problem: internal communication requires a shared secret #12387

Open
opened 2026-05-03 01:20:08 +02:00 by Gusted · 0 comments
Gusted commented 2026-05-03 01:20:08 +02:00 (Migrated from codeberg.org)

Does your problem still exist on the latest Forgejo version?

Yes, the problem still exists (tested locally with the latest development version)

About your usage of Forgejo

Contributor of Forgejo
Member of the Forgejo security team.
Self-hosts Forgejo.
Co-Maintainer of Codeberg.org's Forgejo instance.

Problem description

This issue was created as part of https://floss.social/@forgejo/116494296646568723.


There's a list of routes that only should be accessed internally.

https://codeberg.org/forgejo/forgejo/src/commit/b6658076a96977cc1bc6d0b141d881d4589b74bf/routers/private/internal.go#L50-L85

They are not accessible unless you have the INTERNAL_TOKEN which is set in the app.ini file.

If you happen to be able to get the INTERNAL_TOKEN these routes can be accessed as they are exposed over HTTP (assuming you didn't set).

There's no real requirement for them to be exposed over HTTP, the callers of these APIs are expected to be on the same machine (CLI usage, git hooks execution).

Potential workarounds

  • Bind these routes to the loopback interface. But still requires an INTERNAL_TOKEN.
  • Listen on a UNIX (available on all platforms Forgejo supports) socket only accessible by the forgejo user. Usage of INTERNAL_TOKEN could be dropped here.

Forgejo Version

N/A

Other details about your environment (software names and versions)

N/A

Solutions

Accepted solutions to address this problem will go here
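The second workaround in the issue (serve the internal routes on a UNIX domain socket restricted to the service user, so that a shared INTERNAL_TOKEN is no longer the only thing standing between an attacker and those routes) can be shown in a few lines of Go. The following is an added illustration, not Forgejo's code: the `/api/internal/ping` route, the socket path and the helper names are assumptions made for the example. The point it demonstrates is that access control moves from a secret in app.ini to filesystem permissions on the socket, which only the owning user can open.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path/filepath"
)

// serveInternalOnUnixSocket serves the (hypothetical) internal routes on a
// UNIX domain socket at sockPath instead of a TCP port. The socket file is
// chmod'ed to 0600 so only the service user can connect; no shared token is
// involved. Callers should place the socket in a 0700 directory as well,
// because Listen creates the file before Chmod runs (umask applies until then).
func serveInternalOnUnixSocket(sockPath string) (*http.Server, error) {
	_ = os.Remove(sockPath) // clear a stale socket left by a previous run
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(sockPath, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	mux := http.NewServeMux()
	// Assumed internal route; stands in for the routes listed in internal.go.
	mux.HandleFunc("/api/internal/ping", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "pong")
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln) // returns once srv.Close() closes the listener
	return srv, nil
}

// newUnixSocketClient builds an http.Client that dials the UNIX socket for
// every request; the host part of the request URL is a placeholder.
func newUnixSocketClient(sockPath string) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
				var d net.Dialer
				return d.DialContext(ctx, "unix", sockPath)
			},
		},
	}
}

// pingInternal calls the assumed internal route over the socket and returns
// the response body.
func pingInternal(client *http.Client) (string, error) {
	resp, err := client.Get("http://internal/api/internal/ping")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// socketMode returns the mode of the socket file so callers can verify that
// the permission bits are as restrictive as intended.
func socketMode(sockPath string) (os.FileMode, error) {
	st, err := os.Stat(sockPath)
	if err != nil {
		return 0, err
	}
	return st.Mode(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "internal-sock") // created with mode 0700
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "internal.sock")
	srv, err := serveInternalOnUnixSocket(sock)
	if err != nil {
		panic(err)
	}
	defer srv.Close()
	body, err := pingInternal(newUnixSocketClient(sock))
	if err != nil {
		panic(err)
	}
	mode, _ := socketMode(sock)
	fmt.Printf("socket mode %v, response %q\n", mode.Perm(), body)
}
```

Any process running as another user gets a permission error from connect() rather than a chance to present a stolen token. Local callers such as git hooks and the CLI, which the issue notes already run on the same machine as the forgejo user, are unaffected. On Linux the server could additionally check the peer's credentials (SO_PEERCRED) per connection, which is a further layer beyond what this example shows.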
