Commit graph

21249 commits

Author SHA1 Message Date
Gusted
a94a926564 Merge pull request '[v9.0/forgejo] fix: repo avatar generating (#6338)' (#6346) from bp-v9.0/forgejo-be076c9 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6346
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-22 21:45:42 +00:00
Snoweuph
4885e68129 fix: repo avatar generating (#6338)
(cherry picked from commit be076c98d4)
2024-12-22 19:52:56 +00:00
Gusted
4f16ac5f7b Merge pull request '[v9.0/forgejo] fix: keep commit count limit in file history pagination static and not increase with every page' (#6340) from emilylange/bp-v9.0/forgejo-cd2c136 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6340
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-22 01:09:08 +00:00
emilylange
7db46f9ecc
fix: keep commit count limit in file history pagination static and not increase with every page
This fixes a regression introduced by 58a4407acb
from 2022 which reintroduced passing `--skip` to `git rev-list` in favor
of the custom skipping reader based on `io.CopyN` from 59d1cc49f1
and then forgetting to also revert the
`--max-count=CommitsRangeSize*Page` math.

Before this commit:

~~~bash
# curl -s "http://localhost:3000/api/v1/repos/forgejo/forgejo/commits?path=templates&page=1" | jq length
50

# curl -s "http://localhost:3000/api/v1/repos/forgejo/forgejo/commits?path=templates&page=2" | jq length
100

# curl -s "http://localhost:3000/api/v1/repos/forgejo/forgejo/commits?path=templates&page=10" | jq length
500
~~~

With this commit applied:

~~~bash
# curl -s "http://localhost:3000/api/v1/repos/forgejo/forgejo/commits?path=templates&page=1" | jq length
50

# curl -s "http://localhost:3000/api/v1/repos/forgejo/forgejo/commits?path=templates&page=2" | jq length
50

# curl -s "http://localhost:3000/api/v1/repos/forgejo/forgejo/commits?path=templates&page=10" | jq length
50
~~~

(cherry picked from commit cd2c1361c5)
2024-12-22 01:22:35 +01:00
Earl Warren
a66f8c1aff Merge pull request '[v9.0/forgejo] chore(release): link to the standalone release notes file' (#6326) from bp-v9.0/forgejo-0e02397 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6326
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-12-19 09:49:31 +00:00
Earl Warren
e6faa29ee1 chore(release): link to the standalone release notes file
(cherry picked from commit 0e02397915)
2024-12-19 08:38:54 +00:00
Michael Kriese
28c1b4d47e Merge pull request 'Update module golang.org/x/net to v0.33.0 (v9.0/forgejo)' (#6318) from renovate/v9.0/forgejo-golang.org-x-net-0.x into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6318
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-12-19 05:57:28 +00:00
Renovate Bot
7f5f9dc221 Update module golang.org/x/net to v0.33.0 2024-12-18 23:16:45 +00:00
Earl Warren
d595393bb6 Merge pull request '[v9.0/forgejo] fix: ensure correct ssh public key is used for authentication' (#6253) from earl-warren/forgejo:wip-9.0-ssh into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6253
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-12-12 07:06:13 +00:00
Earl Warren
83b614e1e8 Merge pull request '[v9.0/forgejo] fix: Revert "allow synchronizing user status from OAuth2 login providers (#31572)"' (#6251) from bp-v9.0/forgejo-7f8f9b8 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6251
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-12 07:02:40 +00:00
Gusted
dc15aefa3e
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that were chosen by `x/crypto/ssh` after successfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense deep to rely on it.
- Existing tests cover that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior it would be too hard to
craft SSH packets to exploit this.

(cherry picked from commit 3e1b03838e)

Conflicts:
	go.mod
	go.sum
  trivial context conflict
2024-12-12 07:09:00 +01:00
Gusted
29a0b0131e fix: Revert "allow synchronizing user status from OAuth2 login providers (#31572)"
This commit has a fundamental flaw, in order to synchronize if external
users are still active the commit checks if the refresh token is
accepted by the OAuth provider, if that is not the case it sees that as
the user is disabled and sets the is active field to `false` to signal
that. Because it might be possible (this commit makes this a high
likelihood) that the OAuth provider still recognizes this user the
commit introduces code to allow users to re-activate themselves via the
oauth flow if they were disabled because of this. However this code
makes no distinction in why the user was disabled and always re-activates
the user.

