loading up the forgejo repo on tangled to test page performance
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

fix: consider HEAD requests to be pulls (#6750)

Previously an anonymous GET request to e.g.
https://codeberg.org/forgejo/forgejo/HEAD was allowed, as GET requests
are considered pulls and those don't need authentication for a public
repository, but a HEAD request to the same URL was rejected with a 401.
Since the result of a HEAD request is a subset of the result of a GET
request it is safe to allow HEAD as well.

This isn't really a practical issue for Forgejo itself, but I have encountered this in https://codeberg.org/forgejo-aneksajo/forgejo-aneksajo/issues/40. Since the fix isn't git-annex specific I am proposing it here.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
- [ ] in their respective `*_test.go` for unit tests.
- [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [X] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6750
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Matthias Riße <m.risse@fz-juelich.de>
Co-committed-by: Matthias Riße <m.risse@fz-juelich.de>

authored by

Matthias Riße
Matthias Riße
and committed by
Earl Warren
7f4f3434 5961db5a

+136 -1
+1 -1
routers/web/repo/githttp.go
··· 78 78 strings.HasSuffix(ctx.Req.URL.Path, "git-upload-archive") { 79 79 isPull = true 80 80 } else { 81 - isPull = ctx.Req.Method == "GET" 81 + isPull = ctx.Req.Method == "GET" || ctx.Req.Method == "HEAD" 82 82 } 83 83 84 84 var accessMode perm.AccessMode
+135
tests/integration/git_smart_http_test.go
··· 1 1 // Copyright 2021 The Gitea Authors. All rights reserved. 2 + // Copyright 2025 The Forgejo Authors. All rights reserved. 2 3 // SPDX-License-Identifier: MIT 3 4 4 5 package integration 5 6 6 7 import ( 8 + "fmt" 7 9 "io" 8 10 "net/http" 9 11 "net/url" 10 12 "testing" 13 + 14 + auth_model "code.gitea.io/gitea/models/auth" 15 + "code.gitea.io/gitea/models/db" 16 + "code.gitea.io/gitea/models/perm" 17 + unit_model "code.gitea.io/gitea/models/unit" 18 + "code.gitea.io/gitea/models/unittest" 19 + user_model "code.gitea.io/gitea/models/user" 20 + "code.gitea.io/gitea/tests" 11 21 12 22 "github.com/stretchr/testify/assert" 13 23 "github.com/stretchr/testify/require" ··· 67 77 }) 68 78 } 69 79 } 80 + 81 + // Test that the git http endpoints have the same authentication behavior irrespective of if it is a GET or a HEAD request. 82 + func TestGitHTTPSameStatusCodeForGetAndHeadRequests(t *testing.T) { 83 + defer tests.PrepareTestEnv(t)() 84 + 85 + owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}) 86 + user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) 87 + 88 + type caseType struct { 89 + User *user_model.User 90 + IsCollaborator bool 91 + RepoIsPrivate bool 92 + Endpoint string 93 + ExpectedStatusCode int 94 + } 95 + cases := []caseType{ 96 + {owner, false, false, "HEAD", 200}, 97 + {owner, false, false, "git-receive-pack", 405}, 98 + {owner, false, false, "git-upload-pack", 405}, 99 + {owner, false, false, "info/refs", 200}, 100 + {owner, false, false, "objects/info/alternates", 404}, 101 + {owner, false, false, "objects/info/http-alternates", 404}, 102 + {owner, false, false, "objects/info/packs", 200}, 103 + {owner, false, true, "HEAD", 200}, 104 + {owner, false, true, "git-receive-pack", 405}, 105 + {owner, false, true, "git-upload-pack", 405}, 106 + {owner, false, true, "info/refs", 200}, 107 + {owner, false, true, "objects/info/alternates", 404}, 108 + {owner, false, true, "objects/info/http-alternates", 404}, 109 + {owner, false, true, "objects/info/packs", 200}, 110 + {user2, false, false, "HEAD", 200}, 111 + {user2, false, false, "git-receive-pack", 405}, 112 + {user2, false, false, "git-upload-pack", 405}, 113 + {user2, false, false, "info/refs", 200}, 114 + {user2, false, false, "objects/info/alternates", 404}, 115 + {user2, false, false, "objects/info/http-alternates", 404}, 