Commit graph

17207 commits

Author SHA1 Message Date
Earl Warren a5f675a3ea
[SEMVER] 6.0.13+0-gitea-1.21.11 2024-07-03 16:35:15 +02:00
Earl Warren b2830dd413 Merge pull request '[v1.21/forgejo] fix(security): GO-2024-2947' (#4250) from earl-warren/forgejo:wip-v1.21-retryhttp into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4250
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-06-26 10:40:05 +00:00
Earl Warren adce1cad5c
[v1.21/forgejo] fix(security): GO-2024-2947
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/4245
2024-06-26 12:11:22 +02:00
Earl Warren cd36b74cde
[SEMVER] 6.0.13+0-gitea-1.21.11 2024-06-13 12:40:56 +02:00
Earl Warren 49119d06d1 Merge pull request '[v1.21/forgejo] RFC 6749 Section 10.2 conformance' (#4047) from earl-warren/forgejo:wip-v1.21-oauth into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4047
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
2024-06-06 13:27:50 +00:00
Earl Warren edf9c23d3a
test(oauth): RFC 6749 Section 10.2 conformance
See:

1b088fade6 Prevent automatic OAuth grants for public clients
07fe5a8b13 use existing oauth grant for public client

(cherry picked from commit 592469464b)
2024-06-06 13:59:24 +02:00
Denys Konovalov 97a0d90c39
use existing oauth grant for public client (#31015)
Do not try to create a new authorization grant when one exists already,
thus preventing a DB-related authorization issue.

Fix https://github.com/go-gitea/gitea/pull/30790#issuecomment-2118812426

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 9c8c9ff6d10b35de8d2d7eae0fc2646ad9bbe94a)
(cherry picked from commit 07fe5a8b13)
2024-06-06 13:59:06 +02:00
Archer 02474498b1
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
(cherry picked from commit 1b088fade6)
2024-06-06 13:58:50 +02:00
Earl Warren 9679455b3c Merge pull request '[v1.21/forgejo] chore(dependency): whitelist mholt/archiver/v3 CVE-2024-0406' (#4036) from earl-warren/forgejo:wip-v1.21-archiver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4036
Reviewed-by: proton-ab <proton-ab@noreply.codeberg.org>
2024-06-05 22:16:59 +00:00
Earl Warren 6a2369c64c
chore(dependency): whitelist mholt/archiver/v3 CVE-2024-0406
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: https://github.com/mholt/archiver/issues/404
(cherry picked from commit 3bfec270ac)

Conflicts:
	go.sum
	trivial context conflict
2024-06-05 22:23:01 +02:00
Earl Warren f8be8e3b21 Merge pull request 'test(cli): admin user create and must change password value' (#3413) from earl-warren/forgejo:wip-v1.21-cli-user-create into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3413
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
2024-04-25 09:01:08 +00:00
Earl Warren 33eabaf885
test(cli): admin user create and must change password value
(cherry picked from commit eb74846d7d)
2024-04-25 00:10:21 +02:00
oliverpool 049a77b382
[TESTS] prevent overriding testlogger when calling mainApp
(cherry picked from commit 5785ae72c7)

Conflicts:
	modules/testlogger/testlogger.go
	trivial conflict because it was not backported in order
2024-04-24 12:50:02 +02:00
Earl Warren 1bb403421d
[SEMVER] 6.0.12+0-gitea-1.21.11 2024-04-19 11:41:35 +02:00
Earl Warren f702129854 Merge pull request 'fix(api): error 500 on tag creation when a workflow exists' (#3324) from earl-warren/forgejo:wip-v1.21-tag-api-regression into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3324
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-19 09:38:18 +00:00
Earl Warren a53194f4b1
fix(api): error 500 on tag creation when a workflow exists
files_service.CreateCommitStatus must not explicitly call
gitRepo.Close(), it will be called by the closer function.

Calling it explicitly will cause the repository to be closed
prematurely when obtained from the context, making it unusuable by the
caller later on.

