Commit graph

17141 commits

Author SHA1 Message Date
Giteabot
d97cd15a1b
Fix missed return (#29450) (#29453)
Backport #29450 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 2df38af752c13ca02a899d6a53848c68259d3336)
2024-03-10 18:08:05 +07:00
Lunny Xiao
40c602df9b
Fix template bug (#27581) (#29446)
Fix #29152
Backport #27581

(cherry picked from commit dc48eb070b2e4143739b7ab22bb9e172af90106d)
2024-03-10 18:07:56 +07:00
Giteabot
40318cf9c3
Not trigger all jobs any more, when re-running the first job (#29439) (#29441)
Backport #29439 by @sillyguodong

Previously, it will be treated as "re-run all jobs" when `jobIndex ==
0`. So when you click re-run button on the first job, it triggers all
the jobs actually.

Caused by #26535.

Co-authored-by: sillyguodong <33891828+sillyguodong@users.noreply.github.com>
(cherry picked from commit 9456deb512db59025cae26d82812ff880c5ea3bc)
2024-03-10 18:06:44 +07:00
Giteabot
47409b2fa0
Ignore empty repo for CreateRepository in action notifier (#29416) (#29424)
Backport #29416 by @yp05327

Fix #29415

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit c758a8afba85fe1847f4d1f5441f6c62b37517ae)
2024-03-10 18:06:30 +07:00
Earl Warren
84449e9288 Merge pull request '[BUG] prevent removing session cookie when redirect_uri query contains ://' (#2606) from oliverpool/forgejo:backport2590 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2606
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-03-08 15:07:50 +00:00
Earl Warren
4696f4cefd Merge pull request 'Fix /api/v1/{owner}/{repo}/issue_templates' (#2605) from gusted/forgejo-bp-2292 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2605
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
2024-03-08 15:07:38 +00:00
oliverpool
3877a2332b implement fix 2024-03-07 22:43:38 +01:00
oliverpool
20bc8662b1 [BUG] prevent removing session cookie when redirect_uri query contains :// 2024-03-07 22:41:47 +01:00
Gergely Nagy
969d3f4410
Fix /api/v1/{owner}/{repo}/issue_templates
Backport of #2292

When issue templates were moved into services in
def4956122, the code was also refactored
and simplified. Unfortunately, that simplification broke the
`/api/v1/{owner}/{repo}/issue_templates` route, because it was
previously using a helper function that ignored invalid templates, and
after the refactor, the function it called *always* returned non-nil as
the second return value. This, in turn, results in the aforementioned
end point always returning an internal server error.

This change restores the previous behaviour of ignoring invalid files
returned by `issue.GetTemplatesFromDefaultBranch`, and adds a few test
cases to exercise the endpoint.

Other users of `GetTemplatesFromDefaultBranch` already ignore the second
return value, or handle it correctly, so no changes are necessary there.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit be8d16438a)
2024-03-07 21:50:27 +01:00
Earl Warren
6e877f02ab Merge pull request '[gitea] v1.21 cherry-pick' (#2566) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2566
2024-03-06 05:50:42 +00:00
Earl Warren
812458206f Merge pull request 'Revert "[CI] pin go v1.21.8 version"' (#2570) from earl-warren/forgejo:wip-v1.21-ci-go-action into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2570
2024-03-06 05:09:16 +00:00
Earl Warren
ded6e7a4b2
[SEMVER] 6.0.7+0-gitea-1.21.7 2024-03-06 13:05:29 +08:00
Giteabot
91a2d3ecc4
Add missing space (#29393) (#29399)
Backport #29393 by @KN4CK3R

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 0f35cb5a2a9ad3b1d78f9547148b594adc4bdabf)
2024-03-06 12:20:42 +08:00
Giteabot
40c3a1d2ea
enforce maxlength in frontend (#29389) (#29396)
Backport #29389 by @zokkis

Set maxlength attribute in frontend

to long file-name

![image](https://github.com/go-gitea/gitea/assets/72873130/15111614-55ab-4583-acb2-15c25997601d)

