Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test if LFS object is accessible #16865

Merged
merged 3 commits into from
Aug 31, 2021
Merged

Test if LFS object is accessible #16865

merged 3 commits into from
Aug 31, 2021

Conversation

KN4CK3R
Copy link
Member

@KN4CK3R KN4CK3R commented Aug 29, 2021

This PR adds a accessibility check before linking LFS objects between repositories.

@6543 6543 added type/bug topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! labels Aug 29, 2021
@6543 6543 added this to the 1.16.0 milestone Aug 29, 2021
zeripath
zeripath reviewed Aug 29, 2021
View reviewed changes
services/lfs/server.go
ctx.Resp.WriteHeader(http.StatusOK)
return

uploadOrVerify := func() error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be better to just unfold this.

Although it would require some slight duplication of error messages we'd be able to work out from the error where the problem occurred much more easily.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Aug 29, 2021
@codecov-commenter
Copy link

Codecov Report

❗ No coverage uploaded for pull request base (main@d985d4b). Click here to learn what that means.
The diff coverage is 56.25%.

Impacted file tree graph

@@           Coverage Diff           @@
##             main   #16865   +/-   ##
=======================================
  Coverage        ?   45.46%           
=======================================
  Files           ?      762           
  Lines           ?    86125           
  Branches        ?        0           
=======================================
  Hits            ?    39161           
  Misses          ?    40651           
  Partials        ?     6313
Impacted Files Coverage Δ
services/lfs/server.go 68.40% <56.25%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d985d4b...6a6ce8a. Read the comment docs.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Aug 30, 2021
6543
6543 approved these changes Aug 31, 2021
View reviewed changes
Copy link
Member

@6543 6543 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

backportable patch - but we should refactor aka unfold!

@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Aug 31, 2021
@zeripath zeripath merged commit 2bb3200 into go-gitea:main Aug 31, 2021
@zeripath
Copy link
Contributor

please send backport

6543 pushed a commit to 6543-forks/gitea that referenced this pull request Aug 31, 2021
@KN4CK3R @6543
Test if LFS object is accessible (go-gitea#16865)
396cee3 
* Test if object is accessible.

* Added more logging.
@6543 6543 mentioned this pull request Aug 31, 2021
Merged
@6543
Copy link
Member

6543 commented Aug 31, 2021

-> #16904

@6543 6543 added the backport/done All backports for this PR have been created label Aug 31, 2021
6543 added a commit that referenced this pull request Aug 31, 2021
@6543 @KN4CK3R
Test if LFS object is accessible (#16865) (#16904)
cbe3ca5 
* Test if object is accessible.

* Added more logging.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
zeripath added a commit to zeripath/gitea that referenced this pull request Sep 2, 2021
@zeripath
Changelog 1.15.1
979b1ad 
## [1.15.1](https://github.com/go-gitea/gitea/releases/tag/v1.15.1) - 2021-09-02

* BUGFIXES
  * Allow BASIC authentication access to /:owner/:repo/releases/download/* (go-gitea#16916) (go-gitea#16923)
  * Prevent leave changes dialogs due to autofill fields (go-gitea#16912) (go-gitea#16920)
  * Ignore review comment when ref commit is missed (go-gitea#16905) (go-gitea#16919)
  * Fix wrong attachment removal (go-gitea#16915) (go-gitea#16917)
  * Gitlab Migrator: dont ignore reactions of last request (go-gitea#16903) (go-gitea#16913)
  * Correctly return the number of Repositories for Organizations (go-gitea#16807) (go-gitea#16911)
  * Test if LFS object is accessible (go-gitea#16865) (go-gitea#16904)
  * Fix git.Blob.DataAsync(): close pipe since we return a NopCloser (go-gitea#16899) (go-gitea#16900)
  * Fix dump and restore respository (go-gitea#16698) (go-gitea#16898)
  * Repare and Improve GetDiffRangeWithWhitespaceBehavior (go-gitea#16894) (go-gitea#16895)
  * Fix wiki raw commit diff/patch view (go-gitea#16891) (go-gitea#16892)
  * Ensure wiki repos are all closed (go-gitea#16886) (go-gitea#16888)
  * List limited and private orgs if authenticated on API (go-gitea#16866) (go-gitea#16879)
  * Simplify split diff view generation and remove JS dependency (go-gitea#16775) (go-gitea#16863)
  * Ensure that the default visibility is set on the user create page (go-gitea#16845) (go-gitea#16862)
  * In Render tolerate not being passed a context (go-gitea#16842) (go-gitea#16858)
  * Upgrade xorm to v1.2.2 (go-gitea#16663) & Add test to ensure that dumping of login sources remains correct (go-gitea#16847) (go-gitea#16848)
  * Report the correct number of pushes on the feeds (go-gitea#16811) (go-gitea#16822)
  * Add primary_key to issue_index (go-gitea#16813) (go-gitea#16820)
  * Prevent NPE on empty commit (go-gitea#16812) (go-gitea#16819)
  * Fix branch pagination error (go-gitea#16805) (go-gitea#16816)
  * Add missing return to handleSettingRemoteAddrError (go-gitea#16794) (go-gitea#16795)
  * Remove spurious / from issues.opened_by (go-gitea#16793)
  * Ensure that template compilation panics are sent to the logs (go-gitea#16788) (go-gitea#16792)
  * Update caddyserver/certmagic (go-gitea#16789) (go-gitea#16790)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Sep 2, 2021
Merged
zeripath added a commit that referenced this pull request Sep 2, 2021
@zeripath
Changelog 1.15.1 (#16925)
3365611 
## [1.15.1](https://github.com/go-gitea/gitea/releases/tag/v1.15.1) - 2021-09-02

