GOGS/Gitea Fix Critical API Auth By-Pass

I subscribe to updates from the forums and wasn’t alerted to this critical issue.

Manasseh Zhou reported a critical session bypass issue in the go-marcaron framework which impacts Gogs 0.11.86 @ 2019-01-30 and Gitea < 1.5.4.
Because of missing access checks; an attacker can log into any account and run arbitrary commands on an effected server.

This was reported as CVE-2018-18926 and CVE-2018-18925
Manasseh provides a detailed breakdown of the issue on his site.

Gogs and Gitea users should update immediately to the latest release.

On a side note; I’m concerned about the timeline here. This issue was first reported to the Gogs project in late 2018 and opened as a github issue in Aug. of 2019 which finally got the attention of unknwon and was resolved two days later. Gitea fixed this issue in Oct. of 2018.
I will be looking into other tools to internally host our git repositories.

Moving from gitolite to gogs

Problem: You have a ton of git repositories in gitolite and you’d like to switch to the github-esq gui provided by gogs.

Gogs is super easy to get setupĀ and has thoughtfully added tools which make it useful for a private intranet type setup. It has not however come up with a great way of mass-importing git repositories from another tool.

The web interface include a “migration” tool which can be completed one at a time. I had 150 git repos to migrate so I added a repo and then polked at the database

Gogs also uses bare repositories just like gitolite. Loading them into gogs is as easy as rsync’ing them into the gogs-repo directory and adding some rows to the gogs database so gogs knows how to administer them.

I made a script to help me with that task. Note I’m using mysql as my database and my repos default to private.

With this, it took about a second to import all these repos. I did find one other person who had batch imported repos and chose to do it with curl but I couldn’t get it to work. All in all, it took about 4 days to figure out how to get gogs setup and get all the repos into it. Hopefully this script makes that process much quicker for you.