116 + {user2, false, false, "objects/info/packs", 200}, 117 + {user2, false, true, "HEAD", 404}, 118 + {user2, false, true, "git-receive-pack", 405}, 119 + {user2, false, true, "git-upload-pack", 405}, 120 + {user2, false, true, "info/refs", 404}, 121 + {user2, false, true, "objects/info/alternates", 404}, 122 + {user2, false, true, "objects/info/http-alternates", 404}, 123 + {user2, false, true, "objects/info/packs", 404}, 124 + // user2 with IsCollaborator=true must come after IsCollaborator=false, because 125 + // the addition as a collaborator is not reset 126 + {user2, true, false, "HEAD", 200}, 127 + {user2, true, false, "git-receive-pack", 405}, 128 + {user2, true, false, "git-upload-pack", 405}, 129 + {user2, true, false, "info/refs", 200}, 130 + {user2, true, false, "objects/info/alternates", 404}, 131 + {user2, true, false, "objects/info/http-alternates", 404}, 132 + {user2, true, false, "objects/info/packs", 200}, 133 + {user2, true, true, "HEAD", 200}, 134 + {user2, true, true, "git-receive-pack", 405}, 135 + {user2, true, true, "git-upload-pack", 405}, 136 + {user2, true, true, "info/refs", 200}, 137 + {user2, true, true, "objects/info/alternates", 404}, 138 + {user2, true, true, "objects/info/http-alternates", 404}, 139 + {user2, true, true, "objects/info/packs", 200}, 140 + {nil, false, false, "HEAD", 200}, 141 + {nil, false, false, "git-receive-pack", 405}, 142 + {nil, false, false, "git-upload-pack", 405}, 143 + {nil, false, false, "info/refs", 200}, 144 + {nil, false, false, "objects/info/alternates", 404}, 145 + {nil, false, false, "objects/info/http-alternates", 404}, 146 + {nil, false, false, "objects/info/packs", 200}, 147 + {nil, false, true, "HEAD", 401}, 148 + {nil, false, true, "git-receive-pack", 405}, 149 + {nil, false, true, "git-upload-pack", 405}, 150 + {nil, false, true, "info/refs", 401}, 151 + {nil, false, true, "objects/info/alternates", 401}, 152 + {nil, false, true, "objects/info/http-alternates", 401}, 153 + {nil, false, true, "objects/info/packs", 401}, 154 + } 155 + 156 + caseToTestName := func(c caseType) string { 157 + var user string 158 + if c.User == nil { 159 + user = "nil" 160 + } else if c.User == owner { 161 + user = "owner" 162 + } else { 163 + user = c.User.Name 164 + } 165 + return fmt.Sprintf( 166 + "User=%s,IsCollaborator=%t,RepoIsPrivate=%t,Endpoint=%s,ExpectedStatusCode=%d", 167 + user, 168 + c.IsCollaborator, 169 + c.RepoIsPrivate, 170 + c.Endpoint, 171 + c.ExpectedStatusCode, 172 + ) 173 + } 174 + 175 + repo, _, f := tests.CreateDeclarativeRepo(t, owner, "get-and-head-requests", []unit_model.Type{unit_model.TypeCode}, nil, nil) 176 + defer f() 177 + 178 + for _, c := range cases { 179 + t.Run(caseToTestName(c), func(t *testing.T) { 180 + defer tests.PrintCurrentTest(t)() 181 + session := emptyTestSession(t) 182 + if c.User != nil { 183 + session = loginUser(t, c.User.Name) 184 + } 185 + if c.IsCollaborator { 186 + testCtx := NewAPITestContext(t, owner.Name, repo.Name, auth_model.AccessTokenScopeWriteRepository) 187 + doAPIAddCollaborator(testCtx, c.User.Name, perm.AccessModeRead)(t) 188 + } 189 + repo.IsPrivate = c.RepoIsPrivate 190 + _, err := db.GetEngine(db.DefaultContext).Cols("is_private").Update(repo) 191 + require.NoError(t, err) 192 + 193 + // Given the test parameters check that the endpoint returns the same status 194 + // code for both GET and HEAD, which needs to equal the test cases expected 195 + // status code 196 + getReq := NewRequestf(t, "GET", "%s/%s", repo.Link(), c.Endpoint) 197 + getResp := session.MakeRequest(t, getReq, NoExpectedStatus) 198 + headReq := NewRequestf(t, "HEAD", "%s/%s", repo.Link(), c.Endpoint) 199 + headResp := session.MakeRequest(t, headReq, NoExpectedStatus) 200 + require.Equal(t, getResp.Result().StatusCode, headResp.Result().StatusCode) 201 + require.Equal(t, c.ExpectedStatusCode, headResp.Result().StatusCode) 202 + }) 203 + } 204 + }