Commit graph

38 commits

Author SHA1 Message Date
Earl Warren
579560bd72
chore(release-notes): 15 November 2024 security fixes 2024-11-15 12:10:02 +01:00
Gusted
1f40efc60b fix(sec): use constant time check for internal token
(cherry picked from commit 53231bad61)
2024-10-28 06:17:16 +00:00
Gusted
5488ec7d96
security: add permission check to 'delete branch after merge'
- Add a permission check that the doer has write permissions to the head
repository if the the 'delete branch after merge' is enabled when
merging a pull request.
- Unify the checks in the web and API router to `DeleteBranchAfterMerge`.
- Added integration tests.

(cherry picked from commit 266e0b2ce9)

Conflicts:
	tests/integration/pull_merge_test.go
  trivial context conflict
2024-10-28 06:32:10 +01:00
Earl Warren
47cd797dd3 Merge pull request '[gitea] week 2024-35-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#5113) from earl-warren/wcp/2024-35-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5113
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-28 10:30:46 +00:00
Gusted
ce10ec2878 [SEC] Ensure propagation of API scopes for Conan and Container authentication
- The Conan and Container packages use a different type of
authentication. It first authenticates via the regular way (api tokens
or user:password, handled via `auth.Basic`) and then generates a JWT
token that is used by the package software (such as Docker) to do the
action they wanted to do. This JWT token didn't properly propagate the
API scopes that the token was generated for, and thus could lead to a
'scope escalation' within the Conan and Container packages, read
access to write access.
- Store the API scope in the JWT token, so it can be propagated on
subsequent calls that uses that JWT token.
- Integration test added.
- Resolves #5128

(cherry picked from commit 5a871f6095)
2024-08-28 08:44:58 +00:00
Earl Warren
5df3029bf2
chore(release-notes): weekly cherry-pick week 2024-35-v7.0 2024-08-25 17:49:20 +02:00
Earl Warren
6becfc016f
chore(release-notes): weekly cherry-pick week 2024-34-v7.0 2024-08-18 07:11:37 +02:00
0ko
d3a0eb3bdd ui: fix wrong string used in a search box (#4258)
Resolves https://codeberg.org/forgejo/forgejo/issues/4256.
Fixes regression caused by https://github.com/go-gitea/gitea/pull/29530/files#diff-b46ae540c8eb41d1ccaa1659489fcc47d72eee4c4f04dc83c5ccf4d6d1a3395eR45.

Preview:
Before - https://codeberg.org/forgejo/forgejo/attachments/d629f2e9-0d07-4719-9250-52d3ba9f4a9e
After - https://codeberg.org/forgejo/forgejo/attachments/6a5f5cb2-124d-4673-a387-8483125a89eb

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4258
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
(cherry picked from commit 28ceec6fad)
2024-06-28 16:29:11 +00:00
oliverpool
6cef23db1d [BUG] admin oauth2 source required check (#4194)
#4059 was unfortunately incomplete: some custom_url fields are currently shown, even if they are not used by the provider. Moreover the `Use Custom URLs Instead of Default URLs` is always checked by default.

Manual testing:
- go to http://localhost:3000/admin/auths
- click on `Add authentication source`
- Choose `Authentication type`: `OAuth2`
- Choose `OAuth2 provider`: `GitLab`
- verify that the `Use Custom URLs Instead of Default URLs` option is **initially unchecked**
- enable the `Use Custom URLs Instead of Default URLs` checkbox
- verify that only the fields "Authorize", "Token" and "Profile" URLs are shown (no "Email URL", nor "Tenant").
- Switch the `OAuth2 provider` to `Azure AD v2`
- verify that the `Use Custom URLs Instead of Default URLs` option is **initially checked**
- verify that only the field "Tenant" is shown (with the default "organizations").

![image](/attachments/0e2b1508-861c-4b0e-ae6a-6eb24ce94911)

Note: this is loosely based on the upstream fix https://github.com/go-gitea/gitea/pull/31246 which I initially overlooked.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4194
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
(cherry picked from commit 65f8c22cc7)
2024-06-21 06:22:03 +00:00
oliverpool
715bedbde7 [BUG] admin authentication source JS errors (#4059)
While trying to understand #1236, I was quite confused not to see the `Use Custom URLs` checkbox.

