Getting and updating non existing hook via API results in internal server error 500 #25544

Closed
@matusf

Description

Hi, I've been fuzzing Gitea with openapi-fuzzer and found that sending a GET or PATCH request to the api/v1/admin/hooks/{id} endpoint with a non-existent hook id causes Gitea to respond with an internal server error 500 status code. I'm unable to reproduce it on try.gitea.io because those endpoints require admin privileges.

GET

request & response

curl -X GET -H "Authorization: token $TOKEN" http://127.0.0.1:3000/api/v1/admin/hooks/x
{
  "message": "webhook does not exist [id: 0]",
  "url": "http://localhost:3000/api/swagger"
}

logs

2023/06/27 23:42:05 ...pi/v1/admin/hooks.go:77:GetHook() [E] [649b57ad] GetSystemOrDefaultWebhook: webhook does not exist [id: 0]
2023/06/27 23:42:05 [649b57ad] router: completed GET /api/v1/admin/hooks/x for 127.0.0.1:37898, 500 Internal Server Error in 40.0ms @ admin/hooks.go:57(admin.GetHook)

PATCH

request & response

curl -X PATCH -H "Authorization: token $TOKEN" http://127.0.0.1:3000/api/v1/admin/hooks/x
{
  "message": "webhook does not exist [id: 0]",
  "url": "http://localhost:3000/api/swagger"
}

logs

2023/06/27 23:42:55 ...api/v1/utils/hook.go:217:EditSystemHook() [E] [649b57df] GetSystemOrDefaultWebhook: webhook does not exist [id: 0]
2023/06/27 23:42:55 [649b57df] router: completed PATCH /api/v1/admin/hooks/x for 127.0.0.1:58622, 500 Internal Server Error in 28.9ms @ admin/hooks.go:116(admin.EditHook)

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

linux

How are you running Gitea?

  • I downloaded Gitea from GitHub releases
  • I run it from command-line.
  • I did not use a package or systemd

Database

SQLite
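
The status-code mapping behind this report, as an added example that is not part of the original issue and is not Gitea's code: a handler that treats a "does not exist" lookup error as a server fault (500) next to one that classifies it as a client error (404). `ErrHookNotExist`, `lookupHook`, `getHook` and `status` are hypothetical names, and the one-hook store is constructed data.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// ErrHookNotExist is a hypothetical sentinel for the store's "webhook does not exist" error.
var ErrHookNotExist = errors.New("webhook does not exist")

// lookupHook is a hypothetical store lookup over constructed data: only id 1 exists.
func lookupHook(id int64) (string, error) {
	if id == 1 {
		return "hook-1", nil
	}
	return "", fmt.Errorf("%w [id: %d]", ErrHookNotExist, id)
}

// getHook maps lookup outcomes to status codes; buggy=true reproduces the reported 500.
func getHook(buggy bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		raw := strings.TrimPrefix(r.URL.Path, "/api/v1/admin/hooks/")
		id, _ := strconv.ParseInt(raw, 10, 64) // "x" becomes 0, consistent with "[id: 0]" in the logs
		name, err := lookupHook(id)
		switch {
		case err == nil:
			fmt.Fprintln(w, name)
		case !buggy && errors.Is(err, ErrHookNotExist):
			http.Error(w, err.Error(), http.StatusNotFound) // caller's mistake, not a server fault
		default:
			http.Error(w, err.Error(), http.StatusInternalServerError)
		}
	}
}

func status(buggy bool, path string) int {
	rec := httptest.NewRecorder()
	getHook(buggy).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	for _, p := range []string{"/api/v1/admin/hooks/1", "/api/v1/admin/hooks/x", "/api/v1/admin/hooks/999"} {
		fmt.Printf("%-26s buggy=%d fixed=%d\n", p, status(true, p), status(false, p))
	}
}
```

Keeping expected "not found" conditions out of the 5xx range also keeps error-rate alerts and error-level logs meaningful when an API is being fuzzed or scanned.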