![image](https://github.com/go-gitea/gitea/assets/72873130/4105ddd8-4973-4da8-b3ab-4cfae1b45554)
(same for branch-name and commit-summary)

Co-authored-by: Tim-Niclas Oelschläger <72873130+zokkis@users.noreply.github.com>
(cherry picked from commit 0b3d6c399c88e42e827f422dc4c8458f0d20c613)
2024-03-06 12:20:42 +08:00
Lunny Xiao
2c802fc8f0
Display friendly error message (#29105) (#29363)
Backport #29105

`ctx.Error` only displays the text but `ctx.ServerError` renders the
usual error page.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit a1c0b3a02e54e5fe879dabccb71fba9498b64051)
2024-03-06 12:20:42 +08:00
Giteabot
a28d6686fa
Fix validity of the FROM email address not being checked (#29347) (#29360)
Backport #29347 by @carlosfelgueiras

Fixes #27188.
Introduces a check on the installation that tries to parse the FROM
address. If it fails, shows a new error message to the user.

Co-authored-by: Carlos Felgueiras <carlosfelgueiras@tecnico.ulisboa.pt>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 35db5a373babd9af157fd63eeb20d6da53320b73)
2024-03-06 12:20:42 +08:00
Lunny Xiao
e4d3067138
Fix project counter in organization/individual profile (#28068) (#29361)
Fix #28052
Backport #28068
Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/5f299983-4b38-4d68-ac0e-4be3c62c0558)

![image](https://github.com/go-gitea/gitea/assets/18380374/f0e12afd-483b-4882-80e9-0261beb3fe0c)

After:

![image](https://github.com/go-gitea/gitea/assets/18380374/47cccb7b-bb35-4a7d-9c5b-83133be0323a)

![image](https://github.com/go-gitea/gitea/assets/18380374/77825c0c-4bf2-4762-83a2-1a5a173cc22d)

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 5043ad54c7a0d1dc6bf5f1caf21b4646ec9344d3)
2024-03-06 12:20:42 +08:00
Giteabot
8e2c991b35
Fix tarball/zipball download bug (#29342) (#29352)
Backport #29342 by @Zettat123

Fix #29249

~~Use the `/repos/{owner}/{repo}/archive/{archive}` API to download.~~

Apply #26430 to archive download URLs.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 829b807a91f9895e3f4b262f688a8d0d9a44caf6)
2024-03-06 12:20:42 +08:00
Giteabot
9da608abad
Don't show third-party JS errors in production builds (#29303) (#29333)
Backport #29303 by @silverwind

So we don't get issues like
https://github.com/go-gitea/gitea/issues/29080 and
https://github.com/go-gitea/gitea/issues/29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 6ca8cb590d510c98610031675e0a316f95efaf61)
2024-03-06 12:20:42 +08:00
Giteabot
c4ac72e6a0
Only log error when tag sync fails (#29295) (#29327)
Backport #29295 by @lunny

Fix #28843

This PR will bypass the pushUpdateTag to database failure when
syncAllTags. An error log will be recorded.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit b78f5fc60f510a58d58535af77c5b424a8b5a660)
2024-03-06 12:20:42 +08:00
Lunny Xiao
790a27f38a
Fix SSPI user creation (#28948) (#29323)
Fixes #28945
Backport #28948

Setting the avatar is wrong and creating a random password is equal to
leave it empty.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 7ea2ffaf166780b7786291f7ff022e3f5b49e8c2)
2024-03-06 12:20:42 +08:00
Earl Warren
b837bd81d0
Revert "[CI] pin go v1.21.8 version"
This reverts commit e3698d8662.
2024-03-06 12:18:06 +08:00
Earl Warren
2a2b51c5f7 Merge pull request '[CI] pin go v1.21.8 version' (#2568) from earl-warren/forgejo:wip-v1.21-ci-go-action into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2568
2024-03-06 04:17:23 +00:00
techknowlogick
e7448699f6
bump protobuf module (#29617)
(cherry picked from commit 06039bf0b7ec4dffe74ae323b8bbbbedec69d0c8)

Conflicts:
	go.mod
	go.sum
	trivial context conflict
2024-03-06 11:53:02 +08:00
Earl Warren
e3698d8662
[CI] pin go v1.21.8 version
Because setup-go fails to pick it up.

