
repo: improve authz for resources (#8119)

https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7
ᴊᴏᴇ ᴄʜᴇɴ 1 周之前
父节点
当前提交
1b226ca48d
共有 3 个文件被更改,包括 61 次插入1 次删除
  1. 22 0
      internal/route/api/v1/repo/issue_comment.go
  2. 17 1
      internal/route/api/v1/repo/key.go
  3. 22 0
      internal/route/repo/issue.go

+ 22 - 0
internal/route/api/v1/repo/issue_comment.go

@@ -88,6 +88,17 @@ func EditIssueComment(c *context.APIContext, form api.EditIssueCommentOption) {
 		return
 	}
 
+	issue, err := database.GetIssueByID(comment.IssueID)
+	if err != nil {
+		c.NotFoundOrError(err, "get issue by ID")
+		return
+	}
+
+	if issue.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
 		c.Status(http.StatusForbidden)
 		return
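Review bot: The repository-scoping guard added here is copied verbatim into DeleteIssueComment (next hunk) and into UpdateCommentContent and DeleteComment in internal/route/repo/issue.go, so the rule "a comment ID from the URL must belong to the repository being served" now lives in four handlers, and any future handler that resolves a comment by ID can omit it without anything failing. Consider moving the lookup behind one helper — e.g. a database-layer `GetCommentByIDInRepo(repoID, commentID int64)`, or a route-level helper that loads the comment and its issue and compares `issue.RepoID` with `c.Repo.Repository.ID` — and have all four handlers call it, so the check is enforced in one place. Answering a cross-repository ID with `c.NotFound()` rather than 403 is the right choice since it does not confirm that the comment exists; a short why-comment such as `// The comment ID comes from the URL; reject it unless its issue lives in the repository being served.` would record that intent for the next maintainer. EditIssueComment's body begins and ends outside this hunk, so the preceding comment lookup and the later update path were not reviewed.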
@@ -112,6 +123,17 @@ func DeleteIssueComment(c *context.APIContext) {
 		return
 	}
 
+	issue, err := database.GetIssueByID(comment.IssueID)
+	if err != nil {
+		c.NotFoundOrError(err, "get issue by ID")
+		return
+	}
+
+	if issue.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if c.User.ID != comment.PosterID && !c.Repo.IsAdmin() {
 		c.Status(http.StatusForbidden)
 		return

+ 17 - 1
internal/route/api/v1/repo/key.go

@@ -45,6 +45,11 @@ func GetDeployKey(c *context.APIContext) {
 		return
 	}
 
+	if key.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if err = key.GetContent(); err != nil {
 		c.Error(err, "get content")
 		return
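Review bot: The new `key.RepoID != c.Repo.Repository.ID` test guards a key that was fetched by bare ID (the fetch is above this hunk and not visible here), and the same guard is repeated in DeleteDeploykey in the next hunk; the lookup and the ownership check are separable, which is how the original bypass arose. A database-layer accessor scoped to the repository, e.g. `GetDeployKeyByRepo(repoID, keyID int64)` that returns the not-found error when the row belongs to another repository, would let both handlers do a single call and make an unscoped lookup stand out in review. Until then a one-line comment on the check, `// Deploy key IDs are global; only serve keys that belong to this repository.`, documents why a 404 is returned here. GetDeployKey's body starts outside this hunk.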
@@ -94,7 +99,18 @@ func CreateDeployKey(c *context.APIContext, form api.CreateKeyOption) {
 
 // https://github.com/gogs/go-gogs-client/wiki/Repositories-Deploy-Keys#remove-a-deploy-key
 func DeleteDeploykey(c *context.APIContext) {
-	if err := database.DeleteDeployKey(c.User, c.ParamsInt64(":id")); err != nil {
+	key, err := database.GetDeployKeyByID(c.ParamsInt64(":id"))
+	if err != nil {
+		c.NotFoundOrError(err, "get deploy key by ID")
+		return
+	}
+
+	if key.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
+	if err := database.DeleteDeployKey(c.User, key.ID); err != nil {
 		if database.IsErrKeyAccessDenied(err) {
 			c.ErrorStatus(http.StatusForbidden, errors.New("You do not have access to this key"))
 		} else {
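Review bot: The `if err := database.DeleteDeployKey(c.User, key.ID); err != nil` line redeclares `err` in the `if` scope even though the function now has an `err` from `key, err := database.GetDeployKeyByID(...)` a few lines above; the shadow is harmless today but `go vet`'s shadow analyzer will flag it and it invites a later assignment to the wrong variable. Reuse the existing variable instead: `if err = database.DeleteDeployKey(c.User, key.ID); err != nil {`. Passing `key.ID` rather than the raw URL parameter is a sound choice, as the ID has already been validated against the repository at that point. DeleteDeploykey's body continues past the end of this hunk.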

+ 22 - 0
internal/route/repo/issue.go

@@ -926,6 +926,17 @@ func UpdateCommentContent(c *context.Context) {
 		return
 	}
 
+	issue, err := database.GetIssueByID(comment.IssueID)
+	if err != nil {
+		c.NotFoundOrError(err, "get issue by ID")
+		return
+	}
+
+	if issue.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
 		c.NotFound()
 		return
@@ -959,6 +970,17 @@ func DeleteComment(c *context.Context) {
 		return
 	}
 
+	issue, err := database.GetIssueByID(comment.IssueID)
+	if err != nil {
+		c.NotFoundOrError(err, "get issue by ID")
+		return
+	}
+
+	if issue.RepoID != c.Repo.Repository.ID {
+		c.NotFound()
+		return
+	}
+
 	if c.UserID() != comment.PosterID && !c.Repo.IsAdmin() {
 		c.NotFound()
 		return