Private+Anonymous Read repo: /api/../archive/ fails with "The target couldn't be found." #14650

Closed
opened 2025-11-02 11:18:59 -06:00 by GiteaMirror · 2 comments
Owner

Originally created by @pbsds on GitHub (Jun 24, 2025).

Description

The header of my repo displays these labels:

![Image](https://github.com/user-attachments/assets/a202f366-b969-41c6-8b8f-d50d25f57a3a)

Repo settings:

![Image](https://github.com/user-attachments/assets/b2584be5-a0af-431f-bf98-7d7a9bcf13bd)

Fetching an archive of a repo works:

```shell
$ curl -I https://{hostname}/{owner}/{repo}/archive/main.tar.gz
HTTP/2 200
server: nginx
date: Tue, 24 Jun 2025 23:07:11 GMT
content-type: application/octet-stream
content-length: 655169
accept-ranges: bytes
access-control-expose-headers: Content-Disposition
cache-control: max-age=0, private, must-revalidate, no-transform
content-disposition: attachment; filename="{repo}-main.tar.gz"; filename*=UTF-8''{repo}-main.tar.gz
last-modified: Mon, 23 Jun 2025 22:20:43 GMT
link: <https://{hostname}/api/v1/repos{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78>; rel="immutable"
no-gzip-compression: 1
set-cookie: session=fe2e418eb5a7a3fd; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _csrf=Ylk7fhmB5R1FCoTGyC7ax5Y4ebQ6MTc1MDgwNjQzMTIzMzcwMTc4Mw; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
```

Tools like `nix flake lock` will use the URL from the `link` header for reproducibility. It however does not work:

```shell
$ curl -I https://{hostname}/api/v1/repos/{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78
HTTP/2 405
server: nginx
date: Tue, 24 Jun 2025 23:11:22 GMT
allow: GET
cache-control: max-age=0, private, must-revalidate, no-transform
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
$ curl https://{hostname}/api/v1/repos/{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78
{"errors":null,"message":"The target couldn't be found.","url":"https://{hostname}/api/swagger"}
```

Interestingly, however, it works when I use the non-`/api/v1/repos/` endpoint:

```shell
$ curl https://{hostname}/{owner}/{repo}/archive/fb7b0a7e70754cf368de7d7c469dabe71b2f1c78.tar.gz?rev=fb7b0a7e70754cf368de7d7c469dabe71b2f1c78
Warning: Binary output can mess up your terminal. Use "--output -" to tell curl to output it to your terminal anyway, or consider "--output <FILE>" to save to a file.
```

As such I assume this bug is https://github.com/go-gitea/gitea/issues/8649 / https://github.com/go-gitea/gitea/pull/33127 not applying to /api/ endpoints.

Gitea Version

1.24.0

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

From the demo instance:

![Image](https://github.com/user-attachments/assets/533c438f-65f9-4bce-8493-148769811597)

![Image](https://github.com/user-attachments/assets/5aac1c96-5cc1-400f-ba08-c26e3d320968)

```shell
$ curl -I https://demo.gitea.com/pbsds/asd/archive/main.zip
HTTP/2 200
accept-ranges: bytes
access-control-expose-headers: Content-Disposition
alt-svc: h3=":443"; ma=2592000
cache-control: max-age=0, private, must-revalidate, no-transform
content-disposition: attachment; filename="asd-main.zip"; filename*=UTF-8''asd-main.zip
content-type: application/octet-stream
date: Tue, 24 Jun 2025 23:26:13 GMT
last-modified: Tue, 24 Jun 2025 23:26:12 GMT
link: <https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d>; rel="immutable"
no-gzip-compression: 1
server: Caddy
set-cookie: i_like_gitea=f8abf4e28a620ef7; Path=/; HttpOnly; Secure; SameSite=Lax
set-cookie: _csrf=_0iXbqCgf9umvJNC56urX0Bf7cA6MTc1MDgwNzU2ODc2NDI5MDcwMA; Path=/; Max-Age=86400; HttpOnly; Secure; SameSite=Lax
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-length: 286

$ curl -I http://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
Server: Caddy
Date: Tue, 24 Jun 2025 23:26:23 GMT

$ curl -I https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
HTTP/2 405
allow: GET
alt-svc: h3=":443"; ma=2592000
cache-control: max-age=0, private, must-revalidate, no-transform
date: Tue, 24 Jun 2025 23:26:43 GMT
server: Caddy
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN

$ curl https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d
{"errors":null,"message":"not found","url":"https://demo.gitea.com/api/swagger"}
```

Git Version

No response

Operating System

No response

How are you running Gitea?

We use the NixOS module, which in turn uses nginx.

Database

PostgreSQL

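The report hinges on the `link: <...>; rel="immutable"` header that lockfile tools follow. As an added example (not Gitea's code, nor the reporter's), this parses that header and checks the target is pinned to a single commit, i.e. the 40-hex SHA in the path equals the `?rev=` query value; the sample header value is copied from the demo-site output above.

```python
"""Parse the Link header Gitea sends on archive downloads and check that the
rel="immutable" target is pinned to one commit (example code for this issue)."""
import re
from urllib.parse import parse_qs, urlsplit

# One link-value: <target>; param=value; param=value ... (comma separates links)
LINK_RE = re.compile(r'<([^>]*)>\s*((?:;\s*[^;,]+)*)')
# Archive path pinned to a full commit SHA, e.g. /archive/<40 hex>.tar.gz
SHA_RE = re.compile(r'/archive/([0-9a-f]{40})\.(?:tar\.gz|zip|bundle)$')


def parse_link_header(value):
    """Return [(target_url, {param: value})] for an RFC 8288 Link header."""
    links = []
    for m in LINK_RE.finditer(value):
        url, raw_params = m.group(1), m.group(2)
        params = {}
        for p in raw_params.split(';'):
            p = p.strip()
            if not p:
                continue
            k, _, v = p.partition('=')
            params[k.strip().lower()] = v.strip().strip('"')
        links.append((url, params))
    return links


def immutable_archive(link_value):
    """Pick the rel="immutable" target and report whether it is really pinned:
    the SHA in the path must exist and match the rev query parameter."""
    for url, params in parse_link_header(link_value):
        if 'immutable' not in params.get('rel', '').split():
            continue
        parts = urlsplit(url)
        m = SHA_RE.search(parts.path)
        sha = m.group(1) if m else None
        rev = parse_qs(parts.query).get('rev', [None])[0]
        return {'url': url, 'sha': sha, 'rev': rev,
                'pinned': sha is not None and sha == rev}
    return None


# Header value copied from the demo-site response quoted in the report.
DEMO_LINK = ('<https://demo.gitea.com/api/v1/repos/pbsds/asd/archive/'
             '2b369676dcf0c63d043d40b454c6dac29ba5200d.tar.gz'
             '?rev=2b369676dcf0c63d043d40b454c6dac29ba5200d>; rel="immutable"')

if __name__ == '__main__':
    print(immutable_archive(DEMO_LINK))
```

A pinned `link` target only helps reproducibility if the URL also resolves; the report shows the `/api/v1/repos/` path it points at answering 405 to HEAD and 404 to anonymous GET, which is exactly what a lockfile tool would trip over.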
GiteaMirror added the type/bug label 2025-11-02 11:18:59 -06:00
Author
Owner

@wxiaoguang commented on GitHub (Jun 25, 2025):

2 problems here:

  1. API doesn't support HEAD request
  2. API doesn't support anonymous user to read a private repo with public access
Author
Owner

@wxiaoguang commented on GitHub (Jun 25, 2025):

-> Fix archive API #34853

Reference: github-starred/gitea#14650