This checkbox disappeared in b95a893b22 (because `getElementById` does not expect a `#` as first char), fixed in 4e816e1326.

After solving this, switching from `Nextcloud` to `OpenID Connect` triggered a JS error, which is addressed in 3efa4d836a.

Manual testing:
- go to http://localhost:3000/admin/auths
- click on `Add authentication source`
- Choose `Authentication type`: `OAuth2`
- Choose `OAuth2 provider`: `Nextcloud`
- check that the `Use Custom URLs Instead of Default URLs` checkbox toggles the fields below
- let the checkbox be checked
- Switch the `OAuth2 provider` to `OpenID Connect`
- ensure that no JS error is shown
- Switch the `OAuth2 provider` to `Mastodon`
- check that the fields below `Use Custom URLs Instead of Default URLs` have the right defaults (mastodon.social)

![2024-06-07-101638.png](/attachments/5bd6692e-3457-4dd8-b1c1-50e9a95a3100)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4059
Reviewed-by: twenty-panda <twenty-panda@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
(cherry picked from commit 82ae7460bf)
2024-06-17 10:06:34 +00:00
forgejo-backport-action
4549d9b920 [v7.0/forgejo] Fix bug in GetIssueStats (#4152)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/4124

Co-authored-by: JakobDev <jakobdev@gmx.de>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4152
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2024-06-16 19:06:43 +00:00
Lunny Xiao
e953bce5d7 fix(repository): git push to an adopted repository fails
Fix adopt repository has empty object name in database (#31333)

Fix #31330
Fix #31311

A workaround to fix the old database is to update object_format_name to
`sha1` if it's empty or null.

(cherry picked from commit 1968c2222dcf47ebd1697afb4e79a81e74702d31)

With tests services/repository/adopt_test.go

(cherry picked from commit 8efef06fb1)
2024-06-16 18:15:02 +00:00
Beowulf
bfa98d56fa Fix margin above headline in rendered org-mode (#4076)
This Fixes #3962 by adding `!important` to the margin of the heading in the rendered markdown.

In the current behaviour, the margin-top was always overridden by a global css-rule. This is prevented by this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4076
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Beowulf <beowulf@beocode.eu>
Co-committed-by: Beowulf <beowulf@beocode.eu>
(cherry picked from commit 187860bded)
2024-06-11 16:34:03 +00:00
Rowan Bohde
ab66bfff91 fix: allow actions artifacts storage migration to complete succesfully (#31251)
Change the copy to use `ActionsArtifact.StoragePath` instead of the
`ArtifactPath`. Skip artifacts that are expired, and don't error if the
file to copy does not exist.

---

When trying to migrate actions artifact storage from local to MinIO, we
encountered errors that prevented the process from completing
successfully:

* The migration tries to copy the files using the per-run
`ArtifactPath`, instead of the unique `StoragePath`.
* Artifacts that have been marked expired and had their files deleted
would throw an error
* Artifacts that are pending, but don't have a file uploaded yet will
throw an error.

This PR addresses these cases, and allow the process to complete
successfully.

(cherry picked from commit 8de8972baf5d82ff7b58ed77d78e8e1869e64eb5)
(cherry picked from commit 4afbfd3946)
2024-06-09 14:55:01 +00:00
Earl Warren
40bf161ff0 test(oauth): coverage for the redirection of a denied grant
See 886a675f62 Return `access_denied` error when an OAuth2 request is denied

(cherry picked from commit 32c882af91)
2024-06-05 14:19:38 +00:00
Earl Warren
2df082393e
fix(hook): repo admins are wrongly denied the right to force merge
The right to force merge is uses the wrong predicate and
applies to instance admins:

  ctx.user.IsAdmin

It must apply to repository admins and use the following predicate:

 ctx.userPerm.IsAdmin()

This regression is from the ApplyToAdmins implementation in
79b7089360.

