Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improved git http semantics and repo obfuscation #94

Merged
merged 1 commit into from
Sep 7, 2023
Merged

Improved git http semantics and repo obfuscation #94

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 13 additions & 15 deletions internal/web/git_http.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,30 +47,28 @@ func gitHttp(ctx echo.Context) error {

gist := getData(ctx, "gist").(*db.Gist)

// Shows basic auth if :
// - user wants to push the gist
// - user wants to clone a private gist
// - gist is not found (obfuscation)
// - admin setting to require login is set to true
noAuth := (ctx.QueryParam("service") == "git-upload-pack" ||
isInfoRefs := strings.HasSuffix(route.gitUrl, "/info/refs$")

isPull := ctx.QueryParam("service") == "git-upload-pack" ||
strings.HasSuffix(ctx.Request().URL.Path, "git-upload-pack") ||
ctx.Request().Method == "GET") &&
gist.Private != 2 &&
gist.ID != 0 &&
!getData(ctx, "RequireLogin").(bool)
ctx.Request().Method == "GET" && !isInfoRefs

repositoryPath := git.RepositoryPath(gist.User.Username, gist.Uuid)

if _, err := os.Stat(repositoryPath); os.IsNotExist(err) {
if err != nil {
log.Info().Err(err).Msg("Repository directory does not exist")
return errorRes(404, "Repository directory does not exist", err)
}
}

ctx.Set("repositoryPath", repositoryPath)

// Requires Basic Auth if we push the repository
if noAuth {
// Shows basic auth if :
// - user wants to push the gist
// - user wants to clone/pull a private gist
// - gist is not found (obfuscation)
// - admin setting to require login is set to true
if isPull && gist.Private != 2 && gist.ID != 0 && !getData(ctx, "RequireLogin").(bool) {
return route.handler(ctx)
}

Expand All @@ -90,15 +88,15 @@ func gitHttp(ctx echo.Context) error {
}

if gist.ID == 0 {
return errorRes(404, "Not found", nil)
return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
}

if ok, err := argon2id.verify(authPassword, gist.User.Password); !ok || gist.User.Username != authUsername {
if err != nil {
return errorRes(500, "Cannot verify password", err)
}
log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
return errorRes(404, "Not found", nil)
return plainText(ctx, 404, "Check your credentials or make sure you have access to the Gist")
}

return route.handler(ctx)
Expand Down