Refs: https://github.com/actions/setup-go/issues/462
(cherry picked from commit d7aaefcea9d38ca50a96f34ff42efe954bce4acd)

Conflicts:
	.forgejo/workflows/build-release.yml
	.forgejo/workflows/cascade-setup-end-to-end.yml
	.forgejo/workflows/e2e.yml
	.forgejo/workflows/testing.yml
	trivial context conflict
2024-03-06 11:53:02 +08:00
Gusted
9196f0d618 Merge pull request '[BUG] Ensure HasIssueContentHistory takes into account comment_id' (#2535) from gusted/forgejo-bp-2518 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2535
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
2024-03-01 15:19:38 +00:00
Gusted
8fb027fea5
[BUG] Ensure HasIssueContentHistory takes into account comment_id
- Backport of #2518
- The content history table contains the content history of issues and
comments. For issues they are saved with an comment id of zero.
- If you want to check if the issue has an content history, it should
take into account that SQL has `comment_id = 0`, as it otherwise could
return incorrect results when for example the issue already has an
comment that has an content history.
- Fix the code of `HasIssueContentHistory` to take this into account, it
relied on XORM to generate the SQL from the non-default values of the
struct, this wouldn't generate the `comment_id = 0` SQL as `0` is the
default value of an integer.
- Remove an unncessary log (it's not the responsibility of `models`
code to do logging).
- Adds unit test.
- Resolves #2513

(cherry picked from commit 331fa44956)
2024-03-01 15:48:42 +01:00
Gusted
5d5059f42c Merge pull request '[BUG] Correct changed files for codeowners' (#2519) from gusted/forgejo-bp-2507 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2519
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-28 23:18:08 +00:00
Gusted
9b70caf798
[BUG] Correct changed files for codeowners
- Backport of #2507
- The CODEOWNER feature relies on the changed files to determine which
reviewers should be added according to the `CODEOWNER` file.
- The current approach was to 'diff' between the base and head branch,
which seems logical but fail in practice when the pull request is out of
date with the base branch. Therefore it should instead diff between the
head branch and the merge base of the head and base branch, so only the
actual affected files by the pull requests are used, the same approach
is used by the diff of an unmerged pull request.
- Add integration testing (for the feature as well).
- Resolves #2458

(cherry picked from commit fb2795b5bb)
2024-02-28 20:13:20 +01:00
Earl Warren
ab67eb7d8a Merge pull request '[BUG] Remember topic only in repo search' (#2508) from gusted/forgejo-bp-2489 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2508
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-28 10:20:12 +00:00
Gusted
9955e38fa2
[BUG] Remember topic only in repo search
- Backport of #2489
- If the user is searching repositories with an specific topic, adding
any other filter option, such as showing unrelevant repositories or
using another sort Forgejo should remember that 'topic only' was set.
- Adds integration test.
- Resolves #2461

(cherry picked from commit b4360d504c)
2024-02-27 23:37:26 +01:00
Gusted
da9473cd4d Merge pull request '[BUG] Log FindRenamedBranch error' (#2468) from gusted/forgejo-fix-error into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2468
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-25 15:13:28 +00:00
Gusted
255b60931f
[BUG] Log FindRenamedBranch error
- Fix error string to add an `%v` verb to log the error correctly.
2024-02-25 15:40:18 +01:00
Earl Warren
031822b8fc Merge pull request '[SECURITY] Fix XSS vulnerabilities' (#2434) from earl-warren/forgejo:wip-v1.21-xss into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2434
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-02-22 15:03:20 +00:00
Gusted
d3de80b9cc
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
2024-02-22 15:35:04 +01:00
Gusted
fe2df46d05
[SECURITY] Fix XSS in dismissed review
- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.
2024-02-22 15:04:36 +01:00
Gusted
92dae3a387
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
2024-02-22 15:04:11 +01:00
Earl Warren
5048478147 Merge pull request '[gitea] v1.21 cherry-pick' (#2430) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2430
2024-02-22 13:00:38 +00:00
Zettat123
9a63c6f39a
Fix error display when merging PRs (#29288) (#29309)
Backport #29288
Partially fix #29071, regression of Modernize merge button #28140

