admin: use POST to run operations (#5997)

* admin: use POST to run operations

Fixed CSRF reported by Wenxu Wu of Tencent's Xuanwu Lab.

* Update CHANGELOG

Author: unknwon

CHANGELOG.md

@@ -40,6 +40,7 @@ All notable changes to Gogs are documented in this file.
 - [Security] Potential ability to delete files outside a repository.
 - [Security] Potential ability to set primary email on others' behalf from their verified emails.
 - [Security] Potential XSS attack via `.ipynb`. [#5170](https://github.com/gogs/gogs/issues/5170)
+- [Security] Potential CSRF attack in admin panel. [#5367](https://github.com/gogs/gogs/issues/5367)
 - [Security] Potential RCE on mirror repositories. [#5767](https://github.com/gogs/gogs/issues/5767)
 - [Security] Potential XSS attack with raw markdown API. [#5907](https://github.com/gogs/gogs/pull/5907)
 - Open/close milestone redirects to a 404 page. [#5677](https://github.com/gogs/gogs/issues/5677)

conf/locale/locale_en-US.ini

@@ -1034,6 +1034,7 @@ dashboard.system_status = System Monitor Status
 dashboard.statistic_info = GIN database has <b>%d</b> users, <b>%d</b> organizations, <b>%d</b> public keys, <b>%d</b> repositories, <b>%d</b> watches, <b>%d</b> stars, <b>%d</b> actions, <b>%d</b> accesses, <b>%d</b> issues, <b>%d</b> comments, <b>%d</b> social accounts, <b>%d</b> follows, <b>%d</b> mirrors, <b>%d</b> releases, <b>%d</b> login sources, <b>%d</b> webhooks, <b>%d</b> milestones, <b>%d</b> labels, <b>%d</b> hook tasks, <b>%d</b> teams, <b>%d</b> update tasks, <b>%d</b> attachments.
 dashboard.operation_name = Operation Name
 dashboard.operation_switch = Switch
+dashboard.select_operation_to_run = Please select operation to run
 dashboard.operation_run = Run
 dashboard.clean_unbind_oauth = Clean unbound OAuthes
 dashboard.clean_unbind_oauth_success = All unbind OAuthes have been deleted successfully.

internal/assets/conf/conf_gen.go

@@ -280,7 +280,7 @@ func runWeb(c *cli.Context) error {
 
 	// ***** START: Admin *****
 	m.Group("/admin", func() {
-		m.Get("", admin.Dashboard)
+		m.Combo("").Get(admin.Dashboard).Post(admin.Operation) // "/admin"
 		m.Get("/config", admin.Config)
 		m.Post("/config/test_mail", admin.SendTestMail)
 		m.Get("/monitor", admin.Monitor)

internal/assets/templates/templates_gen.go

@@ -11,7 +11,6 @@ import (
 	"time"
 
 	"github.com/json-iterator/go"
-	"github.com/unknwon/com"
 
 	"github.com/G-Node/gogs/internal/conf"
 	"github.com/G-Node/gogs/internal/context"
@@ -110,68 +109,11 @@ func updateSystemStatus() {
 	sysStatus.NumGC = m.NumGC
 }
 
-// Operation types.
-type AdminOperation int
-
-const (
-	CLEAN_INACTIVATE_USER AdminOperation = iota + 1
-	CLEAN_REPO_ARCHIVES
-	CLEAN_MISSING_REPOS
-	GIT_GC_REPOS
-	SYNC_SSH_AUTHORIZED_KEY
-	SYNC_REPOSITORY_HOOKS
-	REINIT_MISSING_REPOSITORY
-	REBUILD_SEARCH_INDEX
-)
-
 func Dashboard(c *context.Context) {
 	c.Title("admin.dashboard")
 	c.PageIs("Admin")
 	c.PageIs("AdminDashboard")
 
