Container packages ignore REQUIRE_SIGNIN_VIEW #28875

Closed
Shuenhoy opened this issue Jan 21, 2024 · 5 comments · Fixed by #28877

Comments

@Shuenhoy

Description

Our site has enabled REQUIRE_SIGNIN_VIEW; however, we can still docker pull a public image.
This problem had been reported in #20863, and #20873 seemed to have fixed this for other types of packages, but not for containers.

Gitea Version

1.21.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

docker

Database

PostgreSQL

@KN4CK3R
Member

KN4CK3R commented Jan 21, 2024

It does not ignore that flag:

```go
func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.AccessMode, error) {
	if setting.Service.RequireSignInView && doer == nil {
		return perm.AccessModeNone, nil
	}
```

Did you perform a docker logout?

KN4CK3R added the issue/needs-feedback label and removed the type/bug label Jan 21, 2024
@Shuenhoy
Author

Hi @KN4CK3R, please check this snapshot:

image

Or am I missing something and the login information can be stored somewhere else?

KN4CK3R added the type/bug label and removed the issue/needs-feedback label Jan 21, 2024
@KN4CK3R
Member

KN4CK3R commented Jan 21, 2024

No, my bad... The container registry uses the internal ghost user for anonymous requests and the ghost user is not nil. Therefore the test does not return no access rights... I will send a fix soon.

@KN4CK3R
Member

KN4CK3R commented Jan 21, 2024

Fixed in #28877. Thank you for the report.
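
The root cause discussed in this thread, modelled as an added example (not Gitea's code and not part of the original comments): a nil-only check treats a non-nil placeholder user as signed in, while the hardened form also rejects the ghost user. The `User` type, the `ghostID` sentinel, and the `accessBefore`/`accessAfter`/`publicAccess` names are assumptions made for illustration.

```go
package main

import "fmt"

// AccessMode is a simplified stand-in for an access-level enum.
type AccessMode int

const (
	AccessModeNone AccessMode = iota
	AccessModeRead
)

// User is a minimal model; ghostID is an assumed sentinel for the
// placeholder account substituted for anonymous registry requests.
type User struct{ ID int64 }

const ghostID int64 = -1

func (u *User) IsGhost() bool { return u != nil && u.ID == ghostID }

// publicAccess is the fall-through rule: public packages are readable.
func publicAccess(public bool) AccessMode {
	if public {
		return AccessModeRead
	}
	return AccessModeNone
}

// accessBefore mirrors the quoted check: only a nil doer counts as anonymous.
func accessBefore(requireSignIn, public bool, doer *User) AccessMode {
	if requireSignIn && doer == nil {
		return AccessModeNone
	}
	return publicAccess(public)
}

// accessAfter also denies the ghost user when sign-in is required.
func accessAfter(requireSignIn, public bool, doer *User) AccessMode {
	if requireSignIn && (doer == nil || doer.IsGhost()) {
		return AccessModeNone
	}
	return publicAccess(public)
}

func main() {
	ghost := &User{ID: ghostID} // constructed anonymous request
	fmt.Println("before:", accessBefore(true, true, ghost))
	fmt.Println("after: ", accessAfter(true, true, ghost))
}
```
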

@lunny lunny added this to the 1.21.5 milestone Jan 21, 2024
KN4CK3R added a commit that referenced this issue Jan 21, 2024
…28877)

Fixes #28875

If `RequireSignInView` is enabled, the ghost user has no access rights.
KN4CK3R added a commit that referenced this issue Jan 21, 2024
…28877) (#28882)

Backport #28877 by @KN4CK3R

Fixes #28875

If `RequireSignInView` is enabled, the ghost user has no access rights.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Ma27 added a commit to Ma27/nixpkgs that referenced this issue Feb 1, 2024
… REQUIRE_SIGNIN_VIEW is set

The issue got fixed in 1.21, but we still have 1.20 on 23.11.
See go-gitea/gitea#28875 / go-gitea/gitea#28875
Automatically locked because of our CONTRIBUTING guidelines

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 29, 2024