Fixes: https://codeberg.org/forgejo/forgejo/issues/3780
(cherry picked from commit 09f3518069)
2024-06-02 22:05:16 +02:00
Jade Lovelace
900381d6e9 Add an immutable tarball link to archive download headers for Nix
This allows `nix flake metadata` and nix in general to lock a *branch*
tarball link in a manner that causes it to fetch the correct commit even
if the branch is updated with a newer version.

For further context, Nix flakes are a feature that, among other things,
allows for "inputs" that are "github:someuser/somerepo",
"https://some-tarball-service/some-tarball.tar.gz",
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
tarballs of git-based inputs to their builds rather than using git to
fetch them, saving significant download time.

There is presently no gitea or forgejo specific fetcher in Nix, and we
don't particularly wish to have one. Ideally (as a developer on a Nix
implementation myself) we could just use the generic tarball fetcher and
not add specific forgejo support, but to do so, we need additional
metadata to know which commit a given *branch* tarball represents, which
is the purpose of the Link header added here.

The result of this patch is that a Nix user can specify `inputs.something.url =
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
and get a link to some concrete tarball for the actual commit in the
lock file, then when they run `nix flake update` in the future, they
will get the latest commit in that branch.

Example of it working locally:

 » nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
Resolved URL:  http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
Locked URL:    804ede182b.tar.gz?dir=configs
/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
Description:   Computers with the nixos
Path:          /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
Revision:      804ede182b6b66469b23ea4d21eece52766b7a06
Last modified: 2024-05-02 00:48:32

For details on the header value, see:
56763ff918/doc/manual/src/protocols/tarball-fetcher.md

(cherry picked from commit 6631f56ebf)
2024-05-29 18:50:14 +00:00
Gergely Nagy
acbd44a186 migrations: Map non-existant external users to Ghost
When performing migrations, and need to remap external users to local
ones, when no local mapping is possible, map the external user to Ghost,
rather than the user who initiated the migration.

Mapping the external user to the migration initiator has the potential
of breaking assumptions elsewhere, like only having one review per pull
request per user. Mapping these migrated, locally unavailable users to
Ghost makes sure these - often hidden - assumptions do not break.

Fixes #3860.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit ade7304eea)
2024-05-28 16:44:23 +00:00
Earl Warren
a215e9db30
fix(services): set SendNotificationEmailOnNewUser
regression from 767e9634d3. It changed
the parsing of the [admin] section from being derived from the content
of each key with mustMapSetting(rootCfg, "admin", &Admin) to
explicitly listing all keys in the code.

SEND_NOTIFICATION_EMAIL_ON_NEW_USER was not added and therefore
ignored. As a consequence notifications of newly registered users were
never sent.

(cherry picked from commit ff2a3f4e3a)

Conflict:
   modules/setting/admin_test.go
   EXTERNAL_USER_DISABLE_FEATURES does not exist in v7.0
2024-05-25 17:32:52 +02:00
oliverpool
8f99d82cf2 mysql: use inner join for hook_task deletion
Attempt to fix #3678

(cherry picked from commit 4ffda656e8)
2024-05-24 12:46:33 +00:00
Earl Warren
391e311bbe [v7.0/forgejo] docs(release-notes): 7.0.3 (#3884)
Backport: https://codeberg.org/forgejo/forgejo/pulls/3858
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3884
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2024-05-24 12:40:26 +00:00
oliverpool
2459145150 add release-notes
(cherry picked from commit 0e479f3502)
2024-05-24 00:26:20 +00:00
Earl Warren
6a472f90f8
fix: Forgejo 7.0 is compatible with Gitea v1.21.11 2024-05-21 15:01:37 +02:00
Gergely Nagy
ef4c6abbb9 badges: Relax the default workflow badge conditions
Previously, if no branch was explicitly specified for a workflow, it
defaulted to the default branch of the repo. This worked fine for
workflows that were triggered on push, but it prevented showing badges
for workflows that only run on tags, or on schedule - since they do not
run on a specific branch.

Thus, relax the conditions, and if no branch is specified, just return
the latest run of the given workflow. If one is specified, *then*
restrict it to said branch.

