From eac5cb9a6406c58e92669bb2d7fb9d4f4d25431d Mon Sep 17 00:00:00 2001 From: forgejo-backport-action Date: Wed, 18 Mar 2026 21:48:07 +0100 Subject: [PATCH] [v14.0/forgejo] fix: prevent container registry headers from leaking into other registries (#11737) **Backport:** https://codeberg.org/forgejo/forgejo/pulls/11733 https://codeberg.org/forgejo/forgejo/issues/11711 discovered that headers from the container registry are leaking into the other registries. That was introduced by https://codeberg.org/forgejo/forgejo/pulls/11393. This PR fixes the problem and adds a regression test to the Maven repository. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Tests for JavaScript changes (can be removed for Go changes) - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. *The decision if the pull request will be shown in the release notes is up to the mergers / release team.* The content of the `release-notes/.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead. Co-authored-by: Andreas Ahlenstorf Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11737 Reviewed-by: Andreas Ahlenstorf Co-authored-by: forgejo-backport-action Co-committed-by: forgejo-backport-action --- routers/api/packages/api.go | 23 +++++++++++++++---- .../api_packages_container_test.go | 2 +- tests/integration/api_packages_maven_test.go | 14 +++++++++++ 3 files changed, 34 insertions(+), 5 deletions(-) diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go index b430589cd2..b22df7637e 100644 --- a/routers/api/packages/api.go +++ b/routers/api/packages/api.go @@ -120,6 +120,24 @@ func verifyAuth(r *web.Route, authMethods []auth.Method) { } authGroup := auth.NewGroup(authMethods...) + r.Use(func(ctx *context.Context) { + var err error + ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) + if err != nil { + log.Info("Failed to verify user: %v", err) + ctx.Error(http.StatusUnauthorized, "authGroup.Verify") + return + } + ctx.IsSigned = ctx.Doer != nil + }) +} + +func verifyContainerAuth(r *web.Route, authMethods []auth.Method) { + if setting.Service.EnableReverseProxyAuth { + authMethods = append(authMethods, &auth.ReverseProxy{}) + } + authGroup := auth.NewGroup(authMethods...) + r.Use(func(ctx *context.Context) { var err error ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) @@ -781,10 +799,7 @@ func ContainerRoutes() *web.Route { r.Use(context.PackageContexter()) - verifyAuth(r, []auth.Method{ - &auth.Basic{}, - &container.Auth{}, - }) + verifyContainerAuth(r, []auth.Method{&auth.Basic{}, &container.Auth{}}) r.Get("", container.ReqContainerAccess, container.DetermineSupport) r.Group("/token", func() { diff --git a/tests/integration/api_packages_container_test.go b/tests/integration/api_packages_container_test.go index c688679a67..d6aed416aa 100644 --- a/tests/integration/api_packages_container_test.go +++ b/tests/integration/api_packages_container_test.go @@ -172,7 +172,7 @@ func TestPackageContainer(t *testing.T) { req := NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL)) // Setting the header explicitly instead of using AddBasicAuth to supply an invalid password. - req.Request.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("user2:very-invalid"))) + req.SetBasicAuth("user2", "very-invalid") resp := MakeRequest(t, req, http.StatusUnauthorized) assert.Equal(t, authenticate, resp.Header().Values("WWW-Authenticate")) diff --git a/tests/integration/api_packages_maven_test.go b/tests/integration/api_packages_maven_test.go index 9490d52890..74e7883443 100644 --- a/tests/integration/api_packages_maven_test.go +++ b/tests/integration/api_packages_maven_test.go @@ -254,6 +254,20 @@ func TestPackageMaven(t *testing.T) { resp := MakeRequest(t, req, http.StatusOK) assert.NotContains(t, resp.Body.String(), "Internal server error") }) + + t.Run("Invalid credentials", func(t *testing.T) { + req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename)) + req.SetBasicAuth(user.Name, "invalid") + resp := MakeRequest(t, req, http.StatusUnauthorized) + + // Verify that headers from other package endpoints do not leak into the Maven registry. That Forgejo responds + // with 401 Unauthorized without including any WWW-Authenticate header is *wrong*, though. + assert.Empty(t, resp.Header().Values("WWW-Authenticate")) + + // Verify that the request would work with correct credentials. + req.AddBasicAuth(user.Name) + MakeRequest(t, req, http.StatusOK) + }) } func TestPackageMavenConcurrent(t *testing.T) {