Commit graph

239 commits

Author SHA1 Message Date
Gergely Nagy
c8645d2a70
hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and
template status) via `git push` options: `-o repo.private=true`, `-o
repo.template=true`.

Previously, there weren't sufficient permission checks on these, and
anyone who could `git push` to a repository - including via an AGit
workflow! - was able to change either of these settings. To guard
against this, the pre-receive hook will now check whether either of these
options is present, and if so, will perform additional permission
checks to ensure that these can only be set by a repository owner or
an administrator. Additionally, changing these settings is disabled for
forks, even for the fork's owner.

There's still a case where the owner of a repository can change the
visibility of it, and it will not propagate to forks (it propagates to
forks when changing the visibility via the API), but that's an
inconsistency, not a security issue.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit cc80e66153)

Conflicts: tests/integration/git_push_test.go
	DeleteRepositoryDirectly does not exist
	CreateRepoOptions is in repo_module
2024-04-18 23:07:18 +02:00
Lunny Xiao
9931369767
Performance optimization for git push (#30104) (#30354)
The Agit returned result should come from the `ProcReceive` hook, not the
`PostReceive` hook. Then, for all non-agit pull requests, it will not
check the pull requests for every push of `refs/pull/%d/head`.

Backport #30104

(cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea)

Conflicts:
    it is implemented differently in Forgejo, just keep the test
    in tests/integration/git_push_test.go
(cherry picked from commit b7cff17de1)
2024-04-18 22:58:45 +02:00
Gusted
672caa6813
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be associated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus need to be properly escaped.

(cherry picked from commit ca798e4cc2)
(cherry picked from commit d3de80b9cc)
2024-02-22 22:44:22 +01:00
Gusted
37f03e065a
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
(cherry picked from commit 92dae3a387)
2024-02-22 22:36:43 +01:00
Lunny Xiao
7aa1e1a54d
Do some missing checks (#28423)
(cherry picked from commit 717d0f5934)

Conflicts:
	routers/api/v1/api.go
	trivial contextual conflict
2023-12-12 22:25:17 +01:00
Gergely Nagy
b4947b78e7
[GITEA] new doctor check: fix-push-mirrors-without-git-remote (#1853)
This is the same as https://codeberg.org/forgejo/forgejo/pulls/1853, backported to v1.20/forgejo.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/1855
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2023-12-01 13:52:27 +00:00
Loïc Dachary
e286a15034
test GET /{owner}/{repo}/comments/{id}/attachments
(cherry picked from commit 888dda12cf9bc95f9ef85ba5a518cf40152e07ea)
(cherry picked from commit 4903135a93)
2023-11-26 06:50:26 +01:00
Loïc Dachary
1c18625ac5
test POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit 52f50792606a22cbf1e144e1bd480984abf6f53f)
(cherry picked from commit 1e5940b020)
2023-11-26 06:50:26 +01:00
Loïc Dachary
f1c5e63fe1
test POST /{username}/{reponame}/{tags,release}/delete
(cherry picked from commit 463d713fac)
2023-11-26 06:48:49 +01:00
Loïc Dachary
494728f919
test GET /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/detail
(cherry picked from commit c0cf68e381)
2023-11-26 06:48:49 +01:00
Loïc Dachary
381c66ddef
test POST /{username}/{reponame}/{type:issues|pulls}/{index}/content-history/soft-delete
(cherry picked from commit 6edae51a23)
2023-11-26 06:48:49 +01:00
Loïc Dachary
9ce97ac685
test POST /{owner}/{repo}/comments/{id}
Conflicts:
	tests/integration/issue_test.go

(cherry picked from commit 9c14e4f103)
2023-11-26 06:40:03 +01:00
Loïc Dachary
ed87de558f
test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
Conflicts:
	tests/integration/api_comment_test.go

(cherry picked from commit 236c5e172c)
2023-11-26 06:40:03 +01:00
Loïc Dachary
dac56f7ed7
test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
Conflicts:
	tests/integration/api_comment_test.go

(cherry picked from commit 49a246f407)
2023-11-26 06:40:03 +01:00
Lunny Xiao
db0d71ec0f
Fix comment permissions (#28213) (#28217)
backport #28213

This PR will fix some missed checks for private repositories' data on
web routes and API routes.