* BUGFIXES
  * Allow BASIC authentication access to /:owner/:repo/releases/download/* (#16916) (#16923)
  * Prevent leave changes dialogs due to autofill fields (#16912) (#16920)
  * Ignore review comment when ref commit is missed (#16905) (#16919)
  * Fix wrong attachment removal (#16915) (#16917)
  * Gitlab Migrator: dont ignore reactions of last request (#16903) (#16913)
  * Correctly return the number of Repositories for Organizations (#16807) (#16911)
  * Test if LFS object is accessible (#16865) (#16904)
  * Fix git.Blob.DataAsync(): close pipe since we return a NopCloser (#16899) (#16900)
  * Fix dump and restore respository (#16698) (#16898)
  * Repare and Improve GetDiffRangeWithWhitespaceBehavior (#16894) (#16895)
  * Fix wiki raw commit diff/patch view (#16891) (#16892)
  * Ensure wiki repos are all closed (#16886) (#16888)
  * List limited and private orgs if authenticated on API (#16866) (#16879)
  * Simplify split diff view generation and remove JS dependency (#16775) (#16863)
  * Ensure that the default visibility is set on the user create page (#16845) (#16862)
  * In Render tolerate not being passed a context (#16842) (#16858)
  * Upgrade xorm to v1.2.2 (#16663) & Add test to ensure that dumping of login sources remains correct (#16847) (#16848)
  * Report the correct number of pushes on the feeds (#16811) (#16822)
  * Add primary_key to issue_index (#16813) (#16820)
  * Prevent NPE on empty commit (#16812) (#16819)
  * Fix branch pagination error (#16805) (#16816)
  * Add missing return to handleSettingRemoteAddrError (#16794) (#16795)
  * Remove spurious / from issues.opened_by (#16793)
  * Ensure that template compilation panics are sent to the logs (#16788) (#16792)
  * Update caddyserver/certmagic (#16789) (#16790)

Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath added a commit to zeripath/gitea that referenced this pull request Sep 2, 2021
@zeripath
Changelog 1.15.1 (go-gitea#16925)
ef53521 
## [1.15.1](https://github.com/go-gitea/gitea/releases/tag/v1.15.1) - 2021-09-02