For instance, as CreateCommitStatus is called indirectly when a
workflow exists for the tag to be created, it will make the repositoryn
in the context unusable for the tag creation API.
2024-04-19 10:52:17 +02:00
Gergely Nagy cc80e66153
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-18 11:53:30 +02:00
Lunny Xiao b7cff17de1
Performance optimization for git push (#30104) (#30354)
Agit returned result should be from `ProcReceive` hook but not
`PostReceive` hook. Then for all non-agit pull requests, it will not
check the pull requests for every pushing `refs/pull/%d/head`.

Backport #30104

(cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea)

Conflicts:
    it is implemented differently in Forgejo, just keep the test
    in tests/integration/git_push_test.go
2024-04-18 09:39:47 +02:00
Earl Warren 82d1eeb47e Merge pull request '[gitea] v1.21.11-0 cherry-pick' (#3226) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3226
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
2024-04-17 10:19:07 +00:00
Earl Warren 5f64346931 Merge pull request 'fix(actions): call automerge service on successful commit state' (#3109) from viceice/forgejo:fix/actions/automerge into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3109
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-15 15:25:12 +00:00
Michael Kriese 4889a3a171
fix(actions): call automerge service on successful commit state
- Backport of https://github.com/go-gitea/gitea/pull/30225
2024-04-15 16:17:16 +02:00
Lunny Xiao 8dcc7d9e8c
Fix possible renderer security problem(#30136) (#30315)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 65d96725bb6cb0d0616c17844aca6c753aa5c851)
2024-04-15 11:36:01 +02:00
Earl Warren 8f5d5d49bc Merge pull request '[SEMVER] 6.0.11+0-gitea-1.21.11' (#3225) from earl-warren/forgejo:wip-semver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3225
2024-04-15 08:39:30 +00:00
Lunny Xiao e702e79625
Change the default maxPerPage for gitbucket (#30392) (#30471)
Backport #30392

This patch improves the migration from gitbucket to gitea.

The gitbucket uses it's own internal perPage value (= 25) for paging and
ignore per_page arguments in the requested URL. This cause gitea to
migrate only 25 issues and 25 PRs from gitbucket repository. This may
not happens on old gitbucket. But recent gitbucket 4.40 or 4.38.4 has
this problem.

This patch change to use this internally hardcoded perPage of gitbucket
as gitea's maxPerPage numer when migrating from gitbucket. There are
several perPage values in gitbucket like 25 for Isseus/PRs and 10 for
Releases. Some of those API doesn't support paging yet. It sounds
difficult to implement, but using the minimum number among them worked
out very well. So, I use 10 in this patch.

Brief descriptions of problems and this patch are also available in
https://github.com/go-gitea/gitea/issues/30316.

In addition, I'm not sure what kind of test cases are possible to write
here. It's a test for migration, so it requires testing gitbucket server
and gitea server, I guess. Please let me know if it is possible to write
such test cases here. Thanks!

Co-authored-by: Kazushi (Jam) Marukawa <jam@pobox.com>
(cherry picked from commit b6379d2f167551560c870d2d705269c9ba6fc3bc)
2024-04-15 09:52:00 +02:00
Lunny Xiao c2f9eacd50
Upgrade go-sqlite to v1.14.22 (#30462)
(cherry picked from commit fc4e08f804704613d3a99347ef25813b9d38a422)
2024-04-15 09:41:13 +02:00
Zettat123 cb8ec2287f
Check the token's owner and repository when registering a runner (#30406) (#30412)
Backport #30406

Fix #30378

(cherry picked from commit 55990ebf9240fced8c58491521fc21bf4a4d8f23)

Conflicts:
	services/user/delete.go
	trivial context conflict because of `[MODERATION] User blocking`
2024-04-15 09:35:37 +02:00
Giteabot fd47240545
Close file in the Upload func (#30262) (#30269)
Co-authored-by: guangwu <guoguangwu@magic-shield.com>
(cherry picked from commit 4588c7b705629ffed3108d09d665937c14d39716)
2024-04-15 09:17:54 +02:00
Earl Warren 127d9f743a
[SEMVER] 6.0.11+0-gitea-1.21.11 2024-04-15 09:14:39 +02:00
Earl Warren 2ee30d2651 Merge pull request '[v1.21/forgejo] fix(actions): the trigger user of a schedule is the action user' (#3215) from bp-v1.21/forgejo-c3e2c25 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3215
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-14 18:34:24 +00:00
Earl Warren 387aea4434 fix(actions): the trigger user of a schedule is the action user
The user that caused the notification to re-evaluates the
schedules is not the one that will trigger the workflows. They are
background tasks that are authored by the action user (id -2).

