Commit graph

16194 commits

Author SHA1 Message Date
Earl Warren
0c4a307ee2 Merge pull request 'hooks: Harden when we accept push options that change repo settings' (#3319) from earl-warren/forgejo:wip-v1.20-push-options into v1.20/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3319
2024-04-18 21:47:58 +00:00
Earl Warren
ecf654e17f
fix(security): upgrade to go v1.21 2024-04-18 23:23:11 +02:00
Gergely Nagy
c8645d2a70
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check if either of these
options are present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e66153)

Conflicts: tests/integration/git_push_test.go
  	DeleteRepositoryDirectly does not exist
	CreateRepoOptions is in repo_module
2024-04-18 23:07:18 +02:00
Lunny Xiao
9931369767
Performance optimization for git push (#30104) (#30354)
Agit returned result should be from `ProcReceive` hook but not
`PostReceive` hook. Then for all non-agit pull requests, it will not
check the pull requests for every pushing `refs/pull/%d/head`.

Backport #30104

(cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea)

Conflicts:
    it is implemented differently in Forgejo, just keep the test
    in tests/integration/git_push_test.go
(cherry picked from commit b7cff17de1)
2024-04-18 22:58:45 +02:00
Earl Warren
2fe5f6f732 Merge pull request '[SECURITY] Fix XSS vulnerabilities' (#2443) from earl-warren/forgejo:wip-v1.20-xss into v1.20/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2443
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-22 22:33:07 +00:00
Gusted
672caa6813
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
(cherry picked from commit d3de80b9cc)
2024-02-22 22:44:22 +01:00
Gusted
4fdd0ed728
[SECURITY] Fix XSS in dismissed review
- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.

(cherry picked from commit fe2df46d05)

Conflicts:
	templates/repo/issue/view_content/comments.tmpl
	trivial context conflict
2024-02-22 22:44:22 +01:00
Gusted
37f03e065a
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
(cherry picked from commit 92dae3a387)
2024-02-22 22:36:43 +01:00
Gusted
ef05332c3b
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
trough `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited, the names of authors and commiters on a Git
commit is user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do use, as they actually strip `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as they don't have such restrictions.
- Pass `.Author.Name` trough `Escape` in order to be sanitized.

(cherry picked from commit d24c37e132)

Conflicts:
	templates/repo/wiki/revision.tmpl
	templates/repo/wiki/view.tmpl
	trivial context conflict
2024-02-22 22:36:14 +01:00
jolheiser
09635b6b12
[SECURITY] review(kn4ck3r): more template escapes
Signed-off-by: jolheiser <john.olheiser@gmail.com>
(cherry picked from commit 33af169223)

Conflicts:
	templates/repo/migrate/migrating.tmpl
	templates/repo/settings/options.tmpl
	trivial context conflict
2024-02-22 22:33:06 +01:00
Earl Warren
496b0acd22 Merge pull request '[CI] fix the release simulation test' (#2123) from earl-warren/forgejo:wip-ci-release-simulation into v1.20/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2123
Reviewed-by: Loïc Dachary <dachary@noreply.codeberg.org>
2024-01-09 13:36:28 +00:00
Earl Warren
fcf3261cba
[CI] fix the release simulation test 2024-01-09 13:26:57 +01:00
Earl Warren
aa8dd51dc1
[CI] Forgejo Actions based release process (squash) no ownca
The private Forgejo instance trusted with the release signing keys no
longer requires the installation of the ownca certificate authority.

Refs: https://codeberg.org/forgejo/docs/pulls/338
(cherry picked from commit 72f9ae796d)
2023-12-28 17:29:00 +01:00
Earl Warren
ad93e1ad2d
[GITEA] Update crypto dependency 2023-12-20 00:25:39 +01:00
Earl Warren
bfb5a97d8c
[CI] upgrade moved to https://code.forgejo.org/forgejo/end-to-end/ 2023-12-19 23:48:15 +01:00
Earl Warren
8c786eb2ed
[SEMVER] 5.0.8+0-gitea-1.20.6 2023-12-12 22:31:25 +01:00
Lunny Xiao
7aa1e1a54d
Do some missing checks (#28423)
(cherry picked from commit 717d0f5934)

Conflicts:
	routers/api/v1/api.go
	trivial contextual conflict
2023-12-12 22:25:17 +01:00
Gusted
5528072d04 Merge pull request '[GITEA] Add download URL for executable files' (#1847) from Gusted/forgejo:forgejo-bp-1839-120 into v1.20/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1847
2023-12-05 22:50:55 +00:00
Gusted
7f0c874781 [GITEA] Add download URL for executable files
- Backport https://codeberg.org/forgejo/forgejo/pulls/1839
- Consider executable files as a valid case when returning a downloadURL
for them. They are just regular files with the difference being the
executable permission bit being set.
- Not integration testing as it's not possible without adding adjusting
the existing repositories to have a executable file.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1825

(cherry picked from commit ca32891d54)
2023-12-04 18:35:04 +00:00
Gergely Nagy
b4947b78e7 [GITEA] new doctor check: fix-push-mirrors-without-git-remote (#1853)
This is the same as https://codeberg.org/forgejo/forgejo/pulls/1853, backported to v1.20/forgejo.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1855
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2023-12-01 13:52:27 +00:00
Gusted
c722ce6cd4 Merge pull request '[DB] Ensure forgejo migration up to date (squash)' (#1851) from Gusted/forgejo:forgejo-bp-1849-120 into v1.20/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1851
2023-11-28 23:05:09 +00:00
Gusted
457564044a
[DB] Ensure forgejo migration up to date (squash)
- Backport https://codeberg.org/forgejo/forgejo/pulls/1849
- Hook Forgejo's `EnsureUpToDate` to Gitea's `EnsureUpToDate`, such that
the Forgejo migrations are also being checked to be up to date.
- I'm not sure how I missed this and if this has caused any problems,
but due to the lack of any open issue about it it seems to not be a big
problem.

