From 5ffa3afc91733b5d3f776ce56c7683d426238617 Mon Sep 17 00:00:00 2001
From: Yeikel Santana
Date: Wed, 4 Feb 2026 01:45:46 -0500
Subject: [PATCH] fix: public github release downloads should not be authenticated
---
 internal/handlers/git_server.go | 10 ++++++++++
 internal/handlers/git_server_test.go | 23 +++++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/internal/handlers/git_server.go b/internal/handlers/git_server.go
index 6de8fb3..0bba995 100644
--- a/internal/handlers/git_server.go
+++ b/internal/handlers/git_server.go
@@ -323,6 +323,10 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 		return nil
 	}
 
+	if isPublicGitHubDownload(host, r.URL.Path) {
+		return nil
+	}
+
 	// Get credentials for the host that not unscoped to specific repositories.
 	hostCreds := credentials.get(host)
 	credsForRequest := hostCreds.getCredentialsForRepo(allReposScopeIdentifier)
@@ -343,6 +347,12 @@ func getCredentialsForRequest(r *http.Request, credentials *gitCredentialsMap, e
 	return credsForRequest
 }
 
+// GitHub release download URLs are public
+// and do not require authentication
+func isPublicGitHubDownload(host string, path string) bool {
+	return host == "github.com" && strings.Contains(path, "/releases/download/")
+}
+
 // HandleResponse handles retrying failed auth responses with alternate credentials
 // when there are multiple tokens configured for the git server.
 //
diff --git a/internal/handlers/git_server_test.go b/internal/handlers/git_server_test.go
index ca868e6..6cc89c0 100644
--- a/internal/handlers/git_server_test.go
+++ b/internal/handlers/git_server_test.go
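Review bot: `isPublicGitHubDownload` cannot tell a public asset from a private one, so the new early return in `getCredentialsForRequest` (first hunk) strips credentials from every github.com path containing `/releases/download/`, including release assets of private repositories that github.com only serves with a token; users whose configured credential covered that repository will now get an unauthenticated request where they previously got an authenticated one. The match is also unanchored: `strings.Contains` accepts the marker anywhere in the path, whereas asset URLs have the fixed shape `/{owner}/{repo}/releases/download/{tag}/{asset}`, so matching on path segments keeps the exemption to exactly that shape. The doc comment in the second hunk should follow Go convention and start with the function name, and it should state the private-repository limitation so the next reader does not take "public" literally; a segment-based version with that comment is below. `getCredentialsForRequest` starts and ends outside the first hunk and `host` is computed before it, so whether it is normalized (lower-cased, port stripped) before the `== "github.com"` comparison cannot be confirmed from here.
```go
// isPublicGitHubDownload reports whether host and path name a github.com
// release-asset download of the form /{owner}/{repo}/releases/download/{tag}/{asset}.
// Such requests are sent without credentials. The check cannot distinguish assets of
// private repositories, which github.com only serves with a token, so those are
// exempted as well.
func isPublicGitHubDownload(host string, path string) bool {
	if host != "github.com" {
		return false
	}
	parts := strings.Split(strings.Trim(path, "/"), "/")
	return len(parts) >= 6 && parts[2] == "releases" && parts[3] == "download"
}
```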
@@ -124,6 +124,29 @@ func TestGitServerHandler(t *testing.T) {
 		"valid github request")
 }
 
+func TestGitServerPublicReleaseDownload(t *testing.T) {
+	installationCred := testGitSourceCred("github.com", "x-access-token", "v1.token")
+	gheCred := testGitSourceCred("ghe.some-corp.com", "x-access-token", "corp")
+
+	credentials := config.Credentials{
+		installationCred,
+		gheCred,
+	}
+	handler := NewGitServerHandler(credentials, nil)
+
+	req := httptest.NewRequest("HEAD", "https://github.com/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip", nil)
+	req, _ = handler.HandleRequest(req, nil)
+	assertUnauthenticated(t, req, "Public github.com release downloads should not be authenticated")
+
+	req = httptest.NewRequest("HEAD", "https://ghe.some-corp.com/gradle/gradle-distributions/releases/download/v9.3.0/gradle-9.3.0-bin.zip", nil)
+	req, _ = handler.HandleRequest(req, nil)
+	assertHasBasicAuth(t, req,
+		gheCred.GetString("username"),
+		gheCred.GetString("password"),
+		"valid github request")
+
+}
+
 func TestGitServerHandler_AuthenticatedAccessToGitHubRepos(t *testing.T) {
 	installationToken1 := "v1.token1"
 	privateRepo1Cred := testGitSourceCred("github.com", "x-access-token", installationToken1, withAccessibleRepos([]string{"github/private-repo-1"}))
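Review bot: The assertion message on the GHE request, `"valid github request"`, is copied from the end of `TestGitServerHandler` and describes the wrong case, so a failure would point the reader at the wrong scenario; it should read `"GHE release downloads should still be authenticated"`. The test pins only the exempted path: no github.com request outside `/releases/download/` is checked, so a regression that widens the exemption to all of github.com would still pass — one `assertHasBasicAuth` for a github.com URL such as `https://github.com/gradle/gradle-distributions/info/refs` would close that gap, assuming `installationCred` (built by `testGitSourceCred`, defined outside the hunk) applies to that repository. The blank line before the closing brace of `TestGitServerPublicReleaseDownload` is stray and should be dropped.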