mirrors/git-pages
1
0
Fork 0
mirror of https://codeberg.org/git-pages/git-pages.git synced 2026-05-21 22:51:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add [limits].allowed-repository-url-prefixes configuration option.

Browse Source 
This is useful to limit updates to a specific Git forge.
Naturally, enabling this option disables updates from archive.
This commit is contained in:
Catherine
2025-10-09 13:18:44 +00:00
parent 2d603db810
commit e0b659f668
2 changed files with 29 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/auth.go
View File

@@ -417,22 +417,40 @@ func AuthorizeRepository(repoURL string, auth *Authorization) error {
return nil // any
}
repoURL = strings.ToLower(repoURL)
if config.Limits.AllowedRepositoryURLPrefixes != nil {
allowedPrefix := false
for _, allowedRepoURLPrefix := range config.Limits.AllowedRepositoryURLPrefixes {
if strings.HasPrefix(repoURL, strings.ToLower(allowedRepoURLPrefix)) {
allowedPrefix = true
break
}
}
if !allowedPrefix {
return AuthError{
http.StatusUnauthorized,
fmt.Sprintf("clone URL not in prefix allowlist %v",
config.Limits.AllowedRepositoryURLPrefixes),
}
}
}
allowed := false
for _, allowedRepoURL := range auth.repoURLs {
if strings.EqualFold(repoURL, allowedRepoURL) {
if repoURL == strings.ToLower(allowedRepoURL) {
allowed = true
break
}
}
if allowed {
return nil
} else {
if !allowed {
return AuthError{
http.StatusUnauthorized,
fmt.Sprintf("clone URL not in allowlist %v", auth.repoURLs),
}
}
return nil
}
// The purpose of `allowRepoURLs` is to make sure that only authorized content is deployed
@@ -466,6 +484,10 @@ func AuthorizeUpdateFromArchive(r *http.Request) (*Authorization, error) {
return auth, nil
}
if config.Limits.AllowedRepositoryURLPrefixes != nil {
return nil, AuthError{http.StatusUnauthorized, "updating from archive not allowed"}
}
// DNS challenge gives absolute authority.
auth, err := authorizeDNSChallenge(r)
if err != nil && IsUnauthorized(err) {

2
src/config.go
View File

@@ -103,6 +103,8 @@ type LimitsConfig struct {
MaxHeapSizeRatio float64 `toml:"max-heap-size-ratio" default:"0.5"`
// List of domains unconditionally forbidden for uploads.
ForbiddenDomains []string `toml:"forbidden-domains"`
// List of allowed repository URL prefixes. Setting this option prohibits uploading archives.
AllowedRepositoryURLPrefixes []string `toml:"allowed-repository-url-prefixes"`
}
func (config *Config) DebugJSON() string {