Fix attachment download bug (go-gitea#27486)

lunny · web-flow · commit 5c9fbcca00ca · 2023-10-10T15:33:56.000Z
diff --git a/services/auth/auth.go b/services/auth/auth.go
@@ -36,12 +36,16 @@ func isContainerPath(req *http.Request) bool {
 }
 
 var (
-	gitRawReleasePathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/))`)
-	lfsPathRe           = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
+	gitRawOrAttachPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/)|(?:attachments/))`)
+	lfsPathRe            = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
 )
 
-func isGitRawReleaseOrLFSPath(req *http.Request) bool {
-	if gitRawReleasePathRe.MatchString(req.URL.Path) {
+func isGitRawOrAttachPath(req *http.Request) bool {
+	return gitRawOrAttachPathRe.MatchString(req.URL.Path)
+}
+
+func isGitRawOrAttachOrLFSPath(req *http.Request) bool {
+	if isGitRawOrAttachPath(req) {
 		return true
 	}
 	if setting.LFS.StartServer {
diff --git a/services/auth/auth_test.go b/services/auth/auth_test.go
@@ -85,6 +85,10 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
 			"/owner/repo/releases/download/tag/repo.tar.gz",
 			true,
 		},
+		{
+			"/owner/repo/attachments/6d92a9ee-5d8b-4993-97c9-6181bdaa8955",
+			true,
+		},
 	}
 	lfsTests := []string{
 		"/owner/repo/info/lfs/",
@@ -104,11 +108,11 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
 		t.Run(tt.path, func(t *testing.T) {
 			req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
 			setting.LFS.StartServer = false
-			if got := isGitRawReleaseOrLFSPath(req); got != tt.want {
+			if got := isGitRawOrAttachOrLFSPath(req); got != tt.want {
 				t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
 			}
 			setting.LFS.StartServer = true
-			if got := isGitRawReleaseOrLFSPath(req); got != tt.want {
+			if got := isGitRawOrAttachOrLFSPath(req); got != tt.want {
 				t.Errorf("isGitOrLFSPath() = %v, want %v", got, tt.want)
 			}
 		})
@@ -117,11 +121,11 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
 		t.Run(tt, func(t *testing.T) {
 			req, _ := http.NewRequest("POST", tt, nil)
 			setting.LFS.StartServer = false
-			if got := isGitRawReleaseOrLFSPath(req); got != setting.LFS.StartServer {
-				t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawReleasePathRe.MatchString(tt))
+			if got := isGitRawOrAttachOrLFSPath(req); got != setting.LFS.StartServer {
+				t.Errorf("isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawOrAttachPathRe.MatchString(tt))
 			}
 			setting.LFS.StartServer = true
-			if got := isGitRawReleaseOrLFSPath(req); got != setting.LFS.StartServer {
+			if got := isGitRawOrAttachOrLFSPath(req); got != setting.LFS.StartServer {
 				t.Errorf("isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
 			}
 		})
diff --git a/services/auth/basic.go b/services/auth/basic.go
@@ -42,7 +42,7 @@ func (b *Basic) Name() string {
 // Returns nil if header is empty or validation fails.
 func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
 	// Basic authentication should only fire on API, Download or on Git or LFSPaths
-	if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) {
+	if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
 		return nil, nil
 	}
 
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
@@ -127,7 +127,7 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat
 func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
 	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
 	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
-		!gitRawReleasePathRe.MatchString(req.URL.Path) {
+		!isGitRawOrAttachPath(req) {
 		return nil, nil
 	}
 
diff --git a/services/auth/reverseproxy.go b/services/auth/reverseproxy.go
@@ -117,7 +117,7 @@ func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store Da
 	}
 
 	// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
-	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) {
+	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
 		if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
 			handleSignIn(w, req, sess, user)
 		}
diff --git a/services/convert/attachment.go b/services/convert/attachment.go
@@ -4,10 +4,7 @@
 package convert
 
 import (
-	"strconv"
-
 	repo_model "code.gitea.io/gitea/models/repo"
-	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 )
 
@@ -16,12 +13,7 @@ func WebAssetDownloadURL(repo *repo_model.Repository, attach *repo_model.Attachm
 }
 
 func APIAssetDownloadURL(repo *repo_model.Repository, attach *repo_model.Attachment) string {
-	if attach.CustomDownloadURL != "" {
-		return attach.CustomDownloadURL
-	}
-
-	// /repos/{owner}/{repo}/releases/{id}/assets/{attachment_id}
-	return setting.AppURL + "api/repos/" + repo.FullName() + "/releases/" + strconv.FormatInt(attach.ReleaseID, 10) + "/assets/" + strconv.FormatInt(attach.ID, 10)
+	return attach.DownloadURL()
 }
 
 // ToAttachment converts models.Attachment to api.Attachment for API usage

Original file line number	Diff line number	Diff line change
`@@ -36,12 +36,16 @@ func isContainerPath(req *http.Request) bool {`
`36`	`36`	`}`
`37`	`37`
`38`	`38`	`var (`
`39`		- gitRawReleasePathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)\|(?:receive))-pack$)\|(?:info/refs$)\|(?:HEAD$)\|(?:objects/)\|(?:raw/)\|(?:releases/download/))`)
`40`		- lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
	`39`	+ gitRawOrAttachPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)\|(?:receive))-pack$)\|(?:info/refs$)\|(?:HEAD$)\|(?:objects/)\|(?:raw/)\|(?:releases/download/)\|(?:attachments/))`)
	`40`	+ lfsPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
`41`	`41`	`)`
`42`	`42`
`43`		`-func isGitRawReleaseOrLFSPath(req *http.Request) bool {`
`44`		`- if gitRawReleasePathRe.MatchString(req.URL.Path) {`
	`43`	`+func isGitRawOrAttachPath(req *http.Request) bool {`
	`44`	`+ return gitRawOrAttachPathRe.MatchString(req.URL.Path)`
	`45`	`+}`
	`46`	`+`
	`47`	`+func isGitRawOrAttachOrLFSPath(req *http.Request) bool {`
	`48`	`+ if isGitRawOrAttachPath(req) {`
`45`	`49`	`return true`
`46`	`50`	`}`
`47`	`51`	`if setting.LFS.StartServer {`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ func (b *Basic) Name() string {`
`42`	`42`	`// Returns nil if header is empty or validation fails.`
`43`	`43`	`func (b Basic) Verify(req http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {`
`44`	`44`	`// Basic authentication should only fire on API, Download or on Git or LFSPaths`
`45`		`- if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) {`
	`45`	`+ if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {`
`46`	`46`	`return nil, nil`
`47`	`47`	`}`
`48`	`48`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat`
`127`	`127`	`func (o OAuth2) Verify(req http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {`
`128`	`128`	`// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs`
`129`	`129`	`if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&`
`130`		`- !gitRawReleasePathRe.MatchString(req.URL.Path) {`
	`130`	`+ !isGitRawOrAttachPath(req) {`
`131`	`131`	`return nil, nil`
`132`	`132`	`}`
`133`	`133`
Original file line number	Diff line number	Diff line change
`@@ -117,7 +117,7 @@ func (r ReverseProxy) Verify(req http.Request, w http.ResponseWriter, store Da`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session`
`120`		`- if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawReleaseOrLFSPath(req) {`
	`120`	`+ if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {`
`121`	`121`	`if sess != nil && (sess.Get("uid") == nil \|\| sess.Get("uid").(int64) != user.ID) {`
`122`	`122`	`handleSignIn(w, req, sess, user)`
`123`	`123`	`}`