Commit graph

21013 commits

Author SHA1 Message Date
Gusted
12f97ef51f
[SEC] Add keying module
The keying modules tries to solve two problems, the lack of key
separation and the lack of AEAD being used for encryption. The currently
used `secrets` doesn't provide this and is hard to adjust to provide
this functionality.

For encryption, the additional data is now a parameter that can be used,
as the underlying primitive is an AEAD constructions. This allows for
context binding to happen and can be seen as defense-in-depth; it
ensures that if a value X is encrypted for context Y (e.g. ID=3,
Column="private_key") it will only decrypt if that context Y is also
given in the Decrypt function. This makes confused deputy attack harder
to exploit.[^1]

For key separation, HKDF is used to derives subkeys from some IKM, which
is the value of the `[service].SECRET_KEY` config setting. The context
for subkeys are hardcoded, any variable should be shuffled into the the
additional data parameter when encrypting.

[^1]: This is still possible, because the used AEAD construction is not
key-comitting. For Forgejo's current use-case this risk is negligible,
because the subkeys aren't known to a malicious user (which is required
for such attack), unless they also have access to the IKM (at which
point you can assume the whole system is compromised). See
https://scottarc.blog/2022/10/17/lucid-multi-key-deputies-require-commitment/
2024-08-21 16:06:17 +02:00
Otto
86be767939 Merge pull request 'Refactor some forms: semantic HTML, usability, accessibility, less JS' (#5031) from fnetx/css-only-hide into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5031
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-08-21 13:50:37 +00:00
0ko
b65a1312b3 i18n(en): remove unused strings related to team permissions
Added in 72aa5a20ec.
Dropped in cb41f5cae1.
2024-08-21 18:41:07 +05:00
0ko
a1c87db46f i18n(en): fix administrator access naming consistency 2024-08-21 18:39:51 +05:00
Otto Richter
83d2b3b7fa Implement CSS-only input toggling, refactor related forms
UX/Translation changes:

- new teams: remove redundant tooltips that don't add meaningful information
  - move general information to table fieldset
- new teams: rename "general" to "custom" access for clarity
- new teams: show labels beside options on mobile

Accessibility:

- semantic form elements allow easier navigation (fieldset, mostly)
- improve better labelling of new teams table
- fix accessibility scan issues
- TODO: the parts that "disable" form elements were not yet touched and
  are not really accessible to screenreaders

Technical:

- replace two JavaScript solutions with one CSS standard
- implement a simpler grid (.simple-grid)
- simplify markup
- remove some webhook settings specific CSS

Testing:

- check more form content for accessibility issues
- but exclude tooltips from the scan :(
- reuse existing form tests from previous PR
2024-08-21 15:03:19 +02:00
Otto
c20c534b90 Merge pull request 'fix: validate title length when updating an issue' (#4809) from thilinajayanath/forgejo:validate-issue-title-update into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4809
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-21 12:55:26 +00:00
Renovate Bot
df907ec7f9 Update golang packages 2024-08-21 09:58:16 +00:00
Earl Warren
6ea97ffe9b Merge pull request 'chore(renovate): fix grouping' (#5047) from viceice/forgejo:chore/renovate/grouping into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5047
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-21 09:45:34 +00:00
Michael Kriese
d9d7f8dc92
chore(renovate): fix grouping 2024-08-21 11:27:19 +02:00
Michael Kriese
f4b6da00fb Merge pull request 'chore(renovate): bump go version inside go.mod' (#5044) from viceice/forgejo:chore/renovate/gomod into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5044
2024-08-21 08:44:45 +00:00
Michael Kriese
171e4cc3be
chore(renovate): bump go version inside go.mod 2024-08-21 10:10:00 +02:00
thilinajayanath
1e922d906f validate the title length when updating an issue and add integration test for issue title update
using middleware validator to validate title length on update

use error name from binding package

add integration test for title update

rebase upstream and update test var name

fix test slice formatting

just a try (#1)

Reviewed-on: https://codeberg.org/thilinajayanath/forgejo/pulls/1
Co-authored-by: Otto Richter <git@otto.splvs.net>
Co-committed-by: Otto Richter <git@otto.splvs.net>

fix errors + add test for 255 char title

fix test domain

fix CSRF token error on test

updaate result struct that's used to decode the json response

add json tags for struct and check changed title when http 200 is received

try to decode the title if the request succeeded

add comment in integration test
2024-08-21 08:56:52 +02:00
Earl Warren
6c8d9823ac
fix: release: Forgejo version is not set
LDFLAGS="-buildid=" must be set in the environment so the Makefile
adds to it. Setting it via the make arguments overrides it and removes
the -X "main.*Version" arguments which are used to set the Forgejo
version of the binary.