Fix some missing `Redirect` -> `JSONRedirect`.

Thanks @yp05327 for the help in
https://github.com/go-gitea/gitea/issues/29071#issuecomment-1931261075

(cherry picked from commit dcb9c38568dc4e9502fc416de237cce0eac41cba)
2024-02-22 13:10:12 +01:00
Gusted
d24c37e132
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
trough `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited, the names of authors and commiters on a Git
commit is user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do use, as they actually strip `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as they don't have such restrictions.
- Pass `.Author.Name` trough `Escape` in order to be sanitized.
2024-02-22 13:04:47 +01:00
jolheiser
33af169223
[SECURITY] review(kn4ck3r): more template escapes
Signed-off-by: jolheiser <john.olheiser@gmail.com>
2024-02-22 12:54:34 +01:00
yp05327
47e70bbf0e
Fix gitea-action user avatar broken on edited menu (#29190) (#29307)
Backport #29190

Fix #29178

(cherry picked from commit f80ea95eb538decad4d982ce96f640b18e430393)
2024-02-22 11:07:39 +01:00
wxiaoguang
3a061083d6
Fix missing link on outgoing new release notifications (#29079) (#29300)
Backport #29079

Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit c4a86b20a4ecef749caed4e9e1381c1736cb0309)
2024-02-22 11:07:31 +01:00
wxiaoguang
8a2c4e9ff2
Fix debian InRelease Acquire-By-Hash newline (#29204) (#29299)
Backport #29204

Co-authored-by: Robin Schoonover <robin@cornhooves.org>
(cherry picked from commit f634982d237b38e0634c5997612f50230898247e)
2024-02-22 11:07:28 +01:00
wxiaoguang
a1fb6a2346
Always write proc-receive hook for all git versions (#29287) (#29291)
Backport #29287

(cherry picked from commit 9379352db638aa99ee9f4a7d2755966f3d866541)
2024-02-22 11:07:23 +01:00
Zettat123
c49dd9de9b
Do not show delete button when time tracker is disabled (#29257) (#29279)
Backport #29257
Fix #29233

The delete button of time logs won't be shown when the time tracker is
disabled.

![image](https://github.com/go-gitea/gitea/assets/15528715/5cc4e0c9-d2f9-4b8f-a2f5-fe202b94c191)

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit e940443b276fa4f30633902f025fd2adad1b22de)
2024-02-22 11:07:20 +01:00
Earl Warren
2c567ea193 Merge pull request '[BUG] Initialize Git for hook regeneration' (#2421) from gusted/forgejo-bp-2416 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2421
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-21 14:41:45 +00:00
Gusted
2fb2e832c5
[BUG] Initalize Git for hook regeneration
- Backport of #2416
- The hook regeneration code relies on `git.SupportProcReceive` being
set to determine if the `proc-receive` hook should be written, this
variable is set when the git module is initialized.
- Resolves #2414

(cherry picked from commit 815abad84c)
2024-02-21 14:43:43 +01:00
Earl Warren
ceca25d374 Merge pull request '[gitea] v1.21 cherry-pick' (#2407) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2407
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-20 15:47:19 +00:00
Earl Warren
44906f85f7 Merge pull request '[SEMVER] 6.0.6+0-gitea-1.21.6' (#2409) from earl-warren/forgejo:wip-v1.21-semver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2409
2024-02-20 11:22:31 +00:00