Such a mis-assignment is problematic when the user that caused the
notification is deleted.

Fixes: https://codeberg.org/forgejo/forgejo/issues/3211
(cherry picked from commit c3e2c25359)
2024-04-14 17:36:42 +00:00
Earl Warren 69007f1444 Merge pull request 'Revert "[CI] pin go v1.21.9 version"' (#3050) from earl-warren/forgejo:wip-v1.21-no-pin into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3050
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-05 09:35:55 +00:00
Earl Warren c369619805
Revert "[CI] pin go v1.21.9 version"
The golang action now knows about the latest Go version.

This reverts commit d73ee02324.
2024-04-05 06:24:55 +02:00
Earl Warren d367661ab7 Merge pull request '[SEMVER] 6.0.10+0-gitea-1.21.10' (#3018) from earl-warren/forgejo:wip-semver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3018
2024-04-04 07:01:33 +00:00
Earl Warren d67a9d40f7
[SEMVER] 6.0.10+0-gitea-1.21.10 2024-04-04 07:42:47 +02:00
Earl Warren 56318d1be6 Merge pull request '[CHORE] Update golang.org/x/net' (#3016) from earl-warren/forgejo:wip-v1.21-go-x-net into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3016
2024-04-04 05:41:49 +00:00
Earl Warren eb01993282
[CHORE] Update golang.org/x/net
Per https://pkg.go.dev/vuln/GO-2024-2687
2024-04-04 07:06:30 +02:00
Earl Warren d73ee02324
[CI] pin go v1.21.9 version
Because setup-go fails to pick it up. It usually happens within 24h
and this commit can be reverted then.
2024-04-04 07:02:03 +02:00
Earl Warren bb25ae7bbe Merge pull request '[gitea] v1.21.10-0 cherry-pick' (#2993) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2993
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-04-03 16:55:31 +00:00
Giteabot 0d3f446460
Fixes #27605: inline math blocks can't be preceeded/followed by alphanumerical characters (#30175) (#30250)
Backport #30175 by @jmlt2002

- Inline math blocks couldn't be preceeded or succeeded by
alphanumerical characters due to changes introduced in PR #21171.
Removed the condition that caused this (precedingCharacter condition)
and added a new exit condition of the for-loop that checks if a specific
'$' was escaped using '\' so that the math expression can be rendered as
intended.
- Additionally this PR fixes another bug where math blocks of the type
'$xyz$abc$' where the dollar sign was not escaped by the user, generated
an error (shown in the screenshots below)
- Altered the tests to accomodate for the changes

Former behaviour (from try.gitea.io):

![image](https://github.com/go-gitea/gitea/assets/114936010/8f0cbb21-321d-451c-b871-c67a8e1e9235)

Fixed behaviour (from my local build):

![image](https://github.com/go-gitea/gitea/assets/114936010/5c22687c-6f11-4407-b5e7-c14b838bc20d)

(Edit) Source code for the README.md file:
```
$x$ -$x$ $x$-

a$xa$ $xa$a 1$xb$ $xb$1

$a a$b b$

a$b $a a$b b$

$a a\$b b$
```

Signed-off-by: João Tiago <joao.leal.tintas@tecnico.ulisboa.pt>
Co-authored-by: João Tiago <114936010+jmlt2002@users.noreply.github.com>
(cherry picked from commit 5123ed31914f704348c0660468a3707011f5a160)
2024-04-03 12:39:25 +02:00
Giteabot 4ed431531b
Fix missing 0 prefix of GPG key id (#30245) (#30247)
Backport #30245 by @KN4CK3R

