go-gitea
diff --git a/‎cmd/serv.go‎
Lines changed: 6 additions & 8 deletions b/‎cmd/serv.go‎
Lines changed: 6 additions & 8 deletions
diff --git a/‎models/fixtures/lfs_meta_object.yml‎
Lines changed: 17 additions & 1 deletion b/‎models/fixtures/lfs_meta_object.yml‎
Lines changed: 17 additions & 1 deletion
diff --git a/‎models/migrations/v1_21/v276.go‎
Lines changed: 4 additions & 1 deletion b/‎models/migrations/v1_21/v276.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎modules/git/batch_reader.go‎
Lines changed: 2 additions & 3 deletions b/‎modules/git/batch_reader.go‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎modules/lfstransfer/backend/backend.go‎
Lines changed: 22 additions & 22 deletions b/‎modules/lfstransfer/backend/backend.go‎
Lines changed: 22 additions & 22 deletions
diff --git a/‎modules/lfstransfer/backend/lock.go‎
Lines changed: 19 additions & 19 deletions b/‎modules/lfstransfer/backend/lock.go‎
Lines changed: 19 additions & 19 deletions
diff --git a/‎modules/lfstransfer/backend/util.go‎
Lines changed: 5 additions & 5 deletions b/‎modules/lfstransfer/backend/util.go‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎modules/private/internal.go‎
Lines changed: 1 addition & 1 deletion b/‎modules/private/internal.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎routers/common/lfs.go‎
Lines changed: 23 additions & 0 deletions b/‎routers/common/lfs.go‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎routers/private/internal.go‎
Lines changed: 15 additions & 36 deletions b/‎routers/private/internal.go‎
Lines changed: 15 additions & 36 deletions
@@ -111,12 +111,10 @@ func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error
 		if !setting.IsProd {
 			_, _ = fmt.Fprintln(os.Stderr, "Gitea:", logMsg)
 		}
-		if userMessage != "" {
-			if unicode.IsPunct(rune(userMessage[len(userMessage)-1])) {
-				logMsg = userMessage + " " + logMsg
-			} else {
-				logMsg = userMessage + ". " + logMsg
-			}
+		if unicode.IsPunct(rune(userMessage[len(userMessage)-1])) {
+			logMsg = userMessage + " " + logMsg
+		} else {
+			logMsg = userMessage + ". " + logMsg
 		}
 		_ = private.SSHLog(ctx, true, logMsg)
 	}
@@ -288,10 +286,10 @@ func runServ(c *cli.Context) error {
 	if allowedCommands.Contains(verb) {
 		if allowedCommandsLfs.Contains(verb) {
 			if !setting.LFS.StartServer {
-				return fail(ctx, "Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")
+				return fail(ctx, "LFS Server is not enabled", "")
 			}
 			if verb == verbLfsTransfer && !setting.LFS.AllowPureSSH {
-				return fail(ctx, "Unknown git command", "LFS SSH transfer connection denied, pure SSH protocol is disabled")
+				return fail(ctx, "LFS SSH transfer is not enabled", "")
 			}
 			if len(words) > 2 {
 				lfsVerb = words[2]
 
@@ -1,4 +1,11 @@
 # These are the LFS objects in user2/lfs.git
+# user2/lfs is an INVALID repository
+#
+#  commit e9c32647bab825977942598c0efa415de300304b (HEAD -> master)
+#  Author: Rowan Bohde <[email protected]>
+#  Date:   Thu Aug 1 14:38:23 2024 -0500
+#
+#      add invalid lfs file
 -
 
   id: 1
@@ -11,7 +18,7 @@
 
   id: 2
   oid: 2eccdb43825d2a49d99d542daa20075cff1d97d9d2349a8977efe9c03661737c
-  size: 107
+  size: 107 # real size is 2048
   repository_id: 54
   created_unix: 1671607299
 