(cherry picked from commit dfd511faf3)
2023-11-26 06:35:50 +01:00
Loïc Dachary
a6adf7fc01
Revert "test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 8726ce2635.
2023-11-26 06:34:39 +01:00
Loïc Dachary
8aed1fa594
Revert "test GET /api/v1/repos/{owner}/{repo}/issues/comments/{id}/assets/{attachment_id}"
This reverts commit e02448bbf5.
2023-11-26 06:34:39 +01:00
Loïc Dachary
d0bafb6775
Revert "test {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit f59a6cc0e4.
2023-11-26 06:34:39 +01:00
Loïc Dachary
d8204f3e8f
Revert "test GET /repos/{owner}/{repo}/issues/comments/{id}/reactions"
This reverts commit 2af5a75d71.
2023-11-26 06:34:39 +01:00
Loïc Dachary
5209a09375
Revert "test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}"
This reverts commit 939a66e25c.
2023-11-26 06:34:39 +01:00
Loïc Dachary
9d8249d9d6
Revert "test POST /{owner}/{repo}/comments/{id}/delete"
This reverts commit d2c16d9c2d.
2023-11-26 06:34:38 +01:00
Loïc Dachary
027e3a7206
Revert "test POST /{owner}/{repo}/comments/{id}"
This reverts commit 0d7893ca8a.
2023-11-26 06:34:38 +01:00
Loïc Dachary
2e1d6d2ef2
Revert "test GET /{owner}/{repo}/comments/{id}/attachments"
This reverts commit 4903135a93.
2023-11-26 06:34:38 +01:00
Loïc Dachary
15cc486204
Revert "test POST /{username}/{reponame}/{tags,release}/delete"
This reverts commit d7b11f5378.
2023-11-26 06:34:37 +01:00
Loïc Dachary
98098de1f7
Revert "test GET /api/v1/repos/{owner}/{repo}/keys/{id}"
This reverts commit d095e4fdc5.
2023-11-26 06:34:37 +01:00
Loïc Dachary
d93f6c153f
Revert "test POST /{username}/{reponame}/{type:issues|pulls}/move_pin"
This reverts commit 1e5940b020.
2023-11-26 06:34:37 +01:00
Loïc Dachary
1e5940b020
test POST /{username}/{reponame}/{type:issues|pulls}/move_pin
(cherry picked from commit 52f50792606a22cbf1e144e1bd480984abf6f53f)
2023-11-25 08:08:37 +01:00
Loïc Dachary
d095e4fdc5
test GET /api/v1/repos/{owner}/{repo}/keys/{id}
(cherry picked from commit f5ad29dbc77df834a3b5b9a63b19bca680a9f5ed)
2023-11-25 08:08:37 +01:00
Loïc Dachary
d7b11f5378
test POST /{username}/{reponame}/{tags,release}/delete
(cherry picked from commit 78dcbb62fe87abe044034d880c9e8c22b44c2c98)
2023-11-25 08:08:37 +01:00
Loïc Dachary
4903135a93
test GET /{owner}/{repo}/comments/{id}/attachments
(cherry picked from commit 888dda12cf9bc95f9ef85ba5a518cf40152e07ea)
2023-11-25 07:23:34 +01:00
Loïc Dachary
0d7893ca8a
test POST /{owner}/{repo}/comments/{id}
(cherry picked from commit 61db02681a024220d6d2fe61c1479fd03cb341ea)
2023-11-25 07:23:34 +01:00
Loïc Dachary
d2c16d9c2d
test POST /{owner}/{repo}/comments/{id}/delete
(cherry picked from commit 02da8922f1d9ea8e0985b10a3003315f57b14b46)
2023-11-25 07:23:34 +01:00
Loïc Dachary
939a66e25c
test DELETE /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 11dcaa7ec84bcb2931bfe001d4c6a02c5af4ec5b)
2023-11-25 07:23:33 +01:00
Loïc Dachary
2af5a75d71
test GET /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit 58d923ccbaad1ec12120800b28dbfe6c8c225556)
2023-11-25 07:23:33 +01:00
Loïc Dachary
f59a6cc0e4
test {DELETE,POST} /repos/{owner}/{repo}/issues/comments/{id}/reactions
(cherry picked from commit ffcd2e79ac3ef63cd33d3ca9a18dae5f16431e54)
2023-11-25 07:23:33 +01:00
Loïc Dachary
e02448bbf5
test GET /api/v1/repos/{owner}/{repo}/issues/comments/{id}/assets/{attachment_id}
via getIssueCommentSafe

