
Commit 5d7b9c9

committed
fix: public github release downloads should not be authenticated
1 parent 72f780a commit 5d7b9c9

2 files changed

+33
-0
lines changed


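--- a/internal/handlers/git_server.go
+++ b/internal/handlers/git_server.go
@@ -323,6 +323,10 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 return nil
 }
 
+if isPublicGitHubDownload(host, r.URL.Path) {
+return nil
+}
+
 // Get credentials for the host that not unscoped to specific repositories.
 hostCreds := credentials.get(host)
 credsForRequest := hostCreds.getCredentialsForRepo(allReposScopeIdentifier)
@@ -343,6 +347,12 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 return credsForRequest
 }
 
+// GitHub release download URLs are public
+// and do not require authentication
+func isPublicGitHubDownload(host string, path string) bool {
+return host == "github.com" && strings.Contains(path, "/releases/download/")
+}
+
 // HandleResponse handles retrying failed auth responses with alternate credentials
 // when there are multiple tokens configured for the git server.
 //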
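Review bot: The early `return nil` added in the first hunk drops credentials for every github.com path containing `/releases/download/`, but release assets of private repositories use exactly the same URL shape and cannot be fetched anonymously, so this change presumably breaks those downloads for any repo-scoped credential configured for that host; getCredentialsForRequest starts before this hunk, so I cannot see whether an earlier branch already handles that case. Consider skipping authentication only when no credential in `credentials.get(host)` is scoped to the owner/repo in the path, or at least state the limitation in the helper's comment. The comment on `isPublicGitHubDownload` should also follow the Go convention of starting with the name, e.g. `// isPublicGitHubDownload reports whether host/path is a github.com release-asset URL, which is served without credentials; private-repo assets are not distinguished.` The exact `host == "github.com"` comparison is fine if host is already normalised upstream (no port, lower case), which is not visible here.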

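--- a/internal/handlers/git_server_test.go
+++ b/internal/handlers/git_server_test.go
@@ -124,6 +124,29 @@ func TestGitServerHandler(t *testing.T) {
 "valid github request")
 }
 
+func TestGitServerPublicReleaseDownload(t *testing.T) {
+installationCred := testGitSourceCred("github.com", "x-access-token", "v1.token")
+gheCred := testGitSourceCred("ghe.some-corp.com", "x-access-token", "corp")
+
+credentials := config.Credentials{
+installationCred,
+gheCred,
+}
+handler := NewGitServerHandler(credentials, nil)
+
+req := httptest.NewRequest("HEAD", "https://github.com/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip", nil)
+req, _ = handler.HandleRequest(req, nil)
+assertUnauthenticated(t, req, "Public github.com release downloads should not be authenticated")
+
+req = httptest.NewRequest("HEAD", "https://ghe.some-corp.com/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip", nil)
+req, _ = handler.HandleRequest(req, nil)
+assertHasBasicAuth(t, req,
+gheCred.GetString("username"),
+gheCred.GetString("password"),
+"valid github request")
+
+}
+
 func TestGitServerHandler_AuthenticatedAccessToGitHubRepos(t *testing.T) {
 installationToken1 := "v1.token1"
 privateRepo1Cred := testGitSourceCred("github.com", "x-access-token", installationToken1, withAccessibleRepos([]string{"github/private-repo-1"}))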
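Review bot: The failure message on the final assertHasBasicAuth call in TestGitServerPublicReleaseDownload is copied from the earlier test and describes the wrong case; the request is to ghe.some-corp.com, so something like `"GHE release downloads must still be authenticated"` would make a failure readable. Both `req, _ = handler.HandleRequest(req, nil)` lines discard the error, so an unexpected error would surface only as a confusing nil-request failure later; `req, err = handler.HandleRequest(req, nil)` followed by `if err != nil { t.Fatal(err) }` is the usual shape. The test also only covers the positive case; a github.com request whose path does not contain `/releases/download/` would confirm the new branch does not strip credentials more broadly than intended.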