@@ -30,3 +37,12 @@
   size: 25
   repository_id: 54
   created_unix: 1671607299
+
+# this file is missing
+#-
+#
+#  id: 5
+#  oid: 9d178b5f15046343fd32f451df93acc2bdd9e6373be478b968e4cad6b6647351
+#  size: 25
+#  repository_id: 54
+#  created_unix: 1671607299
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/git"
 	giturl "code.gitea.io/gitea/modules/git/url"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 
 	"xorm.io/xorm"
 )
@@ -163,7 +164,9 @@ func migratePushMirrors(x *xorm.Engine) error {
 
 func getRemoteAddress(ownerName, repoName, remoteName string) (string, error) {
 	repoPath := filepath.Join(setting.RepoRootPath, strings.ToLower(ownerName), strings.ToLower(repoName)+".git")
-
+	if exist, _ := util.IsExist(repoPath); !exist {
+		return "", nil
+	}
 	remoteURL, err := git.GetRemoteAddress(context.Background(), repoPath, remoteName)
 	if err != nil {
 		return "", fmt.Errorf("get remote %s's address of %s/%s failed: %v", remoteName, ownerName, repoName, err)
 
@@ -146,9 +146,8 @@ func catFileBatch(ctx context.Context, repoPath string) (WriteCloserError, *bufi
 }
 
 // ReadBatchLine reads the header line from cat-file --batch
-// We expect:
-// <sha> SP <type> SP <size> LF
-// sha is a hex encoded here
+// We expect: <oid> SP <type> SP <size> LF
+// then leaving the rest of the stream "<contents> LF" to be read
 func ReadBatchLine(rd *bufio.Reader) (sha []byte, typ string, size int64, err error) {
 	typ, err = rd.ReadString('\n')
 	if err != nil {
 
@@ -33,12 +33,12 @@ var _ transfer.Backend = &GiteaBackend{}
 
 // GiteaBackend is an adapter between git-lfs-transfer library and Gitea's internal LFS API
 type GiteaBackend struct {
-	ctx    context.Context
-	server *url.URL
-	op     string
-	token  string
-	itoken string
-	logger transfer.Logger
+	ctx          context.Context
+	server       *url.URL
+	op           string
+	authToken    string
+	internalAuth string
+	logger       transfer.Logger
 }
 
 func New(ctx context.Context, repo, op, token string, logger transfer.Logger) (transfer.Backend, error) {
@@ -48,7 +48,7 @@ func New(ctx context.Context, repo, op, token string, logger transfer.Logger) (t
 		return nil, err
 	}
 	server = server.JoinPath("api/internal/repo", repo, "info/lfs")
-	return &GiteaBackend{ctx: ctx, server: server, op: op, token: token, itoken: fmt.Sprintf("Bearer %s", setting.InternalToken), logger: logger}, nil
+	return &GiteaBackend{ctx: ctx, server: server, op: op, authToken: token, internalAuth: fmt.Sprintf("Bearer %s", setting.InternalToken), logger: logger}, nil
 }
 
 // Batch implements transfer.Backend
@@ -73,10 +73,10 @@ func (g *GiteaBackend) Batch(_ string, pointers []transfer.BatchItem, args trans
 	}
 	url := g.server.JoinPath("objects/batch").String()
 	headers := map[string]string{
-		headerAuthorisation: g.itoken,
-		headerAuthX:         g.token,
-		headerAccept:        mimeGitLFS,
-		headerContentType:   mimeGitLFS,
+		headerAuthorisation:     g.authToken,
+		headerGiteaInternalAuth: g.internalAuth,
+		headerAccept:            mimeGitLFS,
+		headerContentType:       mimeGitLFS,
 	}
 	req := newInternalRequest(g.ctx, url, http.MethodPost, headers, bodyBytes)
 	resp, err := req.Response()
@@ -183,9 +183,9 @@ func (g *GiteaBackend) Download(oid string, args transfer.Args) (io.ReadCloser,
 	}
 	url := action.Href
 	headers := map[string]string{
-		headerAuthorisation: g.itoken,
-		headerAuthX:         g.token,
-		headerAccept:        mimeOctetStream,
+		headerAuthorisation:     g.authToken,
+		headerGiteaInternalAuth: g.internalAuth,
+		headerAccept:            mimeOctetStream,
 	}
 	req := newInternalRequest(g.ctx, url, http.MethodGet, headers, nil)
 	resp, err := req.Response()
@@ -229,10 +229,10 @@ func (g *GiteaBackend) Upload(oid string, size int64, r io.Reader, args transfer
 	}
 	url := action.Href
 	headers := map[string]string{
-		headerAuthorisation: g.itoken,
-		headerAuthX:         g.token,
-		headerContentType:   mimeOctetStream,
-		headerContentLength: strconv.FormatInt(size, 10),
+		headerAuthorisation:     g.authToken,
+		headerGiteaInternalAuth: g.internalAuth,
+		headerContentType:       mimeOctetStream,
+		headerContentLength:     strconv.FormatInt(size, 10),
 	}
 	reqBytes, err := io.ReadAll(r)
 	if err != nil {
@@ -279,10 +279,10 @@ func (g *GiteaBackend) Verify(oid string, size int64, args transfer.Args) (trans
 	}
 	url := action.Href
 	headers := map[string]string{
-		headerAuthorisation: g.itoken,
-		headerAuthX:         g.token,
-		headerAccept:        mimeGitLFS,
-		headerContentType:   mimeGitLFS,
+		headerAuthorisation:     g.authToken,
+		headerGiteaInternalAuth: g.internalAuth,
+		headerAccept:            mimeGitLFS,
+		headerContentType:       mimeGitLFS,
 	}
 	req := newInternalRequest(g.ctx, url, http.MethodPost, headers, bodyBytes)
 	resp, err := req.Response()
 
