Commit graph

4866 commits

Author SHA1 Message Date
Gusted
dc15aefa3e
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that was chosen by `x/crypto/ssh` after succesfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense deep to rely on it.
- Existing tests covers that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior it would be too hard to
craft SSH packets to exploit this.

(cherry picked from commit 3e1b03838e)

Conflicts:
	go.mod
	go.sum
  trivial context conflict
2024-12-12 07:09:00 +01:00
Gusted
e741d0a068 fix: remove softbreak from github legacy callout
- A softbreak was being preserved during the github legacy callout (this
is likely due to a change in Goldmark) while it should not. This caused
an `<br>` to be present between the attention title and attention content.
- Added unit test.

(cherry picked from commit 216a542bfb)
2024-12-04 23:12:58 +00:00
Gusted
532c35c25a Fix: return correct type in GetSubModule
- `GetSubModules` already solely stores the URL of the submodule and not
a `*SubModule` entry, so don't try to type assert it to be a struct.
- I am not able to pinpoint when this was regressed but if I had to
guess it might be #4941.
- Added integration test.

(cherry picked from commit e7cffc378f)
2024-12-03 03:24:54 +00:00
Gusted
c5f37b6cd8 fix: normalize guessed languages from enry
- In the case that Enry correctly recognized the language, but returns
the language name in a way that isn't recognized by enry. Although
overkill I've added a map such that new entries should be easier to add.
- Resolves #6077
- Added unit test

(cherry picked from commit 7aeb1ba1d5)
2024-11-27 18:25:12 +00:00
Lunny Xiao
1c04f8f10a
Fix submodule parsing
(cherry picked from commit 33850a83fe4ebd23a762a7aac81614c42e303bfa)

This really is just the cherry pick of 407b6e6dfc7ee9ebb8a16c7f1a786e4c24d0516e
which is the first commit of the pull request, the one with the
change. The rest of the changes is a refactor that is unrelated to the
bug fix.

Conflicts:
	modules/git/commit_test.go
  trivial context conflict
2024-11-24 16:49:54 +00:00
Earl Warren
6f825ab156 Merge pull request '[gitea] week 2024-47-v9.0 cherry pick (gitea/main -> v9.0/forgejo)' (#5998) from earl-warren/wcp/2024-47-v9.0 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5998
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-18 18:30:46 +00:00
Earl Warren
3e967fa4a0 fix(test): TestGitAttributeCheckerError must allow broken pipe
Early cancelation can lead to two kinds of error. Either canceled or
broken pipe, depending on when the goroutine stops.

Fixes: forgejo/forgejo#6012
(cherry picked from commit b9697f5227)
2024-11-18 11:32:19 +00:00
wxiaoguang
53c5469511
Fix and refactor markdown rendering (#32522)
(cherry picked from commit 5eebe1dc5fb29a162c51d050396fce7b14e47f4e)

Conflicts:
	models/repo/repo.go
	models/repo/repo_test.go
	modules/markup/html.go
	modules/markup/html_commit.go
	modules/markup/html_email.go
	modules/markup/html_emoji.go
	modules/markup/html_internal_test.go
	modules/markup/html_issue.go
	modules/markup/html_link.go
	modules/markup/html_node.go
	modules/markup/html_test.go
	modules/markup/markdown/goldmark.go
	modules/markup/markdown/markdown_test.go
	modules/markup/markdown/transform_image.go
	modules/markup/orgmode/orgmode.go
	modules/markup/orgmode/orgmode_test.go
	modules/markup/render.go
	modules/markup/render_links.go
	modules/templates/util_render.go
	modules/templates/util_render_test.go
	routers/common/markup.go
	routers/web/feed/convert.go
	routers/web/repo/wiki.go
  but a few lines survived and are useful
2024-11-17 20:50:50 +01:00
Gusted
35435c573a fix: use better code to group UID and stopwatches
- Instead of having code that relied on the result being sorted (which
wasn't specified in the query and therefore not safe to assume so). Use
a map where it doesn't care if the result that we get from the database
is sorted or not.
- Added unit test.

(cherry picked from commit e4eb82b738)
2024-11-17 19:18:45 +00:00
Gusted
1770117178
fix: extend forgejo_auth_token table
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
-Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.

(cherry picked from commit 1ce33aa38d)

v9: Removed migration - XORM can handle this case automatically without
migration. Add `DEFAULT 'long_term_authorization'`.
2024-11-15 11:33:17 +01:00
Gusted
254bded75e
fix: strict matching of allowed content for sanitizer
- _Simply_ add `^$` to regexp that didn't had it yet, this avoids any
content being allowed that simply had the allowed content as a
substring.
- Fix file-preview regex to have `$` instead of `*`.

