Skip to content

Commit 6d6a65c

Browse files
zeripathzeripath
authored
Allow Token/Basic auth on raw paths (#15987)
It appears that people have been using token authentication to navigate to raw paths and recent changes have broken this. Whilst ideally these paths would not be being used like this - it was not the intention to be a breaking change. This PR restores access to these paths. Fix #13772 Signed-off-by: Andrew Thornton <art27@cantab.net>
1 parent b27a9d4 commit 6d6a65c

File tree

4 files changed

+15
-11
lines changed

4 files changed

+15
-11
lines changed

modules/auth/sso/basic.go

+1-1
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ func (b *Basic) IsEnabled() bool {
5151
func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
5252

5353
// Basic authentication should only fire on API, Download or on Git or LFSPaths
54-
if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
54+
if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
5555
return nil
5656
}
5757

modules/auth/sso/reverseproxy.go

+1-1
Original file line numberDiff line numberDiff line change
@@ -78,7 +78,7 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
7878
}
7979

8080
// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
81-
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
81+
if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
8282
if sess.Get("uid").(int64) != user.ID {
8383
handleSignIn(w, req, sess, user)
8484
}

modules/auth/sso/sso.go

+3-3
Original file line numberDiff line numberDiff line change
@@ -104,11 +104,11 @@ func isAttachmentDownload(req *http.Request) bool {
104104
return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
105105
}
106106

107-
var gitPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/))`)
107+
var gitRawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|raw/)`)
108108
var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
109109

110-
func isGitOrLFSPath(req *http.Request) bool {
111-
if gitPathRe.MatchString(req.URL.Path) {
110+
func isGitRawOrLFSPath(req *http.Request) bool {
111+
if gitRawPathRe.MatchString(req.URL.Path) {
112112
return true
113113
}
114114
if setting.LFS.StartServer {

modules/auth/sso/sso_test.go

+10-6
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ import (
1212
"code.gitea.io/gitea/modules/setting"
1313
)
1414

15-
func Test_isGitOrLFSPath(t *testing.T) {
15+
func Test_isGitRawOrLFSPath(t *testing.T) {
1616

1717
tests := []struct {
1818
path string
@@ -63,6 +63,10 @@ func Test_isGitOrLFSPath(t *testing.T) {
6363
"/owner/repo/objects/pack/pack-0123456789abcdef0123456789abcdef0123456.idx",
6464
true,
6565
},
66+
{
67+
"/owner/repo/raw/branch/foo/fanaso",
68+
true,
69+
},
6670
{
6771
"/owner/repo/stars",
6872
false,
@@ -98,11 +102,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
98102
t.Run(tt.path, func(t *testing.T) {
99103
req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
100104
setting.LFS.StartServer = false
101-
if got := isGitOrLFSPath(req); got != tt.want {
105+
if got := isGitRawOrLFSPath(req); got != tt.want {
102106
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
103107
}
104108
setting.LFS.StartServer = true
105-
if got := isGitOrLFSPath(req); got != tt.want {
109+
if got := isGitRawOrLFSPath(req); got != tt.want {
106110
t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
107111
}
108112
})
@@ -111,11 +115,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
111115
t.Run(tt, func(t *testing.T) {
112116
req, _ := http.NewRequest("POST", tt, nil)
113117
setting.LFS.StartServer = false
114-
if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
115-
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitPathRe.MatchString(tt))
118+
if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
119+
t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawPathRe.MatchString(tt))
116120
}
117121
setting.LFS.StartServer = true
118-
if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
122+
if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
119123
t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
120124
}
121125
})

0 commit comments

Comments
 (0)