Test if container blob is accessible before mounting (#22759)

related #16865 This PR adds an accessibility check before mounting container blobs. --------- Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: silverwind <me@silverwind.io>
2025-05-16 20:00:03 +02:00 · 2023-07-09 13:24:43 +02:00 · 2023-07-09 13:24:43 +02:00 · 115f40e433
commit 115f40e433
parent 38844e0869
3 changed files with 72 additions and 8 deletions
--- a/routers/api/packages/container/container.go
+++ b/routers/api/packages/container/container.go
@ -203,17 +203,25 @@ func InitiateUploadBlob(ctx *context.Context) {
 			Digest:     mount,
 		})
 		if blob != nil {
-			if err := mountBlob(&packages_service.PackageInfo{Owner: ctx.Package.Owner, Name: image}, blob.Blob); err != nil {
+			accessible, err := packages_model.IsBlobAccessibleForUser(ctx, blob.Blob.ID, ctx.Doer)
+			if err != nil {
 				apiError(ctx, http.StatusInternalServerError, err)
 				return
 			}

-			setResponseHeaders(ctx.Resp, &containerHeaders{
-				Location:      fmt.Sprintf("/v2/%s/%s/blobs/%s", ctx.Package.Owner.LowerName, image, mount),
-				ContentDigest: mount,
-				Status:        http.StatusCreated,
-			})
-			return
+			if accessible {
+				if err := mountBlob(&packages_service.PackageInfo{Owner: ctx.Package.Owner, Name: image}, blob.Blob); err != nil {
+					apiError(ctx, http.StatusInternalServerError, err)
+					return
+				}
+
+				setResponseHeaders(ctx.Resp, &containerHeaders{
+					Location:      fmt.Sprintf("/v2/%s/%s/blobs/%s", ctx.Package.Owner.LowerName, image, mount),
+					ContentDigest: mount,
+					Status:        http.StatusCreated,
+				})
+				return
+			}
 		}
 	}