This PR makes an API change that hasn't been discussed: allowing relative URLs as upload endpoints. This is convenient for the implementation as it could avoid the need to specify a content base URL in the simplest deployment scenarios.
I guess since everything has checksums, the security concerns are pretty minor.
It's possible that a client might try to resolve a URL that came from an upstream repo against the downstream registry's origin, which isn't a security problem because they need to validate the hash anyway, but could cause some instability in poorly-written clients or clients that aren't yet fully federation-aware.
I think a (shallow) mirror would need to rewrite relative URLs, which is definitely an argument against allowing them.
Allowing relative URLs or allowing shallow mirroring?
relative URLs
Last updated: Dec 23 2024 at 12:05 UTC