Thus the reactivation via the OAuth flow allows users to bypass the
manual activation setting (`[service].REGISTER_MANUAL_CONFIRM`) or if
the admin for other reasons disabled the user.

This reverts commit 21fdd28f08.

(cherry picked from commit 7f8f9b878f)
2024-12-12 05:43:20 +00:00
Earl Warren
71dc491a09 Merge pull request 'Update module golang.org/x/crypto to v0.31.0 (v9.0/forgejo)' (#6247) from renovate/v9.0/forgejo-golang.org-x-crypto-0.x into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6247
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-12 05:06:00 +00:00
Renovate Bot
d39571dc53 Update module golang.org/x/crypto to v0.31.0 2024-12-12 04:38:53 +00:00
Earl Warren
591b1f54a3 Merge pull request '[v9.0/forgejo] chore(ci): set the milestone when a pull request is closed (take 4)' (#6231) from bp-v9.0/forgejo-6f53f7d into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6231
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-10 11:59:37 +00:00
Earl Warren
a5e26e3ad0 chore(ci): set the milestone when a pull request is closed (take 4)
The milestone can only be determined to be final when a pull request
is merged.

It is possible that a pull request is opened during the development of
v10 and merged after it is published.

It is also possible that it is permanently closed without being merged.

(cherry picked from commit 6f53f7d007)
2024-12-10 06:21:30 +00:00
Earl Warren
8e3d076750 Merge pull request '[v9.0/forgejo] chore(ci): set the milestone when a pull request is open (take 3)' (#6225) from bp-v9.0/forgejo-bf9e19c into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6225
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-09 23:38:46 +00:00
Earl Warren
2b66ddf352 chore(ci): set the milestone when a pull request is open (take 3)
pull_request_target runs from the target branch, not the default branch

(cherry picked from commit bf9e19cc21)
2024-12-09 22:56:21 +00:00
Earl Warren
d8ca6f0581 Merge pull request '[v9.0/forgejo] chore(ci): set the milestone when a pull request is open' (#6217) from bp-v9.0/forgejo-1f18d8d into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6217
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-09 16:46:29 +00:00
Earl Warren
bf84528109
chore(ci): set the milestone when a pull request is open (take 2)
Use the oci:ci image to get jq

(cherry picked from commit ebfe702df6)
2024-12-09 17:42:44 +01:00
Earl Warren
485ffc4bae chore(ci): set the milestone when a pull request is open
(cherry picked from commit 1f18d8d677)
2024-12-09 16:17:37 +00:00
Gusted
bda9ee9b83 Merge pull request 'Update dependency @github/relative-time-element to v4.4.4 (v9.0/forgejo)' (#6176) from renovate/v9.0/forgejo-github-relative-time-element-4.x into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6176
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-06 03:15:14 +00:00
Renovate Bot
f5a32bd4fd Update dependency @github/relative-time-element to v4.4.4 2024-12-06 02:03:50 +00:00
Otto
02844b48c3 Merge pull request '[v9.0/forgejo] Do not rewrite ssh keys files when deleting a user without one' (#6168) from bp-v9.0/forgejo-3c9b3dd into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6168
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-06 00:01:49 +00:00
Andreas Shimokawa
3beefb29b9 Do not rewrite ssh keys files when deleting a user without one (#6097)
### Problem

Big instances can have huge authorized_keys files when using OpenSSH instead of the internal ssh server. Forgejo always re-generates the contents of that file when a user is deleted, even if he does not even have a public key uploaded. In case of codeberg.org, a 15MB file gets rewritten. If we batch delete 100 Spam users without ssh keys, we rewrite 1.5GB, this takes time and wears the SSD. In addition, there is a high chance of hitting a race condition bug, when deleting users in parallel.