(cherry picked from commit 7067cc7da4)

v9: added fix for ref-issue, this is already fixed in forgejo branch but
not backported as it was part of a feature.
2024-11-15 11:32:51 +01:00
Gusted
de389f2ecc fix: handle renamed dependency for cargo registery
- When a dependency is renamed, specified via `package="actual-name"` in
Cargo.toml, this should become the name of the depedency when the
package is retrieved from the registery by cargo and the old name should
be available in the `package` field.
- The reference implementation also does this: 490e66a9d6/src/controllers/krate/publish.rs (L702-L705)
- Resolves #5936
- Unit test added.

(cherry picked from commit bb93d3e6c8)
2024-11-13 22:56:30 +00:00
Earl Warren
11f71dcb09 fix: add label to issues and PR labeled/unlabeled events
When a workflow has

on:
  pull_request:
    types:
      - labeled
      - unlabeled

The payload misses the label field describing the added or removed
label.

The unlabeled event type was also incorrectly mapped to the labeled
event type.

(cherry picked from commit 58e3c1fbdb)
2024-11-04 14:10:27 +00:00
Shiny Nematoda
908bd64238
fix(grep): fix git-grep for code search when git version is below 2.38
(cherry picked from commit f2ab4ff83a)

Conflicts:
	modules/git/grep.go
  trivial context conflict
2024-10-31 21:26:03 +01:00
Gusted
1f62fe8ae0 fix: make branch protection work for new branches
- If `GetAffectedFiles` is called for a push with an empty oldCommitID,
then set the oldCommitID to the empty tree. This will effictively diff
all the changes included in the push, which is the expected behavior for
branches.
- Integration test added.
- Resolves #5683
- Port of gitea#31778 but implemented differently.

(cherry picked from commit f5e025917f)
2024-10-24 20:21:43 +00:00
Gusted
f3b16e1363 fix: Specify default value for EXPLORE_DEFAULT_SORT.
- This is another regression from
5a0bc35799, where the default value was
changed to "alphabetically" because it relied on `ExploreDefaultSort`
providing a fallback value.
- Set the default value for `EXPLORE_DEFAULT_SORT` to `recentupdate`,
this was already the behavior explicitly for existing users of this setting
but with 5a0bc35799 it didn't provide a
explicit fallback to `recentupdate`. So opting for a 'easy' fix, that
doesn't add boilerplate code to those instances.

(cherry picked from commit f4be4e733c)
2024-10-20 23:07:18 +00:00
Gusted
aec4a0dd59 [BUG] Make chroma match case-insenstive
- In the case that [go-enry](https://github.com/go-enry/go-enry/)
returned langauge doesn't match a lexer name (Either because its not
available or because it doesn't match Chroma's name), a last effort
attempt is made to use Chroma's matching.
- go-enry already applies `strings.ToLower` onto the filename to avoid
being case-sensitive, add the same code for Chroma's matching. The code
being used doesn't rely on the filename being case senstive for correct
matching.
- Adds unit test.
- Resolves #752

(cherry picked from commit dcc442351d)
2024-10-11 17:35:54 +00:00
ehshi
d62cbfe923 update git book link to v2 (#5503)
## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [ ] in their respective `*_test.go` for unit tests.
  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [ ] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

Co-authored-by: Ehsan Shirvanian <ehsan@duck.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5503
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: ehshi <ehshi@noreply.codeberg.org>
Co-committed-by: ehshi <ehshi@noreply.codeberg.org>
(cherry picked from commit 82b1ab56de)
2024-10-09 09:29:23 +00:00
Bruno Sofiato
4cb10ff28a
Fixed race condition when deleting documents by repoId in ElasticSearch (#32185)
Resolves #32184

---------

Signed-off-by: Bruno Sofiato <bruno.sofiato@gmail.com>
(cherry picked from commit d266d190bd744b7b6f572bf69a42013e21b9be62)
2024-10-06 11:45:22 +02:00
yp05327
c400f26e6c
Fix wrong status of Set up Job when first step is skipped (#32120)
Fix #32089

