From d4f75fb6db22e57577867445a022227e70958931 Mon Sep 17 00:00:00 2001
From: Rutger Broekhoff
Date: Tue, 2 Jan 2024 17:44:14 +0100
Subject: Wheee

---
 cmd/git-lfs-server/main.go | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

(limited to 'cmd')

diff --git a/cmd/git-lfs-server/main.go b/cmd/git-lfs-server/main.go
index 0652e87..b13f997 100644
--- a/cmd/git-lfs-server/main.go
+++ b/cmd/git-lfs-server/main.go
@@ -92,12 +92,13 @@ type batchResponse struct {
 }
 
 type handler struct {
-	mc           *minio.Client
-	bucket       string
-	anonUser     string
-	gitolitePath string
-	privateKey   ed25519.PrivateKey
-	baseURL      *url.URL
+	mc                      *minio.Client
+	bucket                  string
+	anonUser                string
+	gitolitePath            string
+	privateKey              ed25519.PrivateKey
+	baseURL                 *url.URL
+	exportAllForwardedHosts []string
 }
 
 func isValidSHA256Hash(hash string) bool {
@@ -566,6 +567,16 @@ func (h *handler) authorizeBatchAPI(w http.ResponseWriter, r *http.Request, or o
 	user := h.anonUser
 	ctx := r.Context()
 
+	if or.operation == operationDownload {
+		// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host
+		forwardedHost := r.Header.Get("X-Forwarded-Host")
+		if forwardedHost != "" && slices.Contains(h.exportAllForwardedHosts, forwardedHost) {
+			// This is a forwarded host for which all repositories are exported,
+			// regardless of ownership configuration in Gitolite.
+			return true
+		}
+	}
+
 	if authz := r.Header.Get("Authorization"); authz != "" {
 		if !strings.HasPrefix(authz, "Bearer ") {
 			makeRespError(ctx, w, "Invalid Authorization header", http.StatusBadRequest)
@@ -821,8 +832,10 @@ func main() {
 	baseURLStr := os.Getenv("BASE_URL")
 	listenHost := os.Getenv("LISTEN_HOST")
 	listenPort := os.Getenv("LISTEN_PORT")
+	exportAllForwardedHostsStr := os.Getenv("EXPORT_ALL_FORWARDED_HOSTS")
 
 	listenAddr := net.JoinHostPort(listenHost, listenPort)
+	exportAllForwardedHosts := strings.Split(exportAllForwardedHostsStr, ",")
 
 	if gitolitePath == "" {
 		gitolitePath = "gitolite"
@@ -879,7 +892,7 @@ func main() {
 		die("Fatal: failed to create S3 client: %s", err)
 	}
 
-	h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL}
+	h := &handler{mc, bucket, anonUser, gitolitePath, privateKey, baseURL, exportAllForwardedHosts}
 	if err = http.ListenAndServe(listenAddr, h); err != nil {
 		die("Fatal: failed to serve CGI: %s", err)
 	}
-- 
cgit v1.2.3