### Solution / Mitigation

This patch prevents rewriting authorized_keys files, when not necessary. It greatly speeds up deleting malicious users, saves IO bandwidth and SSD wear. It also greatly reduces the chance of hitting a race condition bug. Fixing the race condition is not the scope of this patch though.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6097
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Andreas Shimokawa <shimokawa@fsfe.org>
Co-committed-by: Andreas Shimokawa <shimokawa@fsfe.org>
(cherry picked from commit 3c9b3ddf5c)
2024-12-05 21:32:48 +00:00
Otto
8fa76300ae Merge pull request '[v9.0/forgejo] fix: remove softbreak from github legacy callout' (#6155) from bp-v9.0/forgejo-216a542 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6155
Reviewed-by: Otto <otto@codeberg.org>
2024-12-05 00:16:18 +00:00
Gusted
e741d0a068 fix: remove softbreak from github legacy callout
- A softbreak was being preserved during the github legacy callout (this
is likely due to a change in Goldmark) while it should not. This caused
an `<br>` to be present between the attention title and attention content.
- Added unit test.

(cherry picked from commit 216a542bfb)
2024-12-04 23:12:58 +00:00
Gusted
ad1aad7b1a Merge pull request '[v9.0/forgejo] fix: correct permission loading for limited organisation' (#6149) from bp-v9.0/forgejo-bc9f1e2 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6149
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-12-04 20:54:15 +00:00
Gusted
48fa9c96a7 fix: correct permission loading for limited organisation
- If an organisation is set to be limited visible, then it will still be
visible for signed-in users. However `UnitPermission` didn't take this
into account, it does now.
- Add unit test.
- Resolves #6141

(cherry picked from commit bc9f1e2533)
2024-12-04 17:57:42 +00:00
Earl Warren
1de8d5b450 Merge pull request '[v9.0/forgejo] fix: clean up log files that no longer exist' (#6131) from bp-v9.0/forgejo-4e8677a into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6131
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-03 08:04:41 +00:00
Gusted
0ce1c56612 fix: clean up log files that no longer exist
- If for some reason an action log file no longer exists in the
database or on the file system, then mark it as being cleaned up.
- Unit test added.

(cherry picked from commit 4e8677a911)
2024-12-03 07:08:16 +00:00
Gusted
9b29e8add1 Merge pull request '[v9.0/forgejo] fix: dbconsistency check adding missing quotes' (#6129) from bp-v9.0/forgejo-b525eec into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6129
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-03 05:07:03 +00:00
Gusted
4069e1c934 Merge pull request '[v9.0/forgejo] fix: return correct type in GetSubModule' (#6127) from bp-v9.0/forgejo-e7cffc3 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6127
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-12-03 04:35:52 +00:00
Gusted
74e1fd16b0 Merge pull request 'fix: dbconsistency check adding missing quotes' (#6124) from 71rd/forgejo:dbconsistency-forgejo into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6124
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
(cherry picked from commit b525eec82b)
2024-12-03 04:07:18 +00:00
Gusted
532c35c25a Fix: return correct type in GetSubModule
- `GetSubModules` already solely stores the URL of the submodule and not
a `*SubModule` entry, so don't try to type assert it to be a struct.
- I am not able to pinpoint when this was regressed but if I had to
guess it might be #4941.
- Added integration test.

(cherry picked from commit e7cffc378f)
2024-12-03 03:24:54 +00:00
Otto
eeb3451a89 Merge pull request '[v9.0/forgejo] Fix wiki search overflowing on wide screens (#6047)' (#6104) from spiffyk/forgejo:bp-v9.0/wiki-search-too-wide into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6104
Reviewed-by: Otto <otto@codeberg.org>
2024-11-30 17:16:10 +00:00
Oto Šťáva
fe6f4fde20
Cap wiki search width at 80% container width
Co-Authored-By: Zuzana Slavíková <zuza.slavik@email.cz>
2024-11-30 17:11:07 +01:00
Oto Šťáva
c98bd3a11d
Fix wiki search overflowing on wide screens (#6047)
Confine the search menu to be at most the width of the page, or 80% of
the viewport width, whichever is smaller. To do this, introduce a new
`--container-width` variable for the descendant elements of
`.ui.container` to be able to access.

