

GiteaBotlunny
andauthored
fix: Add missed token scope checking (#37735) (#37757)
Backport of #37735 by @lunny. Follow-up to #37698. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
1 parent 58597cc commit 9c0ad82

2 files changed

Lines changed: 51 additions & 3 deletions


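--- a/routers/web/repo/repo.go
+++ b/routers/web/repo/repo.go
@@ -364,6 +364,10 @@ func RedirectDownload(ctx *context.Context) {
 
 // Download an archive of a repository
 func Download(ctx *context.Context) {
+	if !checkDownloadTokenScope(ctx) {
+		return
+	}
+
 	aReq, err := archiver_service.NewRequest(ctx.Repo.Repository, ctx.Repo.GitRepo, ctx.PathParam("*"), ctx.FormStrings("path"))
 	if err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
@@ -389,6 +393,10 @@ func Download(ctx *context.Context) {
 // a request that's already in-progress, but the archiver service will just
 // kind of drop it on the floor if this is the case.
 func InitiateDownload(ctx *context.Context) {
+	if !checkDownloadTokenScope(ctx) {
+		return
+	}
+
 	paths := ctx.FormStrings("path")
 	if setting.Repository.StreamArchives || len(paths) > 0 {
 		ctx.JSON(http.StatusOK, map[string]any{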
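Review bot: The scope guard is added per handler, which is the same pattern that let these two archive endpoints be missed in the first place (the commit title says as much); attaching `checkDownloadTokenScope` once to the archive route group in the router would stop a future archive handler from skipping it. If the per-handler form is kept, the two identical guards at the top of `Download` and `InitiateDownload` should carry a comment on why they run before any archiver work, e.g. `// Reject tokens without repository read scope before the archiver is touched.` I am assuming `checkDownloadTokenScope` writes the 403 itself when it returns false, as the new test expects; if it only returns the verdict, these bare early returns would answer with an empty 200. `RedirectDownload`, whose body ends just above the first hunk, gets no guard here; if it can serve an archive directly rather than redirecting into `Download`, it needs the same check. Both `Download` and `InitiateDownload` continue past their hunks.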

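--- a/tests/integration/download_test.go
+++ b/tests/integration/download_test.go
@@ -17,6 +17,7 @@ import (
 
 type downloadScopeCase struct {
 	name string
+	method string
 	url string
 	withScope int
 	publicOnlyOK bool
@@ -88,68 +89,107 @@ func TestDownloadRepoContentTokenScopes(t *testing.T) {
 	publicOnlyToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadRepository, auth_model.AccessTokenScopePublicOnly)
 
 	cases := []downloadScopeCase{
+		{
+			name: "PublicArchiveDownload",
+			method: http.MethodGet,
+			url: "/user2/repo1/archive/master.tar.gz",
+			withScope: http.StatusOK,
+			publicOnlyOK: true,
+		},
+		{
+			name: "PrivateArchiveDownload",
+			method: http.MethodGet,
+			url: "/user2/repo2/archive/master.tar.gz",
+			withScope: http.StatusOK,
+			publicOnlyOK: false,
+		},
+		{
+			name: "PublicArchiveInitiate",
+			method: http.MethodPost,
+			url: "/user2/repo1/archive/master.tar.gz",
+			withScope: http.StatusOK,
+			publicOnlyOK: true,
+		},
+		{
+			name: "PrivateArchiveInitiate",
+			method: http.MethodPost,
+			url: "/user2/repo2/archive/master.tar.gz",
+			withScope: http.StatusOK,
+			publicOnlyOK: false,
+		},
 		{
 			name: "PublicRawBlob",
+			method: http.MethodGet,
 			url: "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PublicRawBranch",
+			method: http.MethodGet,
 			url: "/user2/repo1/raw/branch/master/README.md",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PublicRawTag",
+			method: http.MethodGet,
 			url: "/user2/repo1/raw/tag/v1.1/README.md",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PublicRawCommit",
+			method: http.MethodGet,
 			url: "/user2/repo1/raw/commit/65f1bf27bc3bf70f64657658635e66094edbcb4d/README.md",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PublicMediaBlob",
+			method: http.MethodGet,
 			url: "/user2/repo1/media/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PublicMediaBranch",
+			method: http.MethodGet,
 			url: "/user2/repo1/media/branch/master/README.md",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PublicMediaTag",
+			method: http.MethodGet,
 			url: "/user2/repo1/media/tag/v1.1/README.md",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PublicMediaCommit",
+			method: http.MethodGet,
 			url: "/user2/repo1/media/commit/65f1bf27bc3bf70f64657658635e66094edbcb4d/README.md",
 			withScope: http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name: "PrivateRawBranch",
+			method: http.MethodGet,
 			url: "/user2/repo2/raw/branch/master/test.xml",
 			withScope: http.StatusOK,
 			publicOnlyOK: false,
 		},
 		{
 			name: "PrivateRawBlob",
+			method: http.MethodGet,
 			url: "/user2/repo2/raw/blob/6395b68e1feebb1e4c657b4f9f6ba2676a283c0b",
 			withScope: http.StatusOK,
 			publicOnlyOK: false,
 		},
 		{
 			name: "PrivateMediaBranch",
+			method: http.MethodGet,
 			url: "/user2/repo2/media/branch/master/test.xml",
 			withScope: http.StatusOK,
 			publicOnlyOK: false,
@@ -158,14 +198,14 @@ func TestDownloadRepoContentTokenScopes(t *testing.T) {
 
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(miscToken), http.StatusForbidden)
-			MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(ownerReadToken), tc.withScope)
+			MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(miscToken), http.StatusForbidden)
+			MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(ownerReadToken), tc.withScope)
 
 			publicOnlyStatus := http.StatusForbidden
 			if tc.publicOnlyOK {
 				publicOnlyStatus = tc.withScope
 			}
-			MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(publicOnlyToken), publicOnlyStatus)
+			MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(publicOnlyToken), publicOnlyStatus)
 		})
 	}
 }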
