Beyond coding. We forge. (Code of Conduct: https://codeberg.org/forgejo/code-of-conduct)
Go to file
Gusted 5b53a150c0
Improve usage of HMAC output for mailer tokens
- If the incoming mail feature is enabled, tokens are being sent with
outgoing mails. These tokens contains information about what type of
action is allow with such token (such as replying to a certain issue
ID), to verify these tokens the code uses the HMAC-SHA256 construction.
- The output of the HMAC is truncated to 80 bits, because this is
recommended by RFC2104, but RFC2104 actually doesn't recommend this. It
recommends, if truncation should need to take place, it should use
max(80, hash_len/2) of the leftmost bits. For HMAC-SHA256 this works out
to 128 bits instead of the currently used 80 bits.
- Update to token version 2 and disallow any usage of token version 1,
token version 2 are generated with 128 bits of HMAC output.
- Add test to verify the deprecation of token version 1 and a general
MAC check test.

(cherry picked from commit 9508aa7713)
2024-11-15 12:02:09 +01:00
.devcontainer Switch to the maintained vitest extension (#29914) 2024-03-26 19:04:25 +01:00
.forgejo chore(ci): ROLE forgejo-coding & forgejo-testing (part two) 2024-11-14 10:21:29 +01:00
.gitea pull_request_template: test/needed label 2024-03-22 10:11:47 +01:00
assets enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
build enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
cmd enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
contrib Merge branch 'rebase-forgejo-dependency' into wip-forgejo 2024-02-05 18:58:23 +01:00
custom/conf Cleanup & add missing options to app.example.ini 2024-06-02 09:40:05 +02:00
docker [BRANDING] cosmetic s/Gitea/Forgejo/ in logs, messages, etc. 2024-02-05 16:02:14 +01:00
models fix: anomynous users code search for private/limited user's repository 2024-11-15 11:59:22 +01:00
modules fix: strict matching of allowed content for sanitizer 2024-11-15 11:59:35 +01:00
options security: add permission check to 'delete branch after merge' 2024-10-28 06:32:10 +01:00
public [v7.0/forgejo] Improvements to English locale (#4459) 2024-07-12 12:46:25 +00:00
release-notes fix(sec): use constant time check for internal token 2024-10-28 06:17:16 +00:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers fix: require code permissions for branch feed 2024-11-15 11:59:08 +01:00
services Improve usage of HMAC output for mailer tokens 2024-11-15 12:02:09 +01:00
templates Show lock owner instead of repo owner on LFS setting page (#31788) (#31817) 2024-08-18 07:01:03 +02:00
tests Improve usage of HMAC output for mailer tokens 2024-11-15 12:02:09 +01:00
tools Add svg linter and fix incorrect svgs (#30086) 2024-03-30 07:17:30 +01:00
web_src fix: replace v-html with v-text in branch search inputbox 2024-09-06 10:38:00 +00:00
.air.toml Reduce air verbosity (#31417) (#31425) 2024-06-23 14:54:21 +02:00
.changelog.yml Adapt .changelog.yml to new labeling system (#27701) 2023-10-20 00:22:00 +02:00
.deadcode-out [DEADCODE] update 2024-05-14 16:47:37 +02:00
.dockerignore Adjust VS Code debug filename match in .gitignore (#30158) 2024-03-30 07:17:32 +01:00
.editorconfig [v7.0/forgejo] Improve translatability of "Transfer ownership" (#3750) 2024-05-14 12:14:36 +00:00
.envrc Enable direnv (#31672) (#31679) 2024-07-28 08:40:19 +02:00
.eslintrc.yaml Forbid jQuery .attr (#30116) 2024-03-30 07:17:31 +01:00
.gitattributes [META] Use correct language for .tmpl 2024-02-05 14:44:33 +01:00
.gitignore Enable direnv (#31672) (#31679) 2024-07-28 08:40:19 +02:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 08:46:56 +00:00
.gitpod.yml Switch to the maintained vitest extension (#29914) 2024-03-26 19:04:25 +01:00
.golangci.yml enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
.ignore Add /public/assets to .ignore (#26232) 2023-07-30 12:34:20 +02:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.spectral.yaml Add spectral linter for Swagger (#20321) 2022-07-11 18:07:16 -05:00
.stylelintrc.yaml Enable a few stylelint rules (#30038) 2024-03-26 19:04:28 +01:00
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile Fix build errors on BSD (in BSDMakefile) (#27594) 2023-10-13 15:38:27 +00:00
build.go User/Org Feed render description as per web (#23887) 2023-04-04 04:39:47 +01:00
CODEOWNERS [META] Add CODEOWNERS files 2024-02-05 14:44:33 +01:00
CONTRIBUTING.md docs: contributing: avoid information duplication (#3454) 2024-04-25 19:13:36 +00:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile fix(release): add missing ARG RELEASE_VERSION 2024-04-17 16:06:43 +00:00
Dockerfile.rootless feat(release): add OCI labels to container images 2024-04-17 05:48:38 +00:00
flake.lock Add nix flake for dev shell (#30967) (#31310) 2024-06-16 11:13:47 +02:00
flake.nix Add nix flake for dev shell (#30967) (#31310) 2024-06-16 11:13:47 +02:00
go.mod Update dependency go to v1.22.7 2024-09-06 05:18:52 +00:00
go.sum [v7.0/forgejo] Update module golang.org/x/image to v0.18.0 2024-06-26 12:46:03 +02:00
LICENSE [DOCS] LICENSE: add Forgejo Authors 2024-02-05 14:44:32 +01:00
main.go [RELEASE] decouple the release name from the version number 2024-02-17 15:27:35 +01:00
MAINTAINERS Apply to become a maintainer (#27522) 2023-10-08 10:36:40 -04:00
Makefile build(go-licenses): support go toolchain mismatch 2024-07-04 14:15:49 +00:00
package-lock.json Update dependency happy-dom to v15 [SECURITY] (v7.0/forgejo) (#5853) 2024-11-08 09:44:46 +00:00
package.json Update dependency happy-dom to v15 [SECURITY] (v7.0/forgejo) (#5853) 2024-11-08 09:44:46 +00:00
playwright.config.js Enforce trailing comma in JS on multiline (#30002) 2024-03-26 19:04:27 +01:00
poetry.lock Upgrade tqdm dependency (#30996) 2024-05-24 15:15:07 +02:00
poetry.toml Clean up pyproject.toml and package.json, fix poetry options (#25327) 2023-06-18 18:13:08 +00:00
pyproject.toml Update js and py dependencies, bump python (#29561) 2024-03-06 12:10:46 +08:00
README.md [BRANDING] add Forgejo logo 2024-02-05 16:02:13 +01:00
RELEASE-NOTES.md [v7.0/forgejo] docs(release-notes): 7.0.3 (#3884) 2024-05-24 12:40:26 +00:00
renovate.json Reduce concurrent Renovate PR's 2024-03-26 09:40:48 +01:00
tailwind.config.js Change --border-radius-circle to --border-radius-full (gitea#30936) 2024-05-29 13:52:42 +02:00
updates.config.js Configure pinned JS dependencies via updates.config.js (#29696) 2024-03-20 08:46:28 +01:00
vitest.config.js Switch to happy-dom for testing (#29948) 2024-03-26 19:04:26 +01:00
webpack.config.js [CHORE] Don't bundle elkjs 2024-07-25 00:20:10 +00:00

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.