From 662f553d3782c342add7b010fd25c994159bc018 Mon Sep 17 00:00:00 2001
From: Thomas Miceli <27960254+thomiceli@users.noreply.github.com>
Date: Mon, 20 Jan 2025 03:18:28 +0100
Subject: [PATCH] Remove CSRF check for Git HTTP packs (#408)
---
 internal/web/context/context.go | 5 ++++-
 internal/web/server/middlewares.go | 11 ++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/internal/web/context/context.go b/internal/web/context/context.go
index e10590e..9ea3c80 100644
--- a/internal/web/context/context.go
+++ b/internal/web/context/context.go
@@ -28,11 +28,14 @@ type Context struct {
 }
 func NewContext(c echo.Context, sessionPath string) *Context {
- return &Context{
+ ctx := &Context{
 Context: c,
 data: make(echo.Map),
 store: NewStore(sessionPath),
 }
+
+ ctx.SetRequest(ctx.Request().WithContext(context.WithValue(ctx.Request().Context(), DataKeyStr, ctx.data)))
+ return ctx
 }
 func (ctx *Context) SetData(key string, value any) {
diff --git a/internal/web/server/middlewares.go b/internal/web/server/middlewares.go
index 4149848..52ba9a6 100644
--- a/internal/web/server/middlewares.go
+++ b/internal/web/server/middlewares.go
@@ -17,6 +17,7 @@ import (
 "html/template"
 "net/http"
 "path/filepath"
+ "regexp"
 "strings"
 "time"
 )
@@ -61,7 +62,15 @@ func (s *Server) registerMiddlewares() {
 Skipper: func(ctx echo.Context) bool {
 /* skip CSRF for embeds */
 gistName := ctx.Param("gistname")
- return filepath.Ext(gistName) == ".js"
+
+ /* skip CSRF for git clients */
+ matchUploadPack, _ := regexp.MatchString("(.*?)/git-upload-pack$", ctx.Request().URL.Path)
+ matchReceivePack, _ := regexp.MatchString("(.*?)/git-receive-pack$", ctx.Request().URL.Path)
+ return filepath.Ext(gistName) == ".js" || matchUploadPack || matchReceivePack
+ },
+ ErrorHandler: func(err error, c echo.Context) error {
+ log.Info().Err(err).Msg("CSRF error")
+ return err
 },
 }))
 s.echo.Use(Middleware(csrfInit).toEcho())
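Review bot: The added `ctx.SetRequest(...)` line in NewContext has no comment saying why the data map is attached to the request context, and none of this commit's hunks reads it back, so its link to the CSRF change is not evident. A one-line comment would help, for example `// Attach the data map to the request context under DataKeyStr so <consumer> can read it.`, with the real consumer filled in. If `DataKeyStr` is a plain string, as its name suggests (its declaration is outside the hunk), linters such as staticcheck flag it as a collision-prone key for `context.WithValue`; an unexported key type avoids that. The map is stored by reference, so later `SetData` writes remain visible through the request context.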
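Review bot: The new Skipper switches CSRF protection off for every request whose raw URL path ends in `/git-upload-pack` or `/git-receive-pack`, whatever route or method actually matched, so a cookie-authenticated handler whose last path segment can be user-chosen (a user or gist name, if the router accepts those values, which is not visible here) would lose its token check too. It would be safer to decide on the matched route through `ctx.Path()` and to confirm that the Git handler authenticates with HTTP credentials rather than the session cookie, since that is what makes skipping CSRF acceptable. Separately, `regexp.MatchString` recompiles each pattern on every request and its error is discarded; with `strings` already imported, `strings.HasSuffix(ctx.Request().URL.Path, "/git-receive-pack")` expresses the same test. The new ErrorHandler logs only `"CSRF error"`; including the request method and path would make rejected requests easier to triage. registerMiddlewares starts and ends outside the hunk.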