Merge commit from fork

Due to how `WebhookPermission.get_scopes` is written, any unhandled endpoint
will result in an empty list being returned, and thus no access control
being performed. This is the right thing for `/api/webhooks/events`, but not
so much for every other endpoint.

changelog.d/20240902_144949_roman_sec_webhooks_access_control.md

@@ -0,0 +1,4 @@
+### Security
+
+- Fixed a missing authorization vulnerability in webhook delivery endpoints
+  (<https://github.com/cvat-ai/cvat/security/advisories/GHSA-p3c9-m7jr-jxxj>)

cvat/apps/webhooks/permissions.py

@@ -58,6 +58,10 @@ def get_scopes(request, view, obj):
             ('update', 'PUT'): Scopes.UPDATE,
             ('list', 'GET'): Scopes.LIST,
             ('retrieve', 'GET'): Scopes.VIEW,
+            ('ping', 'POST'): Scopes.UPDATE,
+            ('deliveries', 'GET'): Scopes.VIEW,
+            ('retrieve_delivery', 'GET'): Scopes.VIEW,
+            ('redelivery', 'POST'): Scopes.UPDATE,
         }.get((view.action, request.method))
 
         scopes = []

tests/python/rest_api/test_webhooks_sender.py

@@ -656,6 +656,34 @@ def test_webhook_create_and_delete_comment(self, issues, jobs, tasks):
         )
 
 
+@pytest.mark.usefixtures("restore_db_per_class")
+class TestGetWebhookDeliveries:
+    def test_not_project_staff_cannot_get_webhook(self, projects, users):
+        user, project = next(
+            (user, project)
+            for user in users
+            if "user" in user["groups"]
+            for project in projects
+            if project["owner"]["id"] != user["id"]
+        )
+
+        webhook = create_webhook(["create:task"], "project", project_id=project["id"])
+        owner = next(user for user in users if user["id"] == project["owner"]["id"])
+
+        response = post_method(owner["username"], f"webhooks/{webhook['id']}/ping", {})
+        assert response.status_code == HTTPStatus.OK
+
+        delivery_id = response.json()["id"]
+
+        response = get_method(user["username"], f"webhooks/{webhook['id']}/deliveries")
+        assert response.status_code == HTTPStatus.FORBIDDEN
+
+        response = get_method(
+            user["username"], f"webhooks/{webhook['id']}/deliveries/{delivery_id}"
+        )
+        assert response.status_code == HTTPStatus.FORBIDDEN
+
+
 @pytest.mark.usefixtures("restore_db_per_function")
 class TestWebhookPing:
     def test_ping_webhook(self, projects):
@@ -680,6 +708,20 @@ def test_ping_webhook(self, projects):
             == {}
         )
 
+    def test_not_project_staff_cannot_ping(self, projects, users):
+        user, project = next(
+            (user, project)
+            for user in users
+            if "user" in user["groups"]
+            for project in projects
+            if project["owner"]["id"] != user["id"]
+        )
+
+        webhook = create_webhook(["create:task"], "project", project_id=project["id"])
+
+        response = post_method(user["username"], f"webhooks/{webhook['id']}/ping", {})
+        assert response.status_code == HTTPStatus.FORBIDDEN
+
 
 @pytest.mark.usefixtures("restore_db_per_function")
 class TestWebhookRedelivery:
@@ -727,3 +769,25 @@ def test_webhook_redelivery(self, projects):
             )
             == {}
         )
+
+    def test_not_project_staff_cannot_redeliver(self, projects, users):
+        user, project = next(
+            (user, project)
+            for user in users
+            if "user" in user["groups"]
+            for project in projects
+            if project["owner"]["id"] != user["id"]
+        )
+
+        webhook = create_webhook(["create:task"], "project", project_id=project["id"])
+        owner = next(user for user in users if user["id"] == project["owner"]["id"])
+
+        response = post_method(owner["username"], f"webhooks/{webhook['id']}/ping", {})
+        assert response.status_code == HTTPStatus.OK
+
+        delivery_id = response.json()["id"]
+
+        response = post_method(
+            user["username"], f"webhooks/{webhook['id']}/deliveries/{delivery_id}/redelivery", {}
+        )
+        assert response.status_code == HTTPStatus.FORBIDDEN