Improved git http semantics and repo obfuscation (#94)

This commit is contained in:
Thomas Miceli 2023-09-07 11:46:34 +02:00 committed by GitHub
parent 3e83700fc2
commit 977fc9db28
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -47,30 +47,28 @@ func gitHttp(ctx echo.Context) error {
gist := getData(ctx, "gist").(*db.Gist) gist := getData(ctx, "gist").(*db.Gist)
// Shows basic auth if : isInfoRefs := strings.HasSuffix(route.gitUrl, "/info/refs$")
// - user wants to push the gist
// - user wants to clone a private gist isPull := ctx.QueryParam("service") == "git-upload-pack" ||
// - gist is not found (obfuscation)
// - admin setting to require login is set to true
noAuth := (ctx.QueryParam("service") == "git-upload-pack" ||
strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") || strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") ||
ctx.Request().Method == "GET") && ctx.Request().Method == "GET" && !isInfoRefs
gist.Private != 2 &&
gist.ID != 0 &&
!getData(ctx, "RequireLogin").(bool)
repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid) repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid)
if _, err := os.Stat(repositoryPath); os.IsNotExist(err) { if _, err := os.Stat(repositoryPath); os.IsNotExist(err) {
if err != nil { if err != nil {
log.Info().Err(err).Msg("Repository directory does not exist")
return errorRes(404, "Repository directory does not exist", err) return errorRes(404, "Repository directory does not exist", err)
} }
} }
ctx.Set("repositoryPath", repositoryPath) ctx.Set("repositoryPath", repositoryPath)
// Requires Basic Auth if we push the repository // Shows basic auth if :
if noAuth { // - user wants to push the gist
// - user wants to clone/pull a private gist
// - gist is not found (obfuscation)
// - admin setting to require login is set to true
if isPull && gist.Private != 2 && gist.ID != 0 && !getData(ctx, "RequireLogin").(bool) {
return route.handler(ctx) return route.handler(ctx)
} }
@ -90,7 +88,7 @@ func gitHttp(ctx echo.Context) error {
} }
if gist.ID == 0 { if gist.ID == 0 {
return errorRes(404, "Not found", nil) return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
} }
if ok, err := argon2id.verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername { if ok, err := argon2id.verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
@ -98,7 +96,7 @@ func gitHttp(ctx echo.Context) error {
return errorRes(500, "Cannot verify password", err) return errorRes(500, "Cannot verify password", err)
} }
log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP()) log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
return errorRes(404, "Not found", nil) return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
} }
return route.handler(ctx) return route.handler(ctx)