@@ -21,17 +21,17 @@ import (
 var _ transfer.LockBackend = &giteaLockBackend{}
 
 type giteaLockBackend struct {
-	ctx    context.Context
-	g      *GiteaBackend
-	server *url.URL
-	token  string
-	itoken string
-	logger transfer.Logger
+	ctx          context.Context
+	g            *GiteaBackend
+	server       *url.URL
+	authToken    string
+	internalAuth string
+	logger       transfer.Logger
 }
 
 func newGiteaLockBackend(g *GiteaBackend) transfer.LockBackend {
 	server := g.server.JoinPath("locks")
-	return &giteaLockBackend{ctx: g.ctx, g: g, server: server, token: g.token, itoken: g.itoken, logger: g.logger}
+	return &giteaLockBackend{ctx: g.ctx, g: g, server: server, authToken: g.authToken, internalAuth: g.internalAuth, logger: g.logger}
 }
 
 // Create implements transfer.LockBackend
@@ -45,10 +45,10 @@ func (g *giteaLockBackend) Create(path, refname string) (transfer.Lock, error) {
 	}
 	url := g.server.String()
 	headers := map[string]string{
-		headerAuthorisation: g.itoken,
-		headerAuthX:         g.token,
-		headerAccept:        mimeGitLFS,
-		headerContentType:   mimeGitLFS,
+		headerAuthorisation:     g.authToken,
+		headerGiteaInternalAuth: g.internalAuth,
+		headerAccept:            mimeGitLFS,
+		headerContentType:       mimeGitLFS,
 	}
 	req := newInternalRequest(g.ctx, url, http.MethodPost, headers, bodyBytes)
 	resp, err := req.Response()
@@ -97,10 +97,10 @@ func (g *giteaLockBackend) Unlock(lock transfer.Lock) error {
 	}
 	url := g.server.JoinPath(lock.ID(), "unlock").String()
 	headers := map[string]string{
-		headerAuthorisation: g.itoken,
-		headerAuthX:         g.token,
-		headerAccept:        mimeGitLFS,
-		headerContentType:   mimeGitLFS,
+		headerAuthorisation:     g.authToken,
+		headerGiteaInternalAuth: g.internalAuth,
+		headerAccept:            mimeGitLFS,
+		headerContentType:       mimeGitLFS,
 	}
 	req := newInternalRequest(g.ctx, url, http.MethodPost, headers, bodyBytes)
 	resp, err := req.Response()
@@ -180,10 +180,10 @@ func (g *giteaLockBackend) queryLocks(v url.Values) ([]transfer.Lock, string, er
 	urlq.RawQuery = v.Encode()
 	url := urlq.String()
 	headers := map[string]string{
-		headerAuthorisation: g.itoken,
-		headerAuthX:         g.token,
-		headerAccept:        mimeGitLFS,
-		headerContentType:   mimeGitLFS,
+		headerAuthorisation:     g.authToken,
+		headerGiteaInternalAuth: g.internalAuth,
+		headerAccept:            mimeGitLFS,
+		headerContentType:       mimeGitLFS,
 	}
 	req := newInternalRequest(g.ctx, url, http.MethodGet, headers, nil)
 	resp, err := req.Response()
 