Fixes #3487.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit d6915f4d5f)
2024-05-20 10:47:25 +00:00
Earl Warren
8b86b6f1a0 Rename Str2html to SanitizeHTML and clarify its behavior (followup) (take 2)
In
  801792e4dc Rename Str2html to SanitizeHTML and clarify its behavior (followup)
the replacement was incorrect because
  c9d0e63c20  Remove unnecessary "Str2html" modifier from templates
was not applied and Str2html should have not been present in the first
place.

Fixes: https://codeberg.org/forgejo/forgejo/issues/3554
(cherry picked from commit 337f4f9d87)
2024-05-13 18:38:48 +00:00
0ko
9673355bf3 Port "Fix project name wrapping, remove horizontal margin on header"
Port of 370b1bdb37.
2024-05-12 17:37:36 +05:00
Gergely Nagy
9ba48419ba Teach activities.GetFeeds() how to avoid returning duplicates
Before explaining the fix itself, lets look at the `action` table, and
how it is populated. Data is only ever inserted into it via
`activities_model.NotifyWatchers`, which will:

- Insert a row for each activity with `UserID` set to the acting user's
  ID - this is the original activity, and is always inserted if anything
  is to be inserted at all.
- It will insert a copy of each activity with the `UserID` set to the
  repo's owner, if the owner is an Organization, and isn't the acting
  user.
- It will insert a copy of each activity for every watcher of the repo,
  as long as the watcher in question has read permission to the repo
  unit the activity is about.

This means that if a repository belongs to an organizations, for most
activities, it will have at least two rows in the table. For
repositories watched by people other than their owner, an additional row
for each watcher.

These are useful duplicates, because they record which activities are
relevant for a particular user. However, for cases where we wish to see
the activities that happen around a repository, without limiting the
results to a particular user, we're *not* interested in the duplicates
stored for the watchers and the org. We only need the originals.

And this is what this change does: it introduces an additional option to
`GetFeedsOptions`: `OnlyPerformedByActor`. When this option is set,
`activities.GetFeeds()` will only return the original activities, where
the user id and the acting user id are the same. As these are *always*
inserted, we're not missing out on any activities. We're just getting
rid of the duplicates. As this is an additional `AND` condition, it can
never introduce items that would not have been included in the result
set before, it can only reduce, not extend.

These duplicates were only affecting call sites where `RequestedRepo`
was set, but `RequestedUser` and `RequestedTeam` were not. Both of those
call sites were updated to set `OnlyPerformedByActor`. As a result,
repository RSS feeds, and the `/repos/{owner}/{repo}/activities/feeds`
API end points no longer return dupes, only the original activities.

Rather than hardcoding this behaviour into `GetFeeds()` itself, I chose
to implement it as an explicit option, for the sake of clarity.

Fixes Codeberg/Community#684, and addresses gitea#20986.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 9cb2aa989a)
2024-05-09 18:37:30 +00:00
Gergely Nagy
b6be9fb901 Fix an incorrect form submission in repo-issue.js (#3675)
This fixes `initRepoPullRequestAllowMaintainerEdit()` to submit the form correctly (as a web form, rather than as JSON payload).

Fixes #3618, cherry picked from gitea#30854.

Co-Authored-By: wxiaoguang <wxiaoguang@gmail.com>

---

Manual testing steps:

- Open a PR against any repository, with the "Allow edits from maintainers" option checked.
- Open the developer console (`Ctrl-Shift-I` on Firefox), and look at the Network tab.
- Visit the PR, find the "Allow edits from maintainers" checkbox, and click it.
- See the developer console, and check that the response says the setting is false.
- Refresh the page *completely* (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is off.
- Click the box again to enable it.
- See the developer console, and check that the response says the setting is true.
- Reload without cache again (`Ctrl-Shift-R` on Firefox)
- Observe that the setting is now on.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3675
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Gergely Nagy <forgejo@gergo.csillger.hu>
Co-committed-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit f4dd53d79d)
2024-05-08 21:16:08 +00:00
Earl Warren
696ed328fb fix(security): CVE-2024-24788 malformed DNS message
Refs: https://pkg.go.dev/vuln/GO-2024-2824
(cherry picked from commit f3045f0519)
2024-05-08 14:47:59 +00:00
Earl Warren
f45a6cb3b7 Merge pull request '[v7.0/forgejo] FIX gogs migration if gogs is hosted at a subpath' (#3588) from bp-v7.0/forgejo-4a2959b into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3588
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-03 17:17:00 +00:00
0ko
b23d4ec4bb [THEME] fix text selection color
regression of c2280a2009

