fix: prevent container registry headers from leaking into other registries (#11733)

https://codeberg.org/forgejo/forgejo/issues/11711 discovered that headers from the container registry are leaking into the other registries. That was introduced by https://codeberg.org/forgejo/forgejo/pulls/11393. This PR fixes the problem and adds a regression test to the Maven repository. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests for Go changes (can be removed for JavaScript changes) - I added test coverage for Go changes... - [ ] in their respective `*_test.go` for unit tests. - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I ran... - [x] `make pr-go` before pushing ### Tests for JavaScript changes (can be removed for Go changes) - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change. - [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change. *The decision if the pull request will be shown in the release notes is up to the mergers / release team.* The content of the `release-notes/<pull request number>.md` file will serve as the basis for the release notes. If the file does not exist, the title of the pull request will be used instead. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11733 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org> Co-authored-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch> Co-committed-by: Andreas Ahlenstorf <andreas@ahlenstorf.ch>
2026-05-12 22:10:25 +00:00 · 2026-03-18 20:17:50 +01:00 · 2026-03-18 20:17:50 +01:00 · f0657b38a5
commit f0657b38a5
parent 28e0af25b4
3 changed files with 34 additions and 5 deletions
--- a/tests/integration/api_packages_container_test.go
+++ b/tests/integration/api_packages_container_test.go
@ -180,7 +180,7 @@ func TestPackageContainer(t *testing.T) {

 			req := NewRequest(t, "GET", fmt.Sprintf("%sv2/token", setting.AppURL))
 			// Setting the header explicitly instead of using AddBasicAuth to supply an invalid password.
-			req.Request.Header.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte("user2:very-invalid")))
+			req.SetBasicAuth("user2", "very-invalid")
 			resp := MakeRequest(t, req, http.StatusUnauthorized)

 			assert.Equal(t, authenticate, resp.Header().Values("WWW-Authenticate"))
--- a/tests/integration/api_packages_maven_test.go
+++ b/tests/integration/api_packages_maven_test.go
@ -254,6 +254,20 @@ func TestPackageMaven(t *testing.T) {
 		resp := MakeRequest(t, req, http.StatusOK)
 		assert.NotContains(t, resp.Body.String(), "Internal server error")
 	})
+
+	t.Run("Invalid credentials", func(t *testing.T) {
+		req := NewRequest(t, "HEAD", fmt.Sprintf("%s/%s/%s", root, packageVersion, filename))
+		req.SetBasicAuth(user.Name, "invalid")
+		resp := MakeRequest(t, req, http.StatusUnauthorized)
+
+		// Verify that headers from other package endpoints do not leak into the Maven registry. That Forgejo responds
+		// with 401 Unauthorized without including any WWW-Authenticate header is *wrong*, though.
+		assert.Empty(t, resp.Header().Values("WWW-Authenticate"))
+
+		// Verify that the request would work with correct credentials.
+		req.AddBasicAuth(user.Name)
+		MakeRequest(t, req, http.StatusOK)
+	})
 }

 func TestPackageMavenConcurrent(t *testing.T) {