(cherry picked from commit 6fa962f409c84477a7a4cf35b4a38a4a93fc3224)
2024-09-29 11:52:09 +02:00
Earl Warren
5442b0a6b1 Merge pull request '[v9.0/forgejo] feat: add architecture-specific removal support for arch package' (#5407) from bp-v9.0/forgejo-89742c4 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5407
2024-09-27 12:09:01 +00:00
Exploding Dragon
658ed564cb feat: add architecture-specific removal support for arch package (#5351)
- [x] add architecture-specific removal support
- [x] Fix upload competition
- [x] Fix not checking input when downloading

docs: https://codeberg.org/forgejo/docs/pulls/874

### Release notes

- [ ] I do not want this change to show in the release notes.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5351
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Exploding Dragon <explodingfkl@gmail.com>
Co-committed-by: Exploding Dragon <explodingfkl@gmail.com>
(cherry picked from commit 89742c4913)
2024-09-27 08:29:09 +00:00
Lunny Xiao
ba7da0af31 Use camo.Always instead of camo.Allways (#32097)
Fix #31575

https://gitea.com/gitea/docs/pulls/73
(cherry picked from commit 8e2dd5d3ddfb442937c79f05df88d18b856952cb)
(cherry picked from commit 2ffb08bb88)
2024-09-27 08:13:30 +00:00
Jamie Schouten
74712e3400 Add bin to Composer Metadata (#32099)
This PR addresses the missing `bin` field in Composer metadata, which
currently causes vendor-provided binaries to not be symlinked to
`vendor/bin` during installation.

In the current implementation, running `composer install` does not
publish the binaries, leading to issues where expected binaries are not
available.

By properly declaring the `bin` field, this PR ensures that binaries are
correctly symlinked upon installation, as described in the [Composer
documentation](https://getcomposer.org/doc/articles/vendor-binaries.md).

(cherry picked from commit d351a42494e71b5e2da63302c2f9b46c78e6dbde)
(cherry picked from commit 9d34731198)
2024-09-27 08:13:30 +00:00
Lunny Xiao
6c16834d28 Fix wrong last modify time (#32102)
(cherry picked from commit a802508f88e546bf18990559e44bf27a09c869ee)
(cherry picked from commit f709de2403)
2024-09-27 08:13:30 +00:00
Earl Warren
1a8f1482af feat: add IfZero utility function
(cherry picked from commit 43de021ac1ca017212ec75fd88a8a80a9db27c4c)
(cherry picked from commit 1bdf334844)
2024-09-27 08:13:29 +00:00
hiifong
84718e7b17 Lazy load avatar images (#32051)
(cherry picked from commit f38e1014483b84f4541ffb354cd5dfdd7e000e2c)
(cherry picked from commit 9d5f409a5a)
2024-09-27 08:13:29 +00:00
Bram Hagens
4a74113dee
feat(ui): add more emoji and code block rendering in issues 2024-09-24 14:20:33 +02:00
Jason Song
2da0ebbd23
Support allowed hosts for migrations to work with proxy (#32025)
(cherry picked from commit 125679f2e14cdc8a26a147f7e8fd0e5f174fb5cb)
2024-09-14 17:52:54 +02:00
Jason Song
5b1990b3b2
Increase cacheContextLifetime to reduce false reports (#32011)
Replace #32001.

To prevent the context cache from being misused for long-term work
(which would result in using invalid cache without awareness), the
context cache is designed to exist for a maximum of 10 seconds. This
leads to many false reports, especially in the case of slow SQL.

This PR increases it to 5 minutes to reduce false reports.

5 minutes is not a very safe value, as a lot of changes may have
occurred within that time frame. However, as far as I know, there has
not been a case of misuse of context cache discovered so far, so I think
5 minutes should be OK.

Please note that after this PR, if warning logs are found again, it
should get attention, at that time it can be almost 100% certain that it
is a misuse.

(cherry picked from commit a323a82ec4bde6ae39b97200439829bf67c0d31e)
2024-09-14 17:09:03 +02:00
Lunny Xiao
5f312250eb
Use forum.gitea.com instead of old URL (#31989)
(cherry picked from commit a5818470fe62677d8859b590b2d80b98fe23d098)
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>

Conflicts:
	- .github/ISSUE_TEMPLATE/bug-report.yaml
	  .github/ISSUE_TEMPLATE/config.yml
	  .github/ISSUE_TEMPLATE/feature-request.yaml
	  .github/ISSUE_TEMPLATE/ui.bug-report.yaml
	  templates/install.tmpl
      All of these are Gitea-specific. Resolved the conflict by not
      picking their change.
2024-09-09 20:54:47 +02:00
Lunny Xiao
3ad20e27ae
Fix index too many file names bug (#31903)
Try to fix #31884
Fix #28584

