Refactor route path normalization (#31381)

Refactor route path normalization and decouple it from the chi router.
Fix the TODO, fix the legacy strange path behavior.

routers/common/middleware.go

@@ -19,13 +19,23 @@ import (
 
 	"gitea.com/go-chi/session"
 	"github.com/chi-middleware/proxy"
-	chi "github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5"
 )
 
 // ProtocolMiddlewares returns HTTP protocol related middlewares, and it provides a global panic recovery
 func ProtocolMiddlewares() (handlers []any) {
-	// first, normalize the URL path
-	handlers = append(handlers, normalizeRequestPathMiddleware)
+	// make sure chi uses EscapedPath(RawPath) as RoutePath, then "%2f" could be handled correctly
+	handlers = append(handlers, func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+			ctx := chi.RouteContext(req.Context())
+			if req.URL.RawPath == "" {
+				ctx.RoutePath = req.URL.EscapedPath()
+			} else {
+				ctx.RoutePath = req.URL.RawPath
+			}
+			next.ServeHTTP(resp, req)
+		})
+	})
 
 	// prepare the ContextData and panic recovery
 	handlers = append(handlers, func(next http.Handler) http.Handler {
@@ -75,58 +85,6 @@ func ProtocolMiddlewares() (handlers []any) {
 	return handlers
 }
 
-func normalizeRequestPathMiddleware(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-		// escape the URL RawPath to ensure that all routing is done using a correctly escaped URL
-		req.URL.RawPath = req.URL.EscapedPath()
-
-		urlPath := req.URL.RawPath
-		rctx := chi.RouteContext(req.Context())
-		if rctx != nil && rctx.RoutePath != "" {
-			urlPath = rctx.RoutePath
-		}
-
-		normalizedPath := strings.TrimRight(urlPath, "/")
-		// the following code block is a slow-path for replacing all repeated slashes "//" to one single "/"
-		// if the path doesn't have repeated slashes, then no need to execute it
-		if strings.Contains(normalizedPath, "//") {
-			buf := &strings.Builder{}
-			prevWasSlash := false
-			for _, chr := range normalizedPath {
-				if chr != '/' || !prevWasSlash {
-					buf.WriteRune(chr)
-				}
-				prevWasSlash = chr == '/'
-			}
-			normalizedPath = buf.String()
-		}
-
-		if setting.UseSubURLPath {
-			remainingPath, ok := strings.CutPrefix(normalizedPath, setting.AppSubURL+"/")
-			if ok {
-				normalizedPath = "/" + remainingPath
-			} else if normalizedPath == setting.AppSubURL {
-				normalizedPath = "/"
-			} else if !strings.HasPrefix(normalizedPath+"/", "/v2/") {
-				// do not respond to other requests, to simulate a real sub-path environment
-				http.Error(resp, "404 page not found, sub-path is: "+setting.AppSubURL, http.StatusNotFound)
-				return
-			}
-			// TODO: it's not quite clear about how req.URL and rctx.RoutePath work together.
-			// Fortunately, it is only used for debug purpose, we have enough time to figure it out in the future.
-			req.URL.RawPath = normalizedPath
-			req.URL.Path = normalizedPath
-		}
-
-		if rctx == nil {
-			req.URL.Path = normalizedPath
-		} else {
-			rctx.RoutePath = normalizedPath
-		}
-		next.ServeHTTP(resp, req)
-	})
-}
-
 func Sessioner() func(next http.Handler) http.Handler {
 	return session.Sessioner(session.Options{
 		Provider:       setting.SessionConfig.Provider,

routers/common/middleware_test.go

@@ -1,70 +0,0 @@
-// Copyright 2022 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-package common
-
-import (
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestStripSlashesMiddleware(t *testing.T) {
-	type test struct {
-		name         string
-		expectedPath string
-		inputPath    string
-	}
-
-	tests := []test{
-		{
-			name:         "path with multiple slashes",
-			inputPath:    "https://github.com///go-gitea//gitea.git",
-			expectedPath: "/go-gitea/gitea.git",
-		},
-		{
-			name:         "path with no slashes",
-			inputPath:    "https://github.com/go-gitea/gitea.git",
-			expectedPath: "/go-gitea/gitea.git",
-		},
-		{
-			name:         "path with slashes in the middle",
-			inputPath:    "https://git.data.coop//halfd/new-website.git",
-			expectedPath: "/halfd/new-website.git",
-		},
-		{
-			name:         "path with slashes in the middle",
-			inputPath:    "https://git.data.coop//halfd/new-website.git",
-			expectedPath: "/halfd/new-website.git",
-		},
-		{
-			name:         "path with slashes in the end",
-			inputPath:    "/user2//repo1/",
-			expectedPath: "/user2/repo1",
-		},
-		{
-			name:         "path with slashes and query params",
-			inputPath:    "/repo//migrate?service_type=3",
-			expectedPath: "/repo/migrate",
-		},
-		{
-			name:         "path with encoded slash",
-			inputPath:    "/user2/%2F%2Frepo1",
-			expectedPath: "/user2/%2F%2Frepo1",
-		},
-	}
-
-	for _, tt := range tests {
-		testMiddleware := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			assert.Equal(t, tt.expectedPath, r.URL.Path)
-		})
-
-		// pass the test middleware to validate the changes
-		handlerToTest := normalizeRequestPathMiddleware(testMiddleware)
-		// create a mock request to use
-		req := httptest.NewRequest("GET", tt.inputPath, nil)
-		// call the handler using a mock response recorder
-		handlerToTest.ServeHTTP(httptest.NewRecorder(), req)
-	}
-}

routers/init.go

@@ -191,7 +191,8 @@ func NormalRoutes() *web.Route {
 	if setting.Packages.Enabled {
 		// This implements package support for most package managers
 		r.Mount("/api/packages", packages_router.CommonRoutes())
-		// This implements the OCI API (Note this is not preceded by /api but is instead /v2)
+		// This implements the OCI API, this container registry "/v2" endpoint must be in the root of the site.
+		// If site admin deploys Gitea in a sub-path, they must configure their reverse proxy to map the "https://host/v2" endpoint to Gitea.
 		r.Mount("/v2", packages_router.ContainerRoutes())
 	}