Skip to content

security: prevent deletion of protected and default branches via web UI#8124

Merged
unknwon merged 3 commits intomainfrom
fix/ghsa-2c6v-8r3v-gh6p
Jan 31, 2026
Merged

security: prevent deletion of protected and default branches via web UI#8124
unknwon merged 3 commits intomainfrom
fix/ghsa-2c6v-8r3v-gh6p

Conversation

@unknwon
Copy link
Member

@unknwon unknwon commented Jan 31, 2026
edited
Loading

Summary

  • Prevent deletion of protected branches via web UI POST request bypass
  • Prevent deletion of the default branch via web UI

Details

The DeleteBranchPost function in internal/route/repo/branch.go did not check if a branch is protected or is the default branch before allowing deletion. While the UI correctly hides the delete button for protected branches (in internal/route/repo/issue.go:641-654), attackers could bypass this by sending direct POST requests to /branches/delete/<branch>.

This vulnerability allows any repository collaborator with Write permissions to:

  • Delete protected branches (bypassing branch protection)
  • Delete the default branch (potentially causing repository access issues)

Changes

Added two checks before allowing branch deletion:

  1. Check if the branch is the repository's default branch
  2. Check if the branch has protection enabled via GetProtectBranchOfRepoByName

Also added the corresponding translation keys for the error messages.

Test plan

  • Verify normal branch deletion still works for non-protected, non-default branches
  • Verify attempting to delete the default branch returns an error
  • Verify attempting to delete a protected branch returns an error
  • Verify the error messages are displayed correctly

References

🤖 Generated with Claude Code

@unknwon @claude
security: prevent deletion of protected and default branches via web UI
717c037 
The DeleteBranchPost function did not check if a branch is protected or
is the default branch before allowing deletion. While the UI correctly
hides the delete button for protected branches, attackers could bypass
this by sending direct POST requests.

Added checks to prevent deletion of:
- The repository's default branch
- Branches with protection enabled

Ref: GHSA-2c6v-8r3v-gh6p

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@unknwon unknwon added this to the 0.14.0 milestone Jan 31, 2026
unknwon and others added 2 commits January 31, 2026 12:35
@unknwon @claude
fix: use consistent 'branches.' prefix for translation keys
8085015 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@unknwon @claude
chore: remove redundant comments
52f0599 
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@unknwon unknwon merged commit 7b7e38c into main Jan 31, 2026
11 checks passed
@unknwon unknwon deleted the fix/ghsa-2c6v-8r3v-gh6p branch January 31, 2026 17:51
@GoVulnBot GoVulnBot mentioned this pull request Feb 17, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

0.14.0

Development

Successfully merging this pull request may close these issues.

1 participant

@unknwon