(cherry picked from commit 9a11049715f1194cad777d5dde0ee514fa15d1f1)
2023-11-25 07:23:33 +01:00
Loïc Dachary
8726ce2635
test PATCH /api/v1/repos/{owner}/{repo}/issues/comments/{id}
(cherry picked from commit 362f340ed9ee28627140ca06dd7487a8989ef62b)
2023-11-25 07:23:33 +01:00
Loïc Dachary
5d18f4b19f
[BRANDING] X-Forgejo-OTP can be used instead of X-Gitea-OTP
(cherry picked from commit 7b0549cd70)
(cherry picked from commit 13e10a65d9)
(cherry picked from commit 65bdd73cf2)
(cherry picked from commit 64eba8bb92)
(cherry picked from commit 4c49b1a759)
(cherry picked from commit 93b4d06406)
(cherry picked from commit e2bc5f36d9)
(cherry picked from commit 2bee76f9df)
(cherry picked from commit 3d8a1b4a9f)
(cherry picked from commit 99dd092cd0)
(cherry picked from commit 0fdbd02204)
(cherry picked from commit 70b277a183)
(cherry picked from commit 3eece7fbb4)
(cherry picked from commit 4838fc9e11)
(cherry picked from commit b76ed541cf)
(cherry picked from commit dcdfb5b65c)
(cherry picked from commit 377dc48cdc)
(cherry picked from commit acc862f411)
(cherry picked from commit ac75ef101f)
(cherry picked from commit 08f2d9f7c5)
(cherry picked from commit e4096f0b64)
(cherry picked from commit bf5876f062)
(cherry picked from commit 7dc60637e5)
(cherry picked from commit ef3101774b)
(cherry picked from commit ecb9e8867c)
(cherry picked from commit 64f0ae72fe)
(cherry picked from commit 8dd6ec7862)
(cherry picked from commit b36723e52b)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1466
(cherry picked from commit 5c378e0cb8)
(cherry picked from commit 1d87602819)
(cherry picked from commit 0f72002d66)
(cherry picked from commit da2556eb13)
(cherry picked from commit c01688cd90)
(cherry picked from commit af4bba8329)
(cherry picked from commit 33ca322c2e)

Conflicts:
	modules/context/api.go
	https://codeberg.org/forgejo/forgejo/pulls/1739
(cherry picked from commit c18e374d44)
(cherry picked from commit 27c4797c9f)
2023-11-14 13:17:12 +01:00
KN4CK3R
44df78edd4
Unify two factor check (#27915) (#27939)
Backport of #27915

Fixes #27819

We have support for two factor logins with the normal web login and with
basic auth. For basic auth the two factor check was implemented at three
different places and you need to know that this check is necessary. This
PR moves the check into the basic auth itself.

(cherry picked from commit 00705da102)
2023-11-14 13:17:12 +01:00
Gusted
51988ef52b
[GITEA] rework long-term authentication
- The current architecture is inherently insecure, because you can
construct the 'secret' cookie value from values that are available in
the database. Thus it provides zero protection when a database is
dumped/leaked.
- This patch implements a new architecture that's inspired by: [Paragonie Initiative](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies).
- Integration testing is added to ensure the new mechanism works.
- Removes a setting, because it's not used anymore.

(cherry-pick from eff097448b)

Conflicts:

	modules/context/context_cookie.go
	trivial context conflicts

	routers/web/web.go
	ctx.GetSiteCookie(setting.CookieRememberName) moved from services/auth/middleware.go
2023-10-05 08:50:54 +02:00
Giteabot
3e8c3b7c09
Allow get release download files and lfs files with oauth2 token format (#26430) (#27378)
Backport #26430 by @lunny

Fix #26165
Fix #25257

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 23139aa27b)
2023-10-03 14:48:40 +02:00
Earl Warren
5aad8a6918
[GITEA] enable system users for comment.LoadPoster
System users (Ghost, ActionsUser, etc.) have a negative id and may be
the author of a comment, either because it was created by a now
deleted user or via an action using a transient token.

The GetPossibleUserByID function has special cases related to system
users and will not fail if given a negative id.

Refs: https://codeberg.org/forgejo/forgejo/issues/1425
(cherry picked from commit 97667e06b3)
2023-09-12 11:02:07 +02:00
wxiaoguang
9c0380fe84
Avoid double-unescaping of form value (#26853) (#26863)
Backport #26853

The old `prepareQueryArg` did double-unescaping of form value.

