mirror of https://code.forgejo.org/forgejo/runner.git synced 2025-09-15 18:57:01 +00:00

Fix security issues with cache by proxying access (#503)

This is the forgejo-runner-side patch for a partial overhaul of the cache system to fix some access control issues with caches.

This code depends on changes in act which are being reviewed here: forgejo/act#107

Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/502
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/503
Reviewed-by: Gusted <gusted@noreply.code.forgejo.org>
Co-authored-by: Kwonunn <kwonunnx@gmail.com>
Co-committed-by: Kwonunn <kwonunnx@gmail.com>
Kwonunn 2025-03-22 00:03:09 +00:00 committed by Kwonunn
parent e5e28d16a5
commit 46eb63a952
8 changed files with 139 additions and 38 deletions


@ -17,9 +17,10 @@ import (
)
type cacheServerArgs struct {
Dir string
Host string
Port uint16
Dir string
Host string
Port uint16
Secret string
}
func runCacheServer(ctx context.Context, configFile *string, cacheArgs *cacheServerArgs) func(cmd *cobra.Command, args []string) error {
@ -32,9 +33,10 @@ func runCacheServer(ctx context.Context, configFile *string, cacheArgs *cacheSer
initLogging(cfg)
var (
dir = cfg.Cache.Dir
host = cfg.Cache.Host
port = cfg.Cache.Port
dir = cfg.Cache.Dir
host = cfg.Cache.Host
port = cfg.Cache.Port
secret = cfg.Cache.Secret
)
// cacheArgs has higher priority
@ -47,11 +49,21 @@ func runCacheServer(ctx context.Context, configFile *string, cacheArgs *cacheSer
if cacheArgs.Port != 0 {
port = cacheArgs.Port
}
if cacheArgs.Secret != "" {
secret = cacheArgs.Secret
}
if secret == "" {
// no cache secret was specified, panic
log.Error("no cache secret was specified, exiting.")
return nil
}
cacheHandler, err := artifactcache.StartHandler(
dir,
host,
port,
secret,
log.StandardLogger().WithField("module", "cache_request"),
)
if err != nil {