Regression introduced in [CHORE] Support reproducible builds' (#4970)
2024-08-21 07:27:38 +02:00
Gusted
821875e057 Merge pull request 'Update dependency chart.js to v4.4.4 (forgejo)' (#5037) from renovate/forgejo-chart.js-4.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5037
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-21 03:17:48 +00:00
Gusted
35cc077d82 Merge pull request 'Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v1.60.2 (forgejo)' (#5039) from renovate/forgejo-github.com-golangci-golangci-lint-cmd-golangci-lint-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5039
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-21 03:13:43 +00:00
Renovate Bot
63faeb365c Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v1.60.2 2024-08-21 02:03:34 +00:00
Renovate Bot
b8690562d2 Update dependency chart.js to v4.4.4 2024-08-21 00:03:20 +00:00
Gusted
5b81cab0ed Merge pull request '[CHORE] Support reproducible builds' (#4970) from gusted/forgejo-reproducible-builds into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4970
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Radosław Piliszek <radek@piliszek.it>
2024-08-20 18:14:33 +00:00
Gusted
68cc61b537
Add integration test 2024-08-20 19:09:22 +02:00
Gusted
9111eb3473 Merge pull request '[PORT] Fix overflow for images on project cards (gitea#31683)' (#5029) from gusted/forgejo-bp-gt-31683 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5029
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 16:11:42 +00:00
Gusted
0764b7c18b
[UI] Remove snapping for images on project cards
Remove the snapping of the images on the projects cards, the images are
way too small to notice that when scrolling you're being snapped to
these images and when you do notice it, it doesn't make sense as you
wouldn't expect it to be snapped.
2024-08-20 16:02:52 +02:00
Simon Priet
8e46efef95
[PORT] Scroll images in project issues separately from the remaining issue (gitea#31683)
As discussed in https://github.com/go-gitea/gitea/issues/31667 &
https://github.com/go-gitea/gitea/issues/26561, when a card on a Project
contains images, they can overflow the card on its containing column.
This aims to fix this issue via snapping scrollbars.

---
Conflict resolution: none

(cherry picked from commit fe7c9416777243264e8482d3af29e30c2b671074)
2024-08-20 15:54:22 +02:00
Otto
d9ae23188f Merge pull request 'chore(renovate): F3 is under development, update quarterly' (#5025) from earl-warren/forgejo:wip-f3-renovate into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5025
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-20 13:52:38 +00:00
Otto
01a153555a Merge pull request 'chore(CODEOWNERS): @earl-warren watches over all PRs [skip ci]' (#5027) from earl-warren/forgejo:wip-codeowner into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5027
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 13:51:38 +00:00
Gusted
f28cde134e Merge pull request '[UI] Adjust trailing EOL behavior for empty file' (#5013) from gusted/forgejo-adjust-eol into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5013
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 13:42:04 +00:00
Michael Kriese
0d45ed0faa Merge pull request 'chore(renovate): better linter and postcss grouping' (#5026) from viceice/forgejo:chore/renovate/grouping into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5026
2024-08-20 07:03:45 +00:00
Earl Warren
c76a73ad35 Merge pull request '[gitea] week 2024-34 cherry pick (gitea/main -> forgejo)' (#4998) from earl-warren/wcp/2024-34 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4998
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-20 06:32:09 +00:00
Earl Warren
5a58741879
chore(CODEOWNERS): @earl-warren watches over all PRs
As I watch all PRs created daily, there is no need to rely on the
CODEOWNERS logic for me to be notified that it exists.
2024-08-20 08:24:48 +02:00
Michael Kriese
bf609ce874
chore(renovate): better linter and postcss grouping 2024-08-20 08:14:08 +02:00
Earl Warren
0c2d527aec
chore(renovate): F3 is under development, update quarterly 2024-08-20 08:02:00 +02:00
Earl Warren
027a2fb0a4 Merge pull request 'Update dependency @axe-core/playwright to v4.10.0 (forgejo)' (#5021) from renovate/forgejo-axe-core-playwright-4.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5021
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 05:57:07 +00:00
Gusted
85cd07a263 Merge pull request 'Update dependency mini-css-extract-plugin to v2.9.1 (forgejo)' (#5020) from renovate/forgejo-mini-css-extract-plugin-2.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5020
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-20 00:43:37 +00:00
Renovate Bot
74ebb47509 Update dependency @axe-core/playwright to v4.10.0 2024-08-20 00:04:06 +00:00
Renovate Bot
b8f56fd3ca Update dependency mini-css-extract-plugin to v2.9.1 2024-08-20 00:03:53 +00:00
Gusted
0692cc2cc1
[BUG] First user created through reverse proxy should be admin
- Currently users created through the reverse proxy aren't created
trough the normal route of `createAndHandleCreatedUser` as this does a
lot of other routines which aren't necessary for the reverse proxy auth,
however one routine is important to have: the first created user should
be an admin. This patch adds that code
- Adds unit test.
- Resolves #4437
2024-08-19 21:04:35 +02:00
Gusted
e9a89a188e
[UI] Adjust trailing EOL behavior for empty file
- Follow up #4835
- Currently for empty files (file size is shown in the file header) the
"No EOL" information is being shown, even though it doesn't really
make sense to show that for empty files.
- Add integration test.
- Ref: https://codeberg.org/Codeberg/Community/issues/1612#issuecomment-2169437
2024-08-19 20:23:15 +02:00
Gusted
be46795975
[CHORE] Support reproducible builds
This is a step towards making Forgejo's binaries (the one listed in the
release tab) reproducible.