(cherry picked from commit 286ede47ad683bf0431e531e82019cd016cc54dd)
2024-09-09 20:54:39 +02:00
Otto
864eabebba Merge pull request 'chore: remove extra go-sqlite3 imports' (#5243) from yoctozepto/no-extra-sqlite into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5243
Reviewed-by: Otto <otto@codeberg.org>
2024-09-08 00:20:45 +00:00
Gusted
912fe49ab3
Construct screen 2024-09-06 20:24:51 +02:00
Radosław Piliszek
f0a6ea454f chore: remove extra go-sqlite3 imports
go-sqlite3 is already properly included conditionally within the
`modules/setting` package.
2024-09-06 09:36:08 +00:00
Gusted
c2e11058bb
chore: update mock redis client
- Follow up of #5173
2024-09-01 05:42:34 +02:00
Gusted
500e0e8602 Merge pull request 'chore: Only implement used API of Redis client' (#5173) from gusted/forgejo-redis-binary-size into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5173
Reviewed-by: Otto <otto@codeberg.org>
2024-08-31 23:08:17 +00:00
Earl Warren
293203cb64 Merge pull request 'chore(ci): Cache generated binary across jobs' (#5130) from fnetx/runner-caching into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5130
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-30 05:47:01 +00:00
Gusted
9df10c5ac5
[FEAT] Only implement used API of Redis client
- Currently for the `nosql` module (which simply said provides a manager
for redis clients) returns the
[`redis.UniversalClient`](https://pkg.go.dev/github.com/redis/go-redis/v9#UniversalClient)
interface. The interfaces exposes all available commands.
- In generalm, dead code elimination should be able to take care of not
generating the machine code for methods that aren't being used. However
in this specific case, dead code elimination either is disabled or gives
up on trying because of exhaustive call stack the client by
`GetRedisClient` is used.
- Help the Go compiler by explicitly specifying which methods we use.
This reduces the binary size by ~400KB (397312 bytes). As Go no longer
generate machine code for commands that aren't being used.
- There's a **CAVEAT** with this, if a developer wants to use a new
method that isn't specified, they will have to know about this
hack (by following the definition of existing Redis methods) and add the
method definition from the Redis library to the `RedisClient` interface.
2024-08-30 04:33:15 +02:00
Exploding Dragon
6eb88be6e8 Merge branch 'forgejo' into bugfix-arch 2024-08-29 12:39:16 +00:00
Gusted
c87655b7ff Merge pull request '[CHORE] Move cache & captcha library' (#5146) from gusted/forgejo-captcha into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5146
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-29 08:02:09 +00:00
Exploding Dragon
3a55604d3c Merge branch 'forgejo' into bugfix-arch 2024-08-28 00:38:10 +00:00
Gusted
bf0d100b84
[CHORE] Move cache library
- This is in the spirit of #5090.
- Move to a fork of gitea.com/go-chi/cache,
code.forgejo.org/go-chi/cache. It removes unused code (a lot of
adapters, that can't be used by Forgejo) and unused dependencies (see
go.sum). Also updates existing dependencies.
8c64f1a362..main
2024-08-27 21:28:56 +02:00
Earl Warren
9addaedaf3 Merge pull request '[gitea] week 2024-35 cherry pick (gitea/main -> forgejo)' (#5109) from algernon/wcp/2024-35 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5109
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-27 06:09:19 +00:00
Exploding Dragon
bc4849a904 Merge branch 'forgejo' into bugfix-arch 2024-08-27 02:34:54 +00:00
Otto
bf65f1e510 Merge pull request 'feat: Trivial default quota configuration' (#5125) from algernon/forgejo:falling-in-reverse into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5125
Reviewed-by: Otto <otto@codeberg.org>
2024-08-27 01:22:41 +00:00
Otto Richter
72408c7d68 Cache generated binary across jobs
- retrieved by the commit hash
- removes bindata tags from integration tests, because it does not seem
  to be required
- due to the missing automatically generated data, the zstd tests fail
  (they use repo data including node_modules (!) as input to the test,
  there is no apparent reason for the size constants)
2024-08-26 23:43:09 +02:00
Gusted
d623126103 Merge pull request '[PORT] Refactor the usage of batch catfile (gitea#31754)' (#5122) from gusted/forgejo-port-gt-31754 into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5122
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 16:04:47 +00:00
Gergely Nagy
3b70949651
feat: Trivial default quota configuration
This adds a new configuration setting: `[quota.default].TOTAL`, which
will be used if no groups are configured for a particular user. The new
option makes it possible to entirely skip configuring quotas via the API
if all that one wants is a total size.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-08-26 13:25:34 +02:00
Earl Warren
190b5a3859 Merge pull request '[FIX] Don't allow SSH authentication without ssh executable' (#5123) from gusted/forgejo-prevent-no-ssh into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5123
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-26 08:03:52 +00:00