From 2d4c10b8e4f32d8e3f5c3b3a5e4365d80c22cbbe Mon Sep 17 00:00:00 2001
From: Andrew Thornton
Date: Wed, 26 May 2021 19:43:24 +0100
Subject: [PATCH] Allow Token/Basic auth on raw paths

It appears that people have been using token authentication to navigate to raw paths and recent changes have broken this. Whilst ideally these paths would not be being used like this - it was not the intention to be a breaking change. This PR restores access to these paths.
Fix #13772
Signed-off-by: Andrew Thornton
---
 modules/auth/sso/basic.go | 2 +-
 modules/auth/sso/reverseproxy.go | 2 +-
 modules/auth/sso/sso.go | 6 +++---
 modules/auth/sso/sso_test.go | 16 ++++++++++------
 4 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/modules/auth/sso/basic.go b/modules/auth/sso/basic.go
index a18e127ff93f..555128812851 100644
--- a/modules/auth/sso/basic.go
+++ b/modules/auth/sso/basic.go
@@ -51,7 +51,7 @@ func (b *Basic) IsEnabled() bool {
 func (b *Basic) VerifyAuthData(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) *models.User {
 	// Basic authentication should only fire on API, Download or on Git or LFSPaths
-	if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+	if middleware.IsInternalPath(req) || !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
 		return nil
 	}
 
diff --git a/modules/auth/sso/reverseproxy.go b/modules/auth/sso/reverseproxy.go
index d4fae9d5f425..f8d17a3cf5a7 100644
--- a/modules/auth/sso/reverseproxy.go
+++ b/modules/auth/sso/reverseproxy.go
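Review bot: The comment directly above the changed condition still says Basic authentication fires only on "API, Download or on Git or LFSPaths", but the new predicate also admits `/owner/repo/raw/` paths, so it should be updated in the same change, e.g. `// Basic authentication should only fire on API, Download, Git, raw-file or LFS paths`. It is worth stating there that this deliberately widens where a token or Basic credential in the Authorization header is honoured: raw paths serve repository file contents straight to a browser, which is presumably why they were excluded and why the commit message calls this usage undesirable. VerifyAuthData's body continues beyond the hunk.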
@@ -78,7 +78,7 @@ func (r *ReverseProxy) VerifyAuthData(req *http.Request, w http.ResponseWriter,
 	}
 
 	// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
-	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitOrLFSPath(req) {
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrLFSPath(req) {
 		if sess.Get("uid").(int64) != user.ID {
 			handleSignIn(w, req, sess, user)
 		}
diff --git a/modules/auth/sso/sso.go b/modules/auth/sso/sso.go
index 2f949cb0f858..8543ceb2ffc0 100644
--- a/modules/auth/sso/sso.go
+++ b/modules/auth/sso/sso.go
@@ -104,11 +104,11 @@ func isAttachmentDownload(req *http.Request) bool {
 	return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
 }
 
-var gitPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/))`)
+var gitRawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|raw/)`)
 var lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
 
-func isGitOrLFSPath(req *http.Request) bool {
-	if gitPathRe.MatchString(req.URL.Path) {
+func isGitRawOrLFSPath(req *http.Request) bool {
+	if gitRawPathRe.MatchString(req.URL.Path) {
 		return true
 	}
 	if setting.LFS.StartServer {
diff --git a/modules/auth/sso/sso_test.go b/modules/auth/sso/sso_test.go
index b6a7f099e3a2..e57788f35aec 100644
--- a/modules/auth/sso/sso_test.go
+++ b/modules/auth/sso/sso_test.go
@@ -12,7 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 )
 
-func Test_isGitOrLFSPath(t *testing.T) {
+func Test_isGitRawOrLFSPath(t *testing.T) {
 	tests := []struct {
 		path string
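Review bot: The "Make sure requests to API paths, attachment downloads, git and LFS do not create a new session" comment above the changed line no longer lists raw paths, which the renamed predicate now covers, so a reverse-proxied request to `/owner/repo/raw/...` silently stops creating a session without the comment saying so; suggest `// Make sure requests to API paths, attachment downloads, git, raw-file and LFS paths do not create a new session`. The enclosing VerifyAuthData begins before this hunk and its tail lies outside it.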
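Review bot: Appending `raw/` to gitRawPathRe makes the raw branch method-agnostic — a POST or PUT to `/owner/repo/raw/...` is classified exactly like a GET — whereas the sibling isAttachmentDownload in the same hunk deliberately requires `req.Method == "GET"`. If the raw handlers only ever serve content, consider keeping `raw/` out of the git pattern and adding a separate `var rawPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/raw/`)` checked as `if req.Method == "GET" && rawPathRe.MatchString(req.URL.Path) { return true }`, so Basic credentials are not honoured on write verbs there; whether the routers already reject non-GET on those paths is not visible from this hunk. The pattern also needs a why-comment such as `// raw/ is included so token/Basic auth keeps working for direct file downloads (#13772)`, since a reader cannot tell it apart from the git smart-HTTP endpoints. The function's tail (the LFS branch) is outside the hunk.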
@@ -63,6 +63,10 @@ func Test_isGitOrLFSPath(t *testing.T) {
 			"/owner/repo/objects/pack/pack-0123456789abcdef0123456789abcdef0123456.idx",
 			true,
 		},
+		{
+			"/owner/repo/raw/branch/foo/fanaso",
+			true,
+		},
 		{
 			"/owner/repo/stars",
 			false,
@@ -98,11 +102,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
 		t.Run(tt.path, func(t *testing.T) {
 			req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
 			setting.LFS.StartServer = false
-			if got := isGitOrLFSPath(req); got != tt.want {
+			if got := isGitRawOrLFSPath(req); got != tt.want {
 				t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
 			}
 			setting.LFS.StartServer = true
-			if got := isGitOrLFSPath(req); got != tt.want {
+			if got := isGitRawOrLFSPath(req); got != tt.want {
 				t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
 			}
 		})
@@ -111,11 +115,11 @@ func Test_isGitOrLFSPath(t *testing.T) {
 		t.Run(tt, func(t *testing.T) {
 			req, _ := http.NewRequest("POST", tt, nil)
 			setting.LFS.StartServer = false
-			if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
-				t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitPathRe.MatchString(tt))
+			if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
+				t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawPathRe.MatchString(tt))
 			}
 			setting.LFS.StartServer = true
-			if got := isGitOrLFSPath(req); got != setting.LFS.StartServer {
+			if got := isGitRawOrLFSPath(req); got != setting.LFS.StartServer {
 				t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
 			}
 		})
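Review bot: The new table entry only pins the positive case; nothing asserts the boundary of the `raw/` alternative, so a later edit of the pattern to `raw` or `raw.*` would still pass. Suggest adding negative entries next to it such as `{"/owner/repo/rawfoo", false}` and `{"/owner/raw/branch/x", false}`, which the current regex rejects because it requires `raw/` immediately after the owner/repo segments. Note also that the loop further down builds every request with `POST`, so this table cannot detect a method restriction if one is ever added for raw paths. The enclosing test function starts before this hunk.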
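Review bot: The `t.Errorf` messages in this hunk still name `isGitOrLFSPath()` even though the call on the line just above was renamed, so a failure will point at a function that no longer exists; change them to `t.Errorf("isGitRawOrLFSPath() = %v, want %v", got, tt.want)`, and the same stale `isGitOrLFSPath(%q)` text recurs in the following hunk. The test body that reads `tt.want` is set up before this hunk and the surrounding loop closes after it.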