(cherry picked from commit 6c65b6dcf6)
2023-11-28 23:28:06 +01:00
Earl Warren
684f56dd6d
[SEMVER] 5.0.7+0-gitea-1.20.6 2023-11-26 07:28:43 +01:00
Loïc Dachary
e286a15034
test GET /{owner}/{repo}/comments/{id}/attachments
(cherry picked from commit 888dda12cf9bc95f9ef85ba5a518cf40152e07ea)
(cherry picked from commit 4903135a93)
2023-11-26 06:50:26 +01:00
Loïc Dachary
92450913a8
fix POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit d97efb777f)
2023-11-26 06:50:26 +01:00
Loïc Dachary
1c18625ac5
test POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit 52f50792606a22cbf1e144e1bd480984abf6f53f)
(cherry picked from commit 1e5940b020)
2023-11-26 06:50:26 +01:00
Loïc Dachary
f1c5e63fe1
test POST /{username}/{reponame}/{tags,release}/delete
(cherry picked from commit 463d713fac)
2023-11-26 06:48:49 +01:00
Loïc Dachary
494728f919
test GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail
(cherry picked from commit c0cf68e381)
2023-11-26 06:48:49 +01:00
Loïc Dachary
9ea9ba8e7e
fix POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
(cherry picked from commit a82cb96480)
2023-11-26 06:48:49 +01:00
Loïc Dachary
381c66ddef
test POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
(cherry picked from commit 6edae51a23)
2023-11-26 06:48:49 +01:00
Loïc Dachary
9ce97ac685
test POST /{owner}/{repo}/comments/{id}
Conflicts:
	tests/integration/issue_test.go

(cherry picked from commit 9c14e4f103)
2023-11-26 06:40:03 +01:00
Loïc Dachary
ed87de558f
test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
Conflicts:
	tests/integration/api_comment_test.go

(cherry picked from commit 236c5e172c)
2023-11-26 06:40:03 +01:00
Loïc Dachary
dac56f7ed7
test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
Conflicts:
	tests/integration/api_comment_test.go

(cherry picked from commit 49a246f407)
2023-11-26 06:40:03 +01:00
Lunny Xiao
db0d71ec0f
Fix comment permissions (#28213) (#28217)
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit dfd511faf3)
2023-11-26 06:35:50 +01:00
Loïc Dachary
a7a9876dd4
Revert "enforce reqRepoReader(unit.TypeIssues) GET /repos/{owner}/{repo}/issues/pinned"
This reverts commit c70eb32280.
2023-11-26 06:34:40 +01:00
Loïc Dachary
140dbb3918
Revert "enforce reqRepoReader(unit.TypeIssues) POST /repos/{owner}/{repo}/issues"
This reverts commit 6b4cb070cc.
2023-11-26 06:34:40 +01:00
Loïc Dachary
d2de912c95
Revert "fix API usage of a PR index in place of issue index and vice versa"
This reverts commit 3ddfca10ac.
2023-11-26 06:34:40 +01:00
Loïc Dachary
a6adf7fc01
Revert "test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 8726ce2635.
2023-11-26 06:34:39 +01:00
Loïc Dachary
4ece6a4b19
Revert "fix PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit e291ea5e33.
2023-11-26 06:34:39 +01:00
Loïc Dachary
8aed1fa594
Revert "test GET /api/v1/repos/{owner}/{repo}/issues/comments/{id}/assets/{attachment_id}"
This reverts commit e02448bbf5.
2023-11-26 06:34:39 +01:00
Loïc Dachary
d0bafb6775
Revert "test {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit f59a6cc0e4.
2023-11-26 06:34:39 +01:00
Loïc Dachary
ba352ef4b1
Revert "fix {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit 685ebdba63.
2023-11-26 06:34:39 +01:00
Loïc Dachary
d8204f3e8f
Revert "test GET /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit 2af5a75d71.
2023-11-26 06:34:39 +01:00
Loïc Dachary
3869f80b52
Revert "fix GET /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit 585f74c2ca.
2023-11-26 06:34:39 +01:00
Loïc Dachary
5209a09375
Revert "test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 939a66e25c.
2023-11-26 06:34:39 +01:00
Loïc Dachary
fc3825f6b2
Revert "fix DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 0b0b506b74.
2023-11-26 06:34:38 +01:00
Loïc Dachary
9d8249d9d6
Revert "test POST /{owner}/{repo}/comments/{id}/delete"
This reverts commit d2c16d9c2d.
2023-11-26 06:34:38 +01:00
Loïc Dachary
c21cc34116
Revert "fix POST /{owner}/{repo}/comments/{id}/delete"
This reverts commit 44f2592028.
2023-11-26 06:34:38 +01:00
Loïc Dachary
027e3a7206
Revert "test POST /{owner}/{repo}/comments/{id}"
This reverts commit 0d7893ca8a.
2023-11-26 06:34:38 +01:00
Loïc Dachary
db1bd78d71
Revert "fix POST /{owner}/{repo}/comments/{id}"
This reverts commit 5cc6361e31.
2023-11-26 06:34:38 +01:00