* BUGFIXES
  * Allow BASIC authentication access to /:owner/:repo/releases/download/* (go-gitea#16916) (go-gitea#16923)
  * Prevent leave changes dialogs due to autofill fields (go-gitea#16912) (go-gitea#16920)
  * Ignore review comment when ref commit is missed (go-gitea#16905) (go-gitea#16919)
  * Fix wrong attachment removal (go-gitea#16915) (go-gitea#16917)
  * Gitlab Migrator: dont ignore reactions of last request (go-gitea#16903) (go-gitea#16913)
  * Correctly return the number of Repositories for Organizations (go-gitea#16807) (go-gitea#16911)
  * Test if LFS object is accessible (go-gitea#16865) (go-gitea#16904)
  * Fix git.Blob.DataAsync(): close pipe since we return a NopCloser (go-gitea#16899) (go-gitea#16900)
  * Fix dump and restore respository (go-gitea#16698) (go-gitea#16898)
  * Repare and Improve GetDiffRangeWithWhitespaceBehavior (go-gitea#16894) (go-gitea#16895)
  * Fix wiki raw commit diff/patch view (go-gitea#16891) (go-gitea#16892)
  * Ensure wiki repos are all closed (go-gitea#16886) (go-gitea#16888)
  * List limited and private orgs if authenticated on API (go-gitea#16866) (go-gitea#16879)
  * Simplify split diff view generation and remove JS dependency (go-gitea#16775) (go-gitea#16863)
  * Ensure that the default visibility is set on the user create page (go-gitea#16845) (go-gitea#16862)
  * In Render tolerate not being passed a context (go-gitea#16842) (go-gitea#16858)
  * Upgrade xorm to v1.2.2 (go-gitea#16663) & Add test to ensure that dumping of login sources remains correct (go-gitea#16847) (go-gitea#16848)
  * Report the correct number of pushes on the feeds (go-gitea#16811) (go-gitea#16822)
  * Add primary_key to issue_index (go-gitea#16813) (go-gitea#16820)
  * Prevent NPE on empty commit (go-gitea#16812) (go-gitea#16819)
  * Fix branch pagination error (go-gitea#16805) (go-gitea#16816)
  * Add missing return to handleSettingRemoteAddrError (go-gitea#16794) (go-gitea#16795)
  * Remove spurious / from issues.opened_by (go-gitea#16793)
  * Ensure that template compilation panics are sent to the logs (go-gitea#16788) (go-gitea#16792)
  * Update caddyserver/certmagic (go-gitea#16789) (go-gitea#16790)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Sep 2, 2021
Merged
techknowlogick pushed a commit that referenced this pull request Sep 2, 2021
@zeripath
Changelog 1.15.1 (#16925) (#16929)
33af0c3 
## [1.15.1](https://github.com/go-gitea/gitea/releases/tag/v1.15.1) - 2021-09-02

* BUGFIXES
  * Allow BASIC authentication access to /:owner/:repo/releases/download/* (#16916) (#16923)
  * Prevent leave changes dialogs due to autofill fields (#16912) (#16920)
  * Ignore review comment when ref commit is missed (#16905) (#16919)
  * Fix wrong attachment removal (#16915) (#16917)
  * Gitlab Migrator: dont ignore reactions of last request (#16903) (#16913)
  * Correctly return the number of Repositories for Organizations (#16807) (#16911)
  * Test if LFS object is accessible (#16865) (#16904)
  * Fix git.Blob.DataAsync(): close pipe since we return a NopCloser (#16899) (#16900)
  * Fix dump and restore respository (#16698) (#16898)
  * Repare and Improve GetDiffRangeWithWhitespaceBehavior (#16894) (#16895)
  * Fix wiki raw commit diff/patch view (#16891) (#16892)
  * Ensure wiki repos are all closed (#16886) (#16888)
  * List limited and private orgs if authenticated on API (#16866) (#16879)
  * Simplify split diff view generation and remove JS dependency (#16775) (#16863)
  * Ensure that the default visibility is set on the user create page (#16845) (#16862)
  * In Render tolerate not being passed a context (#16842) (#16858)
  * Upgrade xorm to v1.2.2 (#16663) & Add test to ensure that dumping of login sources remains correct (#16847) (#16848)
  * Report the correct number of pushes on the feeds (#16811) (#16822)
  * Add primary_key to issue_index (#16813) (#16820)
  * Prevent NPE on empty commit (#16812) (#16819)
  * Fix branch pagination error (#16805) (#16816)
  * Add missing return to handleSettingRemoteAddrError (#16794) (#16795)
  * Remove spurious / from issues.opened_by (#16793)
  * Ensure that template compilation panics are sent to the logs (#16788) (#16792)
  * Update caddyserver/certmagic (#16789) (#16790)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@KN4CK3R KN4CK3R deleted the fix-lfs-upload branch September 6, 2021 18:28
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@6543 6543 6543 approved these changes

@zeripath zeripath zeripath approved these changes

Assignees
No one assigned
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.16.0
Development

Successfully merging this pull request may close these issues.
5 participants
@KN4CK3R @codecov-commenter @zeripath @6543 @GiteaBot