(cherry picked from commit e8da63c24e)
2023-09-08 08:09:18 +02:00
KN4CK3R
471138829b
Fix NuGet search endpoints (#25613) (#26499)
Backport of #25613

Fixes #25564
Fixes #23191

- Api v2 search endpoint should return only the latest version matching
the query
- Api v3 search endpoint should return `take` packages not package
versions

(cherry picked from commit 762d4245fb)
2023-08-21 07:27:20 +02:00
Earl Warren
1ffddf75d6
[DB] run all Forgejo migrations in integration tests
The tests at tests/integration/migration-test/migration_test.go will
not run any Forgejo migration when using the gitea-*.sql.gz files
because they do not contain a ForgejoVersion row which is interpreted
as a new Forgejo installation for which there is no need for migration.

Create a situation by which the ForgejoVersion table exists and has a
version of 0 in tests/integration/migration-test/forgejo-v1.19.0.*.sql.gz
thus ensuring all Forgejo migrations are run.

The forgejo*.sql.gz files do not have any Gitea related records, which
will be interpreted by the Gitea migrations as a new installation that
does not need any migration. As a consequence the migration tests run
when using forgejo-v1.19.0.*.sql.gz are exclusively about Forgejo
migrations.

(cherry picked from commit ec8003859c)
2023-08-21 07:22:18 +02:00
Earl Warren
d83135c204
Revert "[GITEA] Use join for the deleting issue actions query"
This reverts commit 9b71369be9.
2023-08-21 07:22:17 +02:00
Earl Warren
20557c6bdb
[BRANDING] define the forgejo webhook type
templates/swagger/v1_json.tmpl updated with `make generate-swagger`

(cherry picked from commit 88899c492e)
(cherry picked from commit 7171bd9617)
(cherry picked from commit 1a742446c1)
(cherry picked from commit d7c189d7b2)

Conflicts:
	routers/web/web.go
(cherry picked from commit cbdea868e4)
(cherry picked from commit 6cd150483b)
(cherry picked from commit 47246da8d3)
(cherry picked from commit f2aa0e6b76)
(cherry picked from commit 5a4fc69a16)
(cherry picked from commit 48e444ca09)
(cherry picked from commit 888e537811)
(cherry picked from commit 5121f493c9)
(cherry picked from commit 9394e55fdf)
(cherry picked from commit 3a2ce51768)
(cherry picked from commit 719ead3a65)
(cherry picked from commit 83e6f82e2a)
(cherry picked from commit 494a429b21)
(cherry picked from commit 4d775db6b4)
(cherry picked from commit b68f777dc2)
(cherry picked from commit 5b934023fa)
(cherry picked from commit 3b1ed8b16c)
(cherry picked from commit 6bc4a46c9f)
(cherry picked from commit 8064bb24a3)

Conflicts:
	templates/admin/hook_new.tmpl
	templates/org/settings/hook_new.tmpl
	templates/repo/settings/webhook/base_list.tmpl
	templates/repo/settings/webhook/new.tmpl
	templates/user/settings/hook_new.tmpl
	https://codeberg.org/forgejo/forgejo/pulls/1181

(cherry picked from commit 55f5588a91)

Conflicts:
	routers/web/web.go
	https://codeberg.org/forgejo/forgejo/issues/1219
2023-08-21 07:22:16 +02:00
Earl Warren
c862cc15c8
Revert "[BRANDING] define the forgejo webhook type"
This reverts commit 02ba08ca84.
2023-08-21 07:22:16 +02:00
JakobDev
d89003cc1b
Fix API leaking Usermail if not logged in (#25097)
The API should only return the real mail of a user if the caller is
logged in. The check to do this doesn't work. This PR fixes this. This is
not really a security issue, but can lead to spam.

---------

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit ea385f5d39)
2023-08-05 11:43:54 +00:00
Gusted
5f769ef20d
[GITEA] Show manual cron run's last time
- Currently in the cron tasks, the 'Previous Time' only displays the
previous time of when the cron library executed the function, but not
any of the manual executions of the task.
- Store the last run's time in memory in the Task struct and use that
when that time is later than the time that the cron library has executed this
task.
- This ensures that if an instance admin manually starts a task, there's
feedback that this task is/has been run, because the task might run
so quickly that the status icon has already been changed to a
checkmark.
- Tasks that are executed at startup now reflect this as well, as the
time of the execution of that task on startup is now being shown as
'Previous Time'.
- Added integration tests for the API part, which is easier to test
because querying the HTML table of cron tasks is non-trivial.
- Resolves https://codeberg.org/forgejo/forgejo/issues/949
- Backport #1087
2023-07-31 18:34:14 +00:00