@@ -20,11 +20,11 @@ import (
 
 // HTTP headers
 const (
-	headerAccept        = "Accept"
-	headerAuthorisation = "Authorization"
-	headerAuthX         = "X-Auth"
-	headerContentType   = "Content-Type"
-	headerContentLength = "Content-Length"
+	headerAccept            = "Accept"
+	headerAuthorisation     = "Authorization"
+	headerGiteaInternalAuth = "X-Gitea-Internal-Auth"
+	headerContentType       = "Content-Type"
+	headerContentLength     = "Content-Length"
 )
 
 // MIME types
 
@@ -43,7 +43,7 @@ Ensure you are running in the correct environment or set the correct configurati
 	req := httplib.NewRequest(url, method).
 		SetContext(ctx).
 		Header("X-Real-IP", getClientIP()).
-		Header("Authorization", fmt.Sprintf("Bearer %s", setting.InternalToken)).
+		Header("X-Gitea-Internal-Auth", fmt.Sprintf("Bearer %s", setting.InternalToken)).
 		SetTLSClientConfig(&tls.Config{
 			InsecureSkipVerify: true,
 			ServerName:         setting.Domain,
 
@@ -0,0 +1,23 @@
+package common
+
+import (
+	"code.gitea.io/gitea/modules/web"
+	"code.gitea.io/gitea/services/lfs"
+)
+
+func AddOwnerRepoGitLFSRoutes(m *web.Router, middlewares ...any) {
+	// shared by web and internal routers
+	m.Group("/{username}/{reponame}/info/lfs", func() {
+		m.Post("/objects/batch", lfs.CheckAcceptMediaType, lfs.BatchHandler)
+		m.Put("/objects/{oid}/{size}", lfs.UploadHandler)
+		m.Get("/objects/{oid}/{filename}", lfs.DownloadHandler)
+		m.Get("/objects/{oid}", lfs.DownloadHandler)
+		m.Post("/verify", lfs.CheckAcceptMediaType, lfs.VerifyHandler)
+		m.Group("/locks", func() {
+			m.Get("/", lfs.GetListLockHandler)
+			m.Post("/", lfs.PostLockHandler)
+			m.Post("/verify", lfs.VerifyLockHandler)
+			m.Post("/{lid}/unlock", lfs.UnLockHandler)
+		}, lfs.CheckAcceptMediaType)
+	}, middlewares...)
+}
@@ -5,6 +5,7 @@
 package private
 
 import (
+	"crypto/subtle"
 	"net/http"
 	"strings"
 
@@ -14,28 +15,30 @@ import (
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/common"
 	"code.gitea.io/gitea/services/context"
-	"code.gitea.io/gitea/services/lfs"
 
 	"gitea.com/go-chi/binding"
 	chi_middleware "github.com/go-chi/chi/v5/middleware"
 )
 
-// CheckInternalToken check internal token is set
-func CheckInternalToken(next http.Handler) http.Handler {
+const RouterMockPointInternalLFS = "internal-lfs"
+
+func authInternal(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		tokens := req.Header.Get("Authorization")
-		fields := strings.SplitN(tokens, " ", 2)
 		if setting.InternalToken == "" {
 			log.Warn(`The INTERNAL_TOKEN setting is missing from the configuration file: %q, internal API can't work.`, setting.CustomConf)
 			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 			return
 		}
-		if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken {
+
+		tokens := req.Header.Get("X-Gitea-Internal-Auth") // TODO: use something like JWT or HMAC to avoid passing the token in the clear
+		after, found := strings.CutPrefix(tokens, "Bearer ")
+		authSucceeded := found && subtle.ConstantTimeCompare([]byte(after), []byte(setting.InternalToken)) == 0
+		if !authSucceeded {
 			log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)
 			http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
-		} else {
-			next.ServeHTTP(w, req)
+			return
 		}
+		next.ServeHTTP(w, req)
 	})
 }
 
