aniani/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2024-11-02 08:57:32 -04:00
Code

Allow Token/Basic auth on raw paths (#15987)

Browse Source 
It appears that people have been using token authentication to navigate to raw paths
and recent changes have broken this. Whilst ideally these paths would not be being used
like this - it was not the intention to be a breaking change.

This PR restores access to these paths.

Fix #13772

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2021-05-27 19:46:11 +01:00 committed by GitHub
parent b27a9d43a5
commit 6d6a65cf5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/auth/sso/basic.go
View File

@ -51,7 +51,7 @@ func (b *Basic) IsEnabled() bool {
func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
// Basic authentication should only fire on API, Download or on Git or LFSPaths
if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
return nil
}

2
modules/auth/sso/reverseproxy.go
View File

@ -78,7 +78,7 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
}
// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
if sess.Get("uid").(int64) != user.ID {
handleSignIn(w, req, sess, user)
}

6
modules/auth/sso/sso.go
View File

@ -104,11 +104,11 @@ func isAttachmentDownload(req *http.Request) bool {
return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
}
var gitPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/))`)
var gitRawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|raw/)`)
var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
func isGitOrLFSPath(req *http.Request) bool {
if gitPathRe.MatchString(req.URL.Path) {
func isGitRawOrLFSPath(req *http.Request) bool {
if gitRawPathRe.MatchString(req.URL.Path) {
return true
}
if setting.LFS.StartServer {

16
modules/auth/sso/sso_test.go
View File

@ -12,7 +12,7 @@ import (
"code.gitea.io/gitea/modules/setting"
)
func Test_isGitOrLFSPath(t *testing.T) {
func Test_isGitRawOrLFSPath(t *testing.T) {
tests := []struct {
path string
@ -63,6 +63,10 @@ func Test_isGitOrLFSPath(t *testing.T) {
"/owner/repo/objects/pack/pack-0123456789abcdef0123456789abcdef0123456.idx",
true,
},
{
"/owner/repo/raw/branch/foo/fanaso",
true,
},
{
"/owner/repo/stars",
false,
@ -98,11 +102,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
t.Run(tt.path, func(t *testing.T) {
req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
setting.LFS.StartServer = false
if got := isGitOrLFSPath(req); got != tt.want {
if got := isGitRawOrLFSPath(req); got != tt.want {
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
}
setting.LFS.StartServer = true
if got := isGitOrLFSPath(req); got != tt.want {
if got := isGitRawOrLFSPath(req); got != tt.want {
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
}
})
@ -111,11 +115,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
t.Run(tt, func(t *testing.T) {
req, _ := http.NewRequest("POST", tt, nil)
setting.LFS.StartServer = false
if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitPathRe.MatchString(tt))
if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawPathRe.MatchString(tt))
}
setting.LFS.StartServer = true
if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
}
})