In order to make the actual binary reproducible, we have to ensure that
the release workflow has the correct configuration to produce such
reproducible binaries. The release workflow currently uses the
Dockerfile to produce binaries, as this is one of the easiest ways to do
cross-compiling for Go binaries with CGO enabled (due to SQLite). In the
Dockerfile, two new arguments are being given to the build command.
`-trimpath` ensures that the workpath directory doesn't get included in
the binary; this means that file names (such as for panics) are
relative (to the workpath) and not absolute, which shouldn't impact
debugging. `-buildid=` is added to the linker flag; it sets the BuildID
of the Go linker to be empty; the `-buildid` hashes the input actions
and output content; these vary from build to build for unknown reasons,
but likely because of the involvement of temporary file names, this
doesn't have any effect on the behavior of the resulting binary.

The Makefile receives a new command, `reproduce-build#$VERSION` which
can be used by people to produce a reproducible Forgejo binary of a
particular release; it roughly does what the release workflow also does.
Build the Dockerfile and extract the Forgejo binary from it. This
doesn't allow to produce a reproducible version for every release, only
for those that include this patch, as it needs to call the makefile of
that version in order to make a reproducible binary.

There's one thing left to do: the Dockerfile pins the Go version to a
minor level and not to a patch level. This means that if a new Go patch
version is released, that will be used instead and will result in a
different binary that isn't bit to bit the same as the one that Forgejo
has released.
2024-08-19 17:31:57 +02:00
Otto
3b8ac4388a Merge pull request 'Refactor grouped forms to semantic HTML' (#4995) from fnetx/refactor-grouped-forms into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4995
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-19 14:53:35 +00:00
Earl Warren
0c70e11df8 Merge pull request 'git-grep: refactor defaults' (#4964) from yoctozepto/git-grep-refactor-defaults into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4964
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
2024-08-19 13:12:37 +00:00
Radosław Piliszek
f784260633 git-grep: refactor defaults
One method to set them all... or something like that.

The defaults for git-grep options were scattered over the run
function body. This change refactors them into a separate method.
The application of defaults is checked implicitly by existing
tests and linters, and the new approach makes it very easy
to inspect the desired defaults are set.
2024-08-19 14:28:01 +02:00
Earl Warren
7e37c4d831 Merge pull request '[BUG] Don't fire notification for comment of pending review' (#4487) from gusted/webhook-issue into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4487
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-19 09:04:50 +00:00
Earl Warren
74f08b5da0 Merge pull request 'feat: add forgejo-cli to the container images' (#5012) from earl-warren/forgejo:wip-cli into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5012
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-19 08:47:57 +00:00
limiting-factor
b6efebc237
feat: add forgejo-cli to the container images
When the Forgejo CLI binary is `forgejo-cli`, the `--verbose` or `--quiet`
arguments are available globally for all sub-commands. The same
sub-commands can be used with `forgejo forgejo-cli`, those flags are
not available.
2024-08-19 09:44:04 +02:00
Earl Warren
c7adff3862 Merge pull request 'Lock file maintenance (forgejo)' (#5011) from renovate/forgejo-lock-file-maintenance into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5011
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-19 07:42:40 +00:00
Earl Warren
51620ab0f3 Merge pull request 'Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v1.60.1 (forgejo)' (#4953) from renovate/forgejo-github.com-golangci-golangci-lint-cmd-golangci-lint-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4953
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-19 07:38:14 +00:00
Earl Warren
0fd2254684
chore(release-notes): weekly cherry-pick week 2024-34 2024-08-19 09:27:37 +02:00
yp05327
a8e25e907c
Add missing repository type filter parameters to pager (#31832)
Fix #31807

ps: the newly added params's value will be changed.
When the first time you selected the filter, the values of params will
be `0` or `1`
But in pager it will be `true` or `false`.
So do we have `boolToInt` function?

(cherry picked from commit 7092402a2db255ecde2c20574b973fb632c16d2e)

Conflicts:
	routers/web/org/home.go
  trivial conflict s/pager.AddParam/pager.AddParamString/
2024-08-19 09:26:34 +02:00
forgejo-renovate-action
15e131fd67 Merge pull request 'Update renovate to v38.39.6 (forgejo)' (#5007) from renovate/forgejo-renovate into forgejo 2024-08-19 06:04:05 +00:00
Renovate Bot
e650b25bb6 Lock file maintenance 2024-08-19 02:05:17 +00:00
Renovate Bot
1b9222f6e2 Update renovate to v38.39.6 2024-08-19 02:03:33 +00:00