Also update the relevant e2e test: add a long 'lorem ipsum' page, add a
search for it, parameterize the width.
2024-11-30 17:10:57 +01:00
Otto
5cffc09c37 Merge pull request '[v9.0/forgejo] Improve Swagger documentation for user endpoints' (#6092) from bp-v9.0/forgejo-b074e08-76fb2af into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6092
Reviewed-by: Otto <otto@codeberg.org>
2024-11-29 13:16:38 +00:00
JakobDev
d3e5d887ee Run make tidy
(cherry picked from commit 76fb2afc40)
2024-11-28 20:44:16 +00:00
JakobDev
72cbefe63e Improve Swagger documentation for user endpoints
(cherry picked from commit b074e08f34)
2024-11-28 20:44:16 +00:00
Earl Warren
a167d7b91c Merge pull request '[v9.0/forgejo] fix: normalize guessed languages from enry' (#6085) from bp-v9.0/forgejo-7aeb1ba into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6085
2024-11-27 21:39:54 +00:00
Gusted
c5f37b6cd8 fix: normalize guessed languages from enry
- In the case that Enry correctly recognized the language, but returns
the language name in a way that isn't recognized by enry. Although
overkill I've added a map such that new entries should be easier to add.
- Resolves #6077
- Added unit test

(cherry picked from commit 7aeb1ba1d5)
2024-11-27 18:25:12 +00:00
Earl Warren
a494510972 Merge pull request '[gitea] week 2024-48-v9.0 cherry pick (gitea/main -> v9.0/forgejo)' (#6064) from earl-warren/wcp/2024-48-v9.0 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6064
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-27 18:22:15 +00:00
Gusted
714308506e Merge pull request '[v9.0/forgejo] Show page titles in wiki search results (#6048)' (#6070) from bp-v9.0/forgejo-fc31fa0 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6070
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
Reviewed-by: Oto Šťáva <spiffyk@noreply.codeberg.org>
2024-11-25 15:12:06 +00:00
Oto Šťáva
2374f8f47d Show page titles in wiki search results (#6048)
Replace wiki page filenames with page titles in the search results,
fixing the problem with them showing unreadable URI-encoded names.

(cherry picked from commit fc31fa0eeb)
2024-11-25 14:18:18 +00:00
Earl Warren
1f9a1537a5
chore(release-notes): notes for the week 2024-48-v9.0 weekly cherry pick 2024-11-24 16:53:22 +00:00
Rowan Bohde
48872d11ca
allow the actions user to login via the jwt token (#32527)
We have some actions that leverage the Gitea API that began receiving
401 errors, with a message that the user was not found. These actions
use the `ACTIONS_RUNTIME_TOKEN` env var in the actions job to
authenticate with the Gitea API. The format of this env var in actions
jobs changed with go-gitea/gitea/pull/28885 to be a JWT (with a
corresponding update to `act_runner`) Since it was a JWT, the OAuth
parsing logic attempted to parse it as an OAuth token, and would return
user not found, instead of falling back to look up the running task and
assigning it to the actions user.

Make ACTIONS_RUNTIME_TOKEN in action runners could be used,
attempting to parse Oauth JWTs. The code to parse potential old
`ACTION_RUNTIME_TOKEN` was kept in case someone is running an older
version of act_runner that doesn't support the Actions JWT.

(cherry picked from commit 407b6e6dfc7ee9ebb8a16c7f1a786e4c24d0516e)

Conflicts:
	services/auth/oauth2.go
  trivial context conflicts because OAuth2 scopes are in Forgejo and
  not yet in Gitea
2024-11-24 16:51:29 +00:00
Lunny Xiao
1c04f8f10a
Fix submodule parsing
(cherry picked from commit 33850a83fe4ebd23a762a7aac81614c42e303bfa)

This really is just the cherry pick of 407b6e6dfc7ee9ebb8a16c7f1a786e4c24d0516e
which is the first commit of the pull request, the one with the
change. The rest of the changes is a refactor that is unrelated to the
bug fix.

Conflicts:
	modules/git/commit_test.go
  trivial context conflict
2024-11-24 16:49:54 +00:00
Lunny Xiao
bf520f5184
Fix GetInactiveUsers (#32540)
Fix #31480

(cherry picked from commit 9bf821ae6c108379d22ae11d8d5784a4ed7ad647)

Conflicts:
	models/user/user_test.go
  trivial context conflict
2024-11-24 16:46:39 +00:00