[v14.0/forgejo] fix: prevent container registry headers from leaking into other registries (#11737)

**Backport:** https://codeberg.org/forgejo/forgejo/pulls/11733 https://codeberg.org/forgejo/forgejo/issues/11711 discovered that headers from the container registry are leaking into the other registries. That was introduced by https://codeberg.org/forgejo/forgejo/pulls/11393. This PR fixes the problem and adds a regression test to the Maven repository. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Tests for JavaScript changes (can be removed for Go changes) - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. *The decision if the pull request will be shown in the release notes is up to the mergers / release team.* The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead. Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11737 Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2026-05-12 22:10:25 +00:00 · 2026-03-18 21:48:07 +01:00 · 2026-03-18 21:48:07 +01:00 · eac5cb9a64
commit eac5cb9a64
parent a2f9fb501f
3 changed files with 34 additions and 5 deletions
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@ -120,6 +120,24 @@ func verifyAuth(r *web.Route, authMethods []auth.Method) {
 	}
 	authGroup := auth.NewGroup(authMethods...)

+	r.Use(func(ctx *context.Context) {
+		var err error
+		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
+		if err != nil {
+			log.Info("Failed to verify user: %v", err)
+			ctx.Error(http.StatusUnauthorized, "authGroup.Verify")
+			return
+		}
+		ctx.IsSigned = ctx.Doer != nil
+	})
+}
+
+func verifyContainerAuth(r *web.Route, authMethods []auth.Method) {
+	if setting.Service.EnableReverseProxyAuth {
+		authMethods = append(authMethods, &auth.ReverseProxy{})
+	}
+	authGroup := auth.NewGroup(authMethods...)
+
 	r.Use(func(ctx *context.Context) {
 		var err error
 		ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
@ -781,10 +799,7 @@ func ContainerRoutes() *web.Route {

 	r.Use(context.PackageContexter())

-	verifyAuth(r, []auth.Method{
-		&auth.Basic{},
-		&container.Auth{},
-	})
+	verifyContainerAuth(r, []auth.Method{&auth.Basic{}, &container.Auth{}})

 	r.Get("", container.ReqContainerAccess, container.DetermineSupport)
 	r.Group("/token", func() {
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@ -172,7 +172,7 @@ func TestPackageContainer(t *testing.T) {

 			req := NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
 			// Setting the header explicitly instead of using AddBasicAuth to supply an invalid password.
-			req.Request.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("user2:very-invalid")))
+			req.SetBasicAuth("user2", "very-invalid")
 			resp := MakeRequest(t, req, http.StatusUnauthorized)

 			assert.Equal(t, authenticate, resp.Header().Values("WWW-Authenticate"))
--- a/tests/integration/api_packages_maven_test.go
+++ b/tests/integration/api_packages_maven_test.go
@ -254,6 +254,20 @@ func TestPackageMaven(t *testing.T) {
 		resp := MakeRequest(t, req, http.StatusOK)
 		assert.NotContains(t, resp.Body.String(), "Internal server error")
 	})
+
+	t.Run("Invalid credentials", func(t *testing.T) {
+		req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename))
+		req.SetBasicAuth(user.Name, "invalid")
+		resp := MakeRequest(t, req, http.StatusUnauthorized)
+
+		// Verify that headers from other package endpoints do not leak into the Maven registry. That Forgejo responds
+		// with 401 Unauthorized without including any WWW-Authenticate header is *wrong*, though.
+		assert.Empty(t, resp.Header().Values("WWW-Authenticate"))
+
+		// Verify that the request would work with correct credentials.
+		req.AddBasicAuth(user.Name)
+		MakeRequest(t, req, http.StatusOK)
+	})
 }

 func TestPackageMavenConcurrent(t *testing.T) {