Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix download mode leak for latest and list handlers #1826

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

ngshiheng
Copy link
Contributor

@ngshiheng ngshiheng commented Feb 16, 2023

What is the problem I am trying to address?

Despite being set to restrict download via the download mode file, the /list and /latest handlers are still returning data to the user.

This presents a serious security issue, as sensitive module information could potentially be exposed to unauthorized parties.

How is the fix applied?

Check if DownloadMode is set to "none" for a specific module. If so, we just return errors.KindNotFound.

How is this tested?

  • Use a custom download.example.hcl file containing:
download "secret/module/repo/*" {
    mode = "none"
}
  • Before this PR: curl https://proxy.example.com/secret/module/repo/@latest will return data
  • After this PR: curl https://proxy.example.com/bad/module/repo/@latest will return not found error (404)

The same behavior applies to /list endpoint.

What GitHub issue(s) does this PR fix or close?

Fixes #1774

@ngshiheng ngshiheng requested a review from a team as a code owner February 16, 2023 11:54
@ngshiheng ngshiheng force-pushed the fix-download-mode-leaks branch from d7c30de to feab0c7 Compare February 16, 2023 12:34
Copy link
Contributor

@marwan-at-work marwan-at-work left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The download mode is strictly for what to do "when a module is not found", which is only for .zip/.info/.mod endpoint, not for /list and latest. For those, you can check the network mode configuration.

Maybe the docs were not clear enough?

@ngshiheng
Copy link
Contributor Author

ngshiheng commented Feb 16, 2023

Ah, I kinda understand where you're coming from. Though, the docs did mention blocking certain modules as a use case.

Just to explain it from the perspective of our organization, this is one of the primary use cases of Athens - to act as a vendor to supply a set of internal modules to our downstream:

downloadURL = "https://proxy.golang.org"

mode = "sync"

download "company.gitlab.com/repo/a" {
    mode = "sync"
}

download "company.gitlab.com/repo/b" {
    mode = "sync"
}

download "company.gitlab.com/*" {
    mode = "none"
}

In this case, our users should only have access to repo/a and repo/b and nothing more from company.gitlab.com. However, the current behavior of Athens /list and /latest endpoints allows them to query for information that they shouldn't have access to, e.g. company.gitlab.com/repo/c/@latest.

@ngshiheng ngshiheng force-pushed the fix-download-mode-leaks branch from 7ade5fc to 962acf0 Compare February 28, 2023 06:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Download Mode leaks
2 participants