-	// Run operation.
-	op, _ := com.StrTo(c.Query("op")).Int()
-	if op > 0 {
-		var err error
-		var success string
-
-		switch AdminOperation(op) {
-		case CLEAN_INACTIVATE_USER:
-			success = c.Tr("admin.dashboard.delete_inactivate_accounts_success")
-			err = db.DeleteInactivateUsers()
-		case CLEAN_REPO_ARCHIVES:
-			success = c.Tr("admin.dashboard.delete_repo_archives_success")
-			err = db.DeleteRepositoryArchives()
-		case CLEAN_MISSING_REPOS:
-			success = c.Tr("admin.dashboard.delete_missing_repos_success")
-			err = db.DeleteMissingRepositories()
-		case GIT_GC_REPOS:
-			success = c.Tr("admin.dashboard.git_gc_repos_success")
-			err = db.GitGcRepos()
-		case SYNC_SSH_AUTHORIZED_KEY:
-			success = c.Tr("admin.dashboard.resync_all_sshkeys_success")
-			err = db.RewriteAuthorizedKeys()
-		case SYNC_REPOSITORY_HOOKS:
-			success = c.Tr("admin.dashboard.resync_all_hooks_success")
-			err = db.SyncRepositoryHooks()
-		case REINIT_MISSING_REPOSITORY:
-			success = c.Tr("admin.dashboard.reinit_missing_repos_success")
-			err = db.ReinitMissingRepositories()
-		case REBUILD_SEARCH_INDEX:
-			// TODO: Add success message to locale files
-			success = "All repositories have been submitted to the indexing service successfully."
-			err = db.RebuildIndex()
-		}
-
-		if err != nil {
-			c.Flash.Error(err.Error())
-		} else {
-			c.Flash.Success(success)
-		}
-		c.RedirectSubpath("/admin")
-		return
-	}
-
 	c.Data["GitVersion"] = conf.Git.Version
 	c.Data["GoVersion"] = runtime.Version()
 	c.Data["BuildTime"] = conf.BuildTime
@@ -184,6 +126,55 @@ func Dashboard(c *context.Context) {
 	c.Success(DASHBOARD)
 }
 
+// Operation types.
+type AdminOperation int
+
+const (
+	CleanInactivateUser AdminOperation = iota + 1
+	CleanRepoArchives
+	CleanMissingRepos
+	GitGCRepos
+	SyncSSHAuthorizedKey
+	SyncRepositoryHooks
+	ReinitMissingRepository
+)
+
+func Operation(c *context.Context) {
+	var err error
+	var success string
+	switch AdminOperation(c.QueryInt("op")) {
+	case CleanInactivateUser:
+		success = c.Tr("admin.dashboard.delete_inactivate_accounts_success")
+		err = db.DeleteInactivateUsers()
+	case CleanRepoArchives:
+		success = c.Tr("admin.dashboard.delete_repo_archives_success")
+		err = db.DeleteRepositoryArchives()
+	case CleanMissingRepos:
+		success = c.Tr("admin.dashboard.delete_missing_repos_success")
+		err = db.DeleteMissingRepositories()
+	case GitGCRepos:
+		success = c.Tr("admin.dashboard.git_gc_repos_success")
+		err = db.GitGcRepos()
+	case SyncSSHAuthorizedKey:
+		success = c.Tr("admin.dashboard.resync_all_sshkeys_success")
+		err = db.RewriteAuthorizedKeys()
+	case SyncRepositoryHooks:
+		success = c.Tr("admin.dashboard.resync_all_hooks_success")
+		err = db.SyncRepositoryHooks()
+	case ReinitMissingRepository:
+		success = c.Tr("admin.dashboard.reinit_missing_repos_success")
+		err = db.ReinitMissingRepositories()
+	}
+
+	if err != nil {
+		c.Flash.Error(err.Error())
+	} else {
+		c.Flash.Success(success)
+	}
+	c.RedirectSubpath("/admin")
+	return
+}
+
 func SendTestMail(c *context.Context) {
 	emailAddr := c.Query("email")
 	// Send a test email to the user's email address and redirect back to Config