Allow BASIC authentication access to /:owner/:repo/releases/download/* (#16916) (#16923)

Backport #16916

Duplicate #15987 to allow access to releases download through BASIC authentication.

Fix #16914

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2021-09-02 17:34:49 +01:00 committed by GitHub
parent 8f300781ad
commit ceae89c8c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 10 deletions

View File

@ -80,11 +80,11 @@ func isAttachmentDownload(req *http.Request) bool {
return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET" return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
} }
var gitRawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|raw/)`) var gitRawReleasePathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/))`)
var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`) var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
func isGitRawOrLFSPath(req *http.Request) bool { func isGitRawReleaseOrLFSPath(req *http.Request) bool {
if gitRawPathRe.MatchString(req.URL.Path) { if gitRawReleasePathRe.MatchString(req.URL.Path) {
return true return true
} }
if setting.LFS.StartServer { if setting.LFS.StartServer {

View File

@ -83,6 +83,10 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
"/owner/repo/commit/123456789012345678921234567893124567894", "/owner/repo/commit/123456789012345678921234567893124567894",
false, false,
}, },
{
"/owner/repo/releases/download/tag/repo.tar.gz",
true,
},
} }
lfsTests := []string{ lfsTests := []string{
"/owner/repo/info/lfs/", "/owner/repo/info/lfs/",
@ -102,11 +106,11 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
t.Run(tt.path, func(t *testing.T) { t.Run(tt.path, func(t *testing.T) {
req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil) req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
setting.LFS.StartServer = false setting.LFS.StartServer = false
if got := isGitRawOrLFSPath(req); got != tt.want { if got := isGitRawReleaseOrLFSPath(req); got != tt.want {
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
} }
setting.LFS.StartServer = true setting.LFS.StartServer = true
if got := isGitRawOrLFSPath(req); got != tt.want { if got := isGitRawReleaseOrLFSPath(req); got != tt.want {
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want) t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
} }
}) })
@ -115,11 +119,11 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
t.Run(tt, func(t *testing.T) { t.Run(tt, func(t *testing.T) {
req, _ := http.NewRequest("POST", tt, nil) req, _ := http.NewRequest("POST", tt, nil)
setting.LFS.StartServer = false setting.LFS.StartServer = false
if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer { if got := isGitRawReleaseOrLFSPath(req); got != setting.LFS.StartServer {
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawPathRe.MatchString(tt)) t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawReleasePathRe.MatchString(tt))
} }
setting.LFS.StartServer = true setting.LFS.StartServer = true
if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer { if got := isGitRawReleaseOrLFSPath(req); got != setting.LFS.StartServer {
t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer) t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
} }
}) })

View File

@ -49,7 +49,7 @@ func (b *Basic) Free() error {
// Returns nil if header is empty or validation fails. // Returns nil if header is empty or validation fails.
func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User { func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
// Basic authentication should only fire on API, Download or on Git or LFSPaths // Basic authentication should only fire on API, Download or on Git or LFSPaths
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) { if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) {
return nil return nil
} }

View File

@ -78,7 +78,7 @@ func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store Da
} }
// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session // Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) { if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) {
if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) { if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
handleSignIn(w, req, sess, user) handleSignIn(w, req, sess, user)
} }