fix: Add missed token scope checking (#37735)

Follow #37698
2026-05-18 11:10:00 +00:00 · 2026-05-17 21:52:08 -07:00
parent 2d1eb28083
commit c3d9d07702
2 changed files with 51 additions and 3 deletions
--- a/routers/web/repo/repo.go
+++ b/routers/web/repo/repo.go
@@ -364,6 +364,10 @@ func RedirectDownload(ctx *context.Context) {

 // Download an archive of a repository
 func Download(ctx *context.Context) {
+	if !checkDownloadTokenScope(ctx) {
+		return
+	}
+
 	aReq, err := archiver_service.NewRequest(ctx.Repo.Repository, ctx.Repo.GitRepo, ctx.PathParam("*"), ctx.FormStrings("path"))
 	if err != nil {
 		if errors.Is(err, util.ErrInvalidArgument) {
@@ -389,6 +393,10 @@ func Download(ctx *context.Context) {
 // a request that's already in-progress, but the archiver service will just
 // kind of drop it on the floor if this is the case.
 func InitiateDownload(ctx *context.Context) {
+	if !checkDownloadTokenScope(ctx) {
+		return
+	}
+
 	paths := ctx.FormStrings("path")
 	if setting.Repository.StreamArchives || len(paths) > 0 {
 		ctx.JSON(http.StatusOK, map[string]any{
--- a/tests/integration/download_test.go
+++ b/tests/integration/download_test.go
@@ -17,6 +17,7 @@ import (

 type downloadScopeCase struct {
 	name         string
+	method       string
 	url          string
 	withScope    int
 	publicOnlyOK bool
@@ -88,68 +89,107 @@ func TestDownloadRepoContentTokenScopes(t *testing.T) {
 	publicOnlyToken := getUserToken(t, "user2", auth_model.AccessTokenScopeReadRepository, auth_model.AccessTokenScopePublicOnly)

 	cases := []downloadScopeCase{
+		{
+			name:         "PublicArchiveDownload",
+			method:       http.MethodGet,
+			url:          "/user2/repo1/archive/master.tar.gz",
+			withScope:    http.StatusOK,
+			publicOnlyOK: true,
+		},
+		{
+			name:         "PrivateArchiveDownload",
+			method:       http.MethodGet,
+			url:          "/user2/repo2/archive/master.tar.gz",
+			withScope:    http.StatusOK,
+			publicOnlyOK: false,
+		},
+		{
+			name:         "PublicArchiveInitiate",
+			method:       http.MethodPost,
+			url:          "/user2/repo1/archive/master.tar.gz",
+			withScope:    http.StatusOK,
+			publicOnlyOK: true,
+		},
+		{
+			name:         "PrivateArchiveInitiate",
+			method:       http.MethodPost,
+			url:          "/user2/repo2/archive/master.tar.gz",
+			withScope:    http.StatusOK,
+			publicOnlyOK: false,
+		},
 		{
 			name:         "PublicRawBlob",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PublicRawBranch",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/raw/branch/master/README.md",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PublicRawTag",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/raw/tag/v1.1/README.md",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PublicRawCommit",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/raw/commit/65f1bf27bc3bf70f64657658635e66094edbcb4d/README.md",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PublicMediaBlob",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/media/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PublicMediaBranch",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/media/branch/master/README.md",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PublicMediaTag",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/media/tag/v1.1/README.md",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PublicMediaCommit",
+			method:       http.MethodGet,
 			url:          "/user2/repo1/media/commit/65f1bf27bc3bf70f64657658635e66094edbcb4d/README.md",
 			withScope:    http.StatusOK,
 			publicOnlyOK: true,
 		},
 		{
 			name:         "PrivateRawBranch",
+			method:       http.MethodGet,
 			url:          "/user2/repo2/raw/branch/master/test.xml",
 			withScope:    http.StatusOK,
 			publicOnlyOK: false,
 		},
 		{
 			name:         "PrivateRawBlob",
+			method:       http.MethodGet,
 			url:          "/user2/repo2/raw/blob/6395b68e1feebb1e4c657b4f9f6ba2676a283c0b",
 			withScope:    http.StatusOK,
 			publicOnlyOK: false,
 		},
 		{
 			name:         "PrivateMediaBranch",
+			method:       http.MethodGet,
 			url:          "/user2/repo2/media/branch/master/test.xml",
 			withScope:    http.StatusOK,
 			publicOnlyOK: false,
@@ -158,14 +198,14 @@ func TestDownloadRepoContentTokenScopes(t *testing.T) {

 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(miscToken), http.StatusForbidden)
-			MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(ownerReadToken), tc.withScope)
+			MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(miscToken), http.StatusForbidden)
+			MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(ownerReadToken), tc.withScope)

 			publicOnlyStatus := http.StatusForbidden
 			if tc.publicOnlyOK {
 				publicOnlyStatus = tc.withScope
 			}
-			MakeRequest(t, NewRequest(t, "GET", tc.url).AddTokenAuth(publicOnlyToken), publicOnlyStatus)
+			MakeRequest(t, NewRequest(t, tc.method, tc.url).AddTokenAuth(publicOnlyToken), publicOnlyStatus)
 		})
 	}
 }