Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix download mode leak for latest and list handlers #1826

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix download mode leak for latest and list handlers #1826

wants to merge 3 commits into from

Conversation

ngshiheng
Copy link
Contributor

@ngshiheng ngshiheng commented Feb 16, 2023
edited

What is the problem I am trying to address?

Despite being set to restrict download via the download mode file, the /list and /latest handlers are still returning data to the user.

This presents a serious security issue, as sensitive module information could potentially be exposed to unauthorized parties.

How is the fix applied?

Check if DownloadMode is set to "none" for a specific module. If so, we just return errors.KindNotFound.

How is this tested?

  • Use a custom download.example.hcl file containing:
download "secret/module/repo/*" {
    mode = "none"
}
  • Before this PR: curl https://proxy.example.com/secret/module/repo/@latest will return data
  • After this PR: curl https://proxy.example.com/bad/module/repo/@latest will return not found error (404)

The same behavior applies to /list endpoint.

What GitHub issue(s) does this PR fix or close?

Fixes #1774

@ngshiheng ngshiheng requested a review from a team as a code owner February 16, 2023 11:54
marwan-at-work
marwan-at-work reviewed Feb 16, 2023
View reviewed changes
Copy link
Contributor

@marwan-at-work marwan-at-work left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The download mode is strictly for what to do "when a module is not found", which is only for .zip/.info/.mod endpoint, not for /list and latest. For those, you can check the network mode configuration.

Maybe the docs were not clear enough?

@ngshiheng
Copy link
Contributor Author

ngshiheng commented Feb 16, 2023
edited

Ah, I kinda understand where you're coming from. Though, the docs did mention blocking certain modules as a use case.

Just to explain it from the perspective of our organization, this is one of the primary use cases of Athens - to act as a vendor to supply a set of internal modules to our downstream:

downloadURL = "https://proxy.golang.org"

mode = "sync"

download "company.gitlab.com/repo/a" {
    mode = "sync"
}

download "company.gitlab.com/repo/b" {
    mode = "sync"
}

download "company.gitlab.com/*" {
    mode = "none"
}

In this case, our users should only have access to repo/a and repo/b and nothing more from company.gitlab.com. However, the current behavior of Athens /list and /latest endpoints allows them to query for information that they shouldn't have access to, e.g. company.gitlab.com/repo/c/@latest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marwan-at-work marwan-at-work marwan-at-work left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Download Mode leaks
2 participants
@ngshiheng @marwan-at-work