(cherry picked from commit 787b16a7be)
2024-05-02 17:46:07 +00:00
forgejo-backport-action
4b79a98910 Fix inconsistent required field (#3591)
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3591
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2024-05-01 19:05:43 +00:00
varp0n
c91f7d3599 FIX gogs migration if gogs is hosted at a subpath (#3572)
Also add a test for GogsDownloaderFactory.New() to make sure
that the URL of the source repository is parsed correctly.

When the source gogs instance is hosted at a subpath like `https://git.example.com/gogs/<username>/<reponame>` the migration fails.
This PR fixes that.

Co-authored-by: hecker <tomas.hecker@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3572
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: varp0n <tom@gkstn.de>
Co-committed-by: varp0n <tom@gkstn.de>
(cherry picked from commit 4a2959b3ec)
2024-05-01 16:32:17 +00:00
Earl Warren
9db70035b1
[skip ci] docs(release-notes): 7.0.2
(cherry picked from commit a050b546b9)
2024-05-01 15:05:28 +02:00
Earl Warren
61230e72b5 Merge pull request '[v7.0/forgejo] Fix Issue watching / unwatching on the web ui' (#3585) from algernon/forgejo:backport/v7.0/3562 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3585
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-01 12:26:04 +00:00
forgejo-backport-action
50b7009603 [v7.0/forgejo] Add inline attachments to comments and prevent double handling of mails (#3566)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/3504

If incoming email is configured and an email is sent, inline attachments are currently not added to the comment if it has the `Content-Disposition: inline` instead of `Content-Disposition: attachment` as e.g. with Apple Mail.

This adds inline attachments (`Content-Disposition: inline`) that *have a filename* as attachment to the comment. Other elements with `Content-Disposition: inline` are not attached as attachment to the comment.

In addition, a check has been added to prevent mails from being processed twice.

Fixes #3496

Co-authored-by: Beowulf <beowulf@beocode.eu>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3566
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2024-05-01 12:19:38 +00:00
Gergely Nagy
6f35a5ab90
Fix Issue watching / unwatching on the web ui
When subscribing or unsubscribing to/from an issue on the web ui, the
request was posted to a route handled by `repo.IssueWatch`. This
function used `ctx.Req.PostForm.Get()`, erroneously.

`request.PostForm` is *only* available if `request.ParseForm()` has been
called before it. The function in question did not do that. Under some
circumstances, something, somewhere did end up calling `ParseForm()`,
but not in every scenario.

Since we do not need to check for multiple values, the easiest fix here
is to use `ctx.Req.PostFormValue`, which will call `ParseForm()` if
necessary.

Fixes #3516.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-05-01 13:32:39 +02:00
Gergely Nagy
dd8d3f5ebe Fix git_model.FindBranchesByRepoAndBranchName
When a logged in user with no repositories visits their dashboard, it will
display a search box that lists their own repositories.

This is served by the `repo.SearchRepos` handler, which in turn calls
`commitstatus_service.FindReposLastestCommitStatuses()` with an empty
repo list.

That, in turn, will call `git_model.FindBranchesByRepoAndBranchName()`,
with an empty map. With no map, `FindBranchesByRepoAndBranchName()` ends
up querying the entire `branch` table, because no conditions were set
up.

Armed with a gazillion repo & commit shas, we return to
`FindReposLastestCommitStatuses`, and promptly call
`git_model.GetLatestCommitStatusForPairs`, which constructs a monstrous
query with so many placeholders that the database tells us to go
somewhere else, and flips us off. At least on instances the size of
Codeberg. On smaller instances, it will eventually return, and throw
away all the data, and return an empty set, having performed all this
for naught.

We fix this by short-circuiting `FindBranchesByRepoAndBranchName`, and
returning fast if our inputs are empty.

A test case is included.

Fixes #3521.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 0d029ebe6d)
2024-05-01 05:36:50 +00:00