: %w", err)`
`169`	`170`	`}`
Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@ func deleteUser(ctx context.Context, u *user_model.User, purge bool) (err error)`
`92`	`92`	`&pull_model.ReviewState{UserID: u.ID},`
`93`	`93`	`&user_model.Redirect{RedirectUserID: u.ID},`
`94`	`94`	`&actions_model.ActionRunner{OwnerID: u.ID},`
	`95`	`+ &actions_model.ActionRunnerToken{OwnerID: u.ID},`
`95`	`96`	`); err != nil {`
`96`	`97`	`return fmt.Errorf("deleteBeans: %w", err)`
`97`	`98`	`}`