Remove CSRF check for Git HTTP packs (#408)

2025-02-12 01:48:02 -05:00 · 2025-01-20 03:18:28 +01:00 · 2025-01-20 03:18:28 +01:00 · 662f553d37
commit 662f553d37
parent a752e0561d
2 changed files with 14 additions and 2 deletions
--- a/internal/web/context/context.go
+++ b/internal/web/context/context.go
@ -28,11 +28,14 @@ type Context struct {
 }

 func NewContext(c echo.Context, sessionPath string) *Context {
-	return &Context{
+	ctx := &Context{
 		Context: c,
 		data:    make(echo.Map),
 		store:   NewStore(sessionPath),
 	}
+
+	ctx.SetRequest(ctx.Request().WithContext(context.WithValue(ctx.Request().Context(), DataKeyStr, ctx.data)))
+	return ctx
 }

 func (ctx *Context) SetData(key string, value any) {
--- a/internal/web/server/middlewares.go
+++ b/internal/web/server/middlewares.go
@ -17,6 +17,7 @@ import (
 	"html/template"
 	"net/http"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"time"
 )
@ -61,7 +62,15 @@ func (s *Server) registerMiddlewares() {
 			Skipper: func(ctx echo.Context) bool {
 				/* skip CSRF for embeds */
 				gistName := ctx.Param("gistname")
-				return filepath.Ext(gistName) == ".js"
+
+				/* skip CSRF for git clients */
+				matchUploadPack, _ := regexp.MatchString("(.*?)/git-upload-pack$", ctx.Request().URL.Path)
+				matchReceivePack, _ := regexp.MatchString("(.*?)/git-receive-pack$", ctx.Request().URL.Path)
+				return filepath.Ext(gistName) == ".js" || matchUploadPack || matchReceivePack
+			},
+			ErrorHandler: func(err error, c echo.Context) error {
+				log.Info().Err(err).Msg("CSRF error")
+				return err
 			},
 		}))
 		s.echo.Use(Middleware(csrfInit).toEcho())