Fixes #30235

If the key id "front" byte has a single digit, `%X` is missing the 0
prefix.
` 38D1A3EADDBEA9C` instead of
`038D1A3EADDBEA9C`
When using the `IssuerFingerprint` slice `%X` is enough but I changed it
to `%016X` too to be consistent.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 935bfe6445f55f1011782eb93492dc55839b2d16)
2024-04-03 12:37:28 +02:00
Giteabot 8d3db1264c
Include encoding in signature payload (#30174) (#30181)
Backport #30174 by @KN4CK3R

Fixes #30119

Include the encoding in the signature payload.

before

![grafik](https://github.com/go-gitea/gitea/assets/1666336/01ab94a3-8af5-4d6f-be73-a10b65a15421)

after

![grafik](https://github.com/go-gitea/gitea/assets/1666336/3a37d438-c70d-4d69-b178-d170e74aa683)

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 2ac78c75d08cbd4c9a47e982021789e6d85a1a32)
2024-04-03 12:36:49 +02:00
yp05327 953914d1f7
Load attachments for code comments (#30124) (#30126)
backport #30124

(cherry picked from commit 7bffb923ce723947837fd1c12fe2f1edcba72315)
2024-04-03 12:33:20 +02:00
yp05327 e9932a404d
Fix gitea doctor will remove repo-avatar files when execute command storage-archives (#30094) (#30120)
backport #30094

(cherry picked from commit 0c10c3a282463d9ada2a6d05cfc733e742c93351)
2024-04-03 12:33:02 +02:00
Lunny Xiao 65d34f9313
Fix possible data race on tests (#30093) (#30108)
backport #30093

(cherry picked from commit 09a5067c0c496d514adac7b82a44ae2061a171db)
2024-04-03 12:32:38 +02:00
yp05327 706ff7aa9f
Fix duplicate migrated milestones (#30102) (#30105)
backport #30102

(cherry picked from commit a0f89ba8c76dd77990f73151cf60e9b945c31587)
2024-04-03 12:32:20 +02:00
yp05327 29b352f490
Fix panic for fixBrokenRepoUnits16961 (#30068) (#30100)
backport #30068

(cherry picked from commit 6d47b63be25dd23d81c8286ac993281c8099e963)
2024-04-03 12:31:39 +02:00
silverwind 5b6c93cc02
Update katex to 0.16.10 (#30089)
https://github.com/KaTeX/KaTeX/releases/tag/v0.16.10

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit 8dccea02f2cf85592c31be35ec9ef5c974a09222)
2024-04-03 12:31:16 +02:00
silverwind 90537783ff
Fix incorrect SVGs (#30087)
Just the SVG fixes from https://github.com/go-gitea/gitea/pull/30086 for
v1.21 branch.

(cherry picked from commit 03f29db46dbaa4cacca875cfe6b1c0b012a93406)
2024-04-03 12:30:19 +02:00
Giteabot 40fba39dc1
Fix misuse of TxContext (#30061) (#30062)
Backport #30061 by @wolfogre

Help #29999, or its tests cannot pass.

Also, add some comments to clarify the usage of `TxContext`.

I don't check all usages of `TxContext` because there are too many
(almost 140+). It's a better idea to replace them with `WithTx` instead
of checking them one by one. However, that may be another refactoring
PR.

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit 78795dd5663b7d8df4620bd50c74a7d71606f1d2)
2024-04-03 12:23:40 +02:00
Giteabot 5e5574c7b3
Respect DEFAULT_ORG_MEMBER_VISIBLE setting when adding creator to org (#30013) (#30035)
Backport #30013 by @DrMaxNix

This PR adds `setting.Service.DefaultOrgMemberVisible` value to dataset
of user when the initial org creator is being added to the created org.

Fixes #30012.

Co-authored-by: DrMaxNix <mail@drmaxnix.de>
(cherry picked from commit e321b8a849087d736a96275d5960f9b1446c95ba)
2024-04-03 12:23:23 +02:00