Commit graph

19133 commits

Author SHA1 Message Date
Archer
a228ab3ab2
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
(cherry picked from commit 1b088fade6)
2024-06-06 12:05:37 +02:00
Earl Warren
8f88817c00 test(oauth): RFC 6749 Section 10.2 conformance
See:

1b088fade6 Prevent automatic OAuth grants for public clients
07fe5a8b13 use existing oauth grant for public client

(cherry picked from commit 592469464b)
2024-06-06 10:01:56 +00:00
Earl Warren
71c4eee50d Merge pull request '[v7.0/forgejo] chore(dependency): whitelist mholt/archiver/v3 CVE-2024-0406' (#4035) from earl-warren/forgejo:wip-v7.0-archiver into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4035
Reviewed-by: proton-ab <proton-ab@noreply.codeberg.org>
2024-06-05 22:17:19 +00:00
Earl Warren
e7977767fa
chore(dependency): whitelist mholt/archiver/v3 CVE-2024-0406
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: https://github.com/mholt/archiver/issues/404
(cherry picked from commit 3bfec270ac)

Conflicts:
	go.sum
	trivial context conflict
2024-06-05 22:19:30 +02:00
Earl Warren
e17e243624 Merge pull request '[v7.0/forgejo] test(oauth): coverage for the redirection of a denied grant' (#4029) from bp-v7.0/forgejo-32c882a into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4029
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-05 17:17:29 +00:00
Earl Warren
a930cb847a Merge pull request '[v7.0/forgejo] fix(oauth): HTML snippets in templates can be displayed' (#4031) from bp-v7.0/forgejo-caadd18 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4031
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-05 16:03:15 +00:00
Earl Warren
32673ad6a6 Merge pull request '[v7.0/forgejo] test(avatar): deleting a user avatar and file is atomic' (#4017) from bp-v7.0/forgejo-c139efb-20148e0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4017
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-05 15:27:58 +00:00
Zettat123
d841e95191
Return access_denied error when an OAuth2 request is denied (#30974)
According to [RFC
6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1),
when the resource owner or authorization server denied an request, an
`access_denied` error should be returned. But currently in this case
Gitea does not return any error.

For example, if the user clicks "Cancel" here, an `access_denied` error
should be returned.

<img width="360px"
src="https://github.com/go-gitea/gitea/assets/15528715/be31c09b-4c0a-4701-b7a4-f54b8fe3a6c5"
/>

(cherry picked from commit f1d9f18d96050d89a4085c961f572f07b1e653d1)
(cherry picked from commit 886a675f62)
2024-06-05 17:19:22 +02:00
Earl Warren
f1301542b8 fix(oauth): HTML snippets in templates can be displayed
These changes were missed when cherry-picking the following

c9d0e63c202827756c637d9ca7bbde685c1984b7 Remove unnecessary "Str2html" modifier from templates (#29319)

Fixes: https://codeberg.org/forgejo/forgejo/issues/3623
(cherry picked from commit caadd1815a)
2024-06-05 15:18:43 +00