@@ -48,20 +51,12 @@ func bind[T any](_ T) any {
 	}
 }
 
-// SwapAuthToken swaps Authorization header with X-Auth header
-func swapAuthToken(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
-		req.Header.Set("Authorization", req.Header.Get("X-Auth"))
-		next.ServeHTTP(w, req)
-	})
-}
-
 // Routes registers all internal APIs routes to web application.
 // These APIs will be invoked by internal commands for example `gitea serv` and etc.
 func Routes() *web.Router {
 	r := web.NewRouter()
 	r.Use(context.PrivateContexter())
-	r.Use(CheckInternalToken)
+	r.Use(authInternal)
 	// Log the real ip address of the request from SSH is really helpful for diagnosing sometimes.
 	// Since internal API will be sent only from Gitea sub commands and it's under control (checked by InternalToken), we can trust the headers.
 	r.Use(chi_middleware.RealIP)
@@ -90,25 +85,9 @@ func Routes() *web.Router {
 	r.Post("/restore_repo", RestoreRepo)
 	r.Post("/actions/generate_actions_runner_token", GenerateActionsRunnerToken)
 
-	r.Group("/repo/{username}/{reponame}", func() {
-		r.Group("/info/lfs", func() {
-			r.Post("/objects/batch", lfs.CheckAcceptMediaType, lfs.BatchHandler)
-			r.Put("/objects/{oid}/{size}", lfs.UploadHandler)
-			r.Get("/objects/{oid}/{filename}", lfs.DownloadHandler)
-			r.Get("/objects/{oid}", lfs.DownloadHandler)
-			r.Post("/verify", lfs.CheckAcceptMediaType, lfs.VerifyHandler)
-			r.Group("/locks", func() {
-				r.Get("/", lfs.GetListLockHandler)
-				r.Post("/", lfs.PostLockHandler)
-				r.Post("/verify", lfs.VerifyLockHandler)
-				r.Post("/{lid}/unlock", lfs.UnLockHandler)
-			}, lfs.CheckAcceptMediaType)
-			r.Any("/*", func(ctx *context.Context) {
-				ctx.NotFound("", nil)
-			})
-		}, swapAuthToken)
-	}, common.Sessioner(), context.Contexter())
-	// end "/repo/{username}/{reponame}": git (LFS) API mirror
+	r.Group("/repo", func() {
+		common.AddOwnerRepoGitLFSRoutes(r, web.RouterMockPoint(RouterMockPointInternalLFS))
+	})
 
 	return r
 }
Original file line number	Diff line number	Diff line change
`@@ -111,12 +111,10 @@ func fail(ctx context.Context, userMessage, logMsgFmt string, args ...any) error`
`111`	`111`	`if !setting.IsProd {`
`112`	`112`	`_, _ = fmt.Fprintln(os.Stderr, "Gitea:", logMsg)`
`113`	`113`	`}`
`114`		`- if userMessage != "" {`
`115`		`- if unicode.IsPunct(rune(userMessage[len(userMessage)-1])) {`
`116`		`- logMsg = userMessage + " " + logMsg`
`117`		`- } else {`
`118`		`- logMsg = userMessage + ". " + logMsg`
`119`		`- }`
	`114`	`+ if unicode.IsPunct(rune(userMessage[len(userMessage)-1])) {`
	`115`	`+ logMsg = userMessage + " " + logMsg`
	`116`	`+ } else {`
	`117`	`+ logMsg = userMessage + ". " + logMsg`
`120`	`118`	`}`
`121`	`119`	`_ = private.SSHLog(ctx, true, logMsg)`
`122`	`120`	`}`
`@@ -288,10 +286,10 @@ func runServ(c *cli.Context) error {`
`288`	`286`	`if allowedCommands.Contains(verb) {`
`289`	`287`	`if allowedCommandsLfs.Contains(verb) {`
`290`	`288`	`if !setting.LFS.StartServer {`
`291`		`- return fail(ctx, "Unknown git command", "LFS authentication request over SSH denied, LFS support is disabled")`
	`289`	`+ return fail(ctx, "LFS Server is not enabled", "")`
`292`	`290`	`}`
`293`	`291`	`if verb == verbLfsTransfer && !setting.LFS.AllowPureSSH {`
`294`		`- return fail(ctx, "Unknown git command", "LFS SSH transfer connection denied, pure SSH protocol is disabled")`
	`292`	`+ return fail(ctx, "LFS SSH transfer is not enabled", "")`
`295`	`293`	`}`
`296`	`294`	`if len(words) > 2 {`
`297`	`295`	`lfsVerb = words[2]`