gogs/gogs

Unconstrained private code access via wget

chenghuzi opened this issue · 0 comments

Gogs version

0.14.0+dev

Git version

  • Server: 2.38.5
  • Client: Not applicable

Operating system

Debian GNU/Linux 11

Database

SQLite 3

Describe the bug

I have a private, unlisted repo hosted on Gogs. I attempted to download a notebook file from my repo. Upon obtaining the raw file URL, I tried to download it using wget. Surprisingly, I was able to download it without any problem, even though there was no authentication in my request. My request was as simple as wget file_raw_url. Note that this bug only appears when downloading private items via the command-line wget; it works as expected with a browser.

To reproduce

  • Create a private repo
  • Store some files there
  • Get the raw file URL for any private file in that repo
  • Run wget -c FILE_URL to download that file from any machine.

Expected behavior

The Gogs server should return some error signal for those unauthenticated requests.

Additional context

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
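A small regression check for the behaviour described in the report, written as an added example (not Gogs code and not part of the original issue): it performs the same anonymous GET that plain wget does, with no cookies, no Authorization header and no redirect following, and classifies the answer. A 2xx with a body means the private file was served to an anonymous client; any 3xx/4xx/5xx (a redirect to the login page, a 403 or a 404 that hides the repo) counts as protected. The raw-file URL is taken from the command line; the URL paths in the test are constructed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"time"
)

// RawCheckResult records what an unauthenticated GET of a raw-file URL returned.
type RawCheckResult struct {
	Status    int // HTTP status code of the final (non-followed) response
	BodyBytes int // number of body bytes the server sent
}

// Protected reports whether the server refused to hand the file to an
// anonymous client. Any 2xx is treated as a leak; a redirect to a login
// page or an error status is treated as correct behaviour for a private repo.
func (r RawCheckResult) Protected() bool {
	return r.Status < 200 || r.Status >= 300
}

// NewAnonymousClient builds a client with no cookie jar that never follows
// redirects, so a stale browser session cannot mask the result and a
// 302-to-login is observed as a 302 rather than as the login page's 200.
func NewAnonymousClient() *http.Client {
	return &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// CheckPrivateRaw fetches rawURL exactly as an unauthenticated command-line
// client would (no credentials of any kind) and reports status and body size.
func CheckPrivateRaw(client *http.Client, rawURL string) (RawCheckResult, error) {
	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
	if err != nil {
		return RawCheckResult{}, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return RawCheckResult{}, err
	}
	defer resp.Body.Close()
	// Drain the body to measure it; the content itself is discarded.
	n, err := io.Copy(io.Discard, resp.Body)
	if err != nil {
		return RawCheckResult{}, err
	}
	return RawCheckResult{Status: resp.StatusCode, BodyBytes: int(n)}, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: rawcheck <raw-file-url-of-a-private-repo>")
		os.Exit(2)
	}
	res, err := CheckPrivateRaw(NewAnonymousClient(), os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "request failed:", err)
		os.Exit(2)
	}
	if res.Protected() {
		fmt.Printf("OK: anonymous GET got HTTP %d, file not served\n", res.Status)
		return
	}
	fmt.Printf("LEAK: anonymous GET got HTTP %d with %d bytes of content\n", res.Status, res.BodyBytes)
	os.Exit(1)
}
```

Run it against the raw URL of a file in a private repo after upgrading or changing access settings; a non-zero exit means the instance still serves private content to anonymous clients. Because redirects are not followed, the check does not confuse a login page (served with 200 after a redirect) with the file itself.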