Fix NuGet package upload error handling#37074
Merged
silverwind merged 8 commits intogo-gitea:mainfrom Apr 1, 2026
Merged
Conversation
Fix `UploadStream()` to guard against nil `MultipartForm` which can occur when `ParseMultipartForm` silently returns nil on malformed Content-Type boundaries (e.g. unquoted boundaries containing `=`). Also remove the `application/x-www-form-urlencoded` branch which would always fail for multipart parsing. Wrap `zip.NewReader` errors in NuGet `ParsePackageMetaData` and `ExtractPortablePdb` as `ErrInvalidArgument` so invalid packages return HTTP 400 instead of 500. Add integration test for multipart/form-data NuGet upload path (used by `dotnet nuget push`) which was previously untested. Fixes go-gitea#36932 Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
GiteaBot
added
the
lgtm/need 2
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Improves NuGet package upload robustness by preventing panics on malformed multipart requests and ensuring invalid ZIP uploads are treated as client errors (HTTP 400), plus adds an integration test covering multipart/form-data uploads.
Changes:
- Guard
Context.UploadStream()against a nilReq.MultipartFormafterParseMultipartForm, avoiding a potential nil dereference and removing a deadapplication/x-www-form-urlencodedbranch. - Wrap
zip.NewReaderfailures in NuGet metadata/symbol parsing asutil.ErrInvalidArgumentto return HTTP 400 for invalid packages instead of HTTP 500. - Add an integration test that uploads a NuGet package using multipart/form-data.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/integration/api_packages_nuget_test.go | Adds an integration test for multipart/form-data NuGet uploads. |
| services/context/context_request.go | Hardens UploadStream() to avoid nil dereference on multipart parsing and removes dead code. |
| modules/packages/nuget/metadata.go | Maps invalid ZIP reader errors to ErrInvalidArgument (HTTP 400) for .nupkg parsing. |
| modules/packages/nuget/symbol_extractor.go | Maps invalid ZIP reader errors to ErrInvalidArgument (HTTP 400) for .snupkg parsing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
silverwind
changed the title
UploadStream and nuget response status codes
ParseMultipartForm always returns an error when it cannot parse the form, so MultipartForm is never nil after a nil-error return. The nil guard and application/x-www-form-urlencoded removal were defensive but unreachable. Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
silverwind
changed the title
UploadStream and nuget response status codesCo-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
wxiaoguang
reviewed
Apr 1, 2026
wxiaoguang
reviewed
Apr 1, 2026
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
wxiaoguang
approved these changes
Apr 1, 2026
GiteaBot
added
lgtm/need 1
Contributor
|
Updated to different messages to help distinguishing different failure cases |
lunny
approved these changes
Apr 1, 2026
GiteaBot
added
lgtm/done
silverwind
added
the
reviewed/wait-merge
GiteaBot
removed
the
reviewed/wait-merge
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Apr 2, 2026
* main: Fix NuGet package upload error handling (go-gitea#37074) Desaturate dark theme background colors (go-gitea#37056) Update JS dependencies and misc tweaks (go-gitea#37064) Redirect to the only OAuth2 provider when no other login methods and fix various problems (go-gitea#36901) Show workflow link (go-gitea#37070) Remove leftover `webpackChunkName` comments from codeeditor (go-gitea#37062) Update Go dependencies (go-gitea#36781) Add webhook name field to improve webhook identification (go-gitea#37025) (go-gitea#37040) Upgrade `go-git` to v5.17.2 (go-gitea#37060) Replace Monaco with CodeMirror (go-gitea#36764) Update Combine method to treat warnings as failures and adjust tests (go-gitea#37048) Raise minimum Node.js version to 22.18.0 (go-gitea#37058) Update golangci-lint to v2.11.4 (go-gitea#37059) Upgrade `golang.org/x/image` to v0.38.0 (go-gitea#37054) Increase e2e test timeouts on CI to fix flaky tests (go-gitea#37053) Refactor "org teams" page and help new users to "add member" to an org (go-gitea#37051)
silverwind
added a commit
to silverwind/gitea
that referenced
this pull request
Apr 2, 2026
* origin/main: (192 commits) Fix NuGet package upload error handling (go-gitea#37074) Desaturate dark theme background colors (go-gitea#37056) Update JS dependencies and misc tweaks (go-gitea#37064) Redirect to the only OAuth2 provider when no other login methods and fix various problems (go-gitea#36901) Show workflow link (go-gitea#37070) Remove leftover `webpackChunkName` comments from codeeditor (go-gitea#37062) Update Go dependencies (go-gitea#36781) Add webhook name field to improve webhook identification (go-gitea#37025) (go-gitea#37040) Upgrade `go-git` to v5.17.2 (go-gitea#37060) Replace Monaco with CodeMirror (go-gitea#36764) Update Combine method to treat warnings as failures and adjust tests (go-gitea#37048) Raise minimum Node.js version to 22.18.0 (go-gitea#37058) Update golangci-lint to v2.11.4 (go-gitea#37059) Upgrade `golang.org/x/image` to v0.38.0 (go-gitea#37054) Increase e2e test timeouts on CI to fix flaky tests (go-gitea#37053) Refactor "org teams" page and help new users to "add member" to an org (go-gitea#37051) Refactor issue sidebar and fix various problems (go-gitea#37045) Add tests for pull request's content_version in API (go-gitea#37044) Enable concurrent vitest execution (go-gitea#36998) Fix theme discovery and Vite dev server in dev mode (go-gitea#37033) ... # Conflicts: # templates/user/dashboard/feeds.tmpl
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Wrap
zip.NewReadererrors in NuGetParsePackageMetaDataandExtractPortablePdbasErrInvalidArgumentso invalid packages return HTTP 400 (Bad Request) instead of 500 (Internal Server Error).Add integration test for multipart/form-data NuGet upload path (used by
dotnet nuget push) which was previously untested.Note: I was unable to reproduce the reported error with
dotnet nuget push(.NET 10) against a local Gitea instance — the upload succeeded. The reporter's issue may be environment-specific (reverse proxy configuration, .NET version, etc). These changes improve error reporting for invalid uploads regardless.Ref #36932
This PR was written with the help of Claude Opus 4.6