mirror/opengist
1
0
Fork 0
mirror of https://github.com/thomiceli/opengist.git synced 2025-01-03 16:22:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Improved git http semantics and repo obfuscation (#94)

Browse source
This commit is contained in:
Thomas Miceli 2023-09-07 11:46:34 +02:00 committed by GitHub
parent 3e83700fc2
commit 977fc9db28
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
internal/web/git_http.go
View file

@ -47,30 +47,28 @@ func gitHttp(ctx echo.Context) error {
gist := getData(ctx, "gist").(*db.Gist)
// Shows basic auth if :
// - user wants to push the gist
// - user wants to clone a private gist
// - gist is not found (obfuscation)
// - admin setting to require login is set to true
noAuth := (ctx.QueryParam("service") == "git-upload-pack" ||
isInfoRefs := strings.HasSuffix(route.gitUrl, "/info/refs$")
isPull := ctx.QueryParam("service") == "git-upload-pack" ||
strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") ||
ctx.Request().Method == "GET") &&
gist.Private != 2 &&
gist.ID != 0 &&
!getData(ctx, "RequireLogin").(bool)
ctx.Request().Method == "GET" && !isInfoRefs
repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid)
if _, err := os.Stat(repositoryPath); os.IsNotExist(err) {
if err != nil {
log.Info().Err(err).Msg("Repository directory does not exist")
return errorRes(404, "Repository directory does not exist", err)
}
}
ctx.Set("repositoryPath", repositoryPath)
// Requires Basic Auth if we push the repository
if noAuth {
// Shows basic auth if :
// - user wants to push the gist
// - user wants to clone/pull a private gist
// - gist is not found (obfuscation)
// - admin setting to require login is set to true
if isPull && gist.Private != 2 && gist.ID != 0 && !getData(ctx, "RequireLogin").(bool) {
return route.handler(ctx)
}
@ -90,7 +88,7 @@ func gitHttp(ctx echo.Context) error {
}
if gist.ID == 0 {
return errorRes(404, "Not found", nil)
return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
}
if ok, err := argon2id.verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
@ -98,7 +96,7 @@ func gitHttp(ctx echo.Context) error {
return errorRes(500, "Cannot verify password", err)
}
log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
return errorRes(404, "Not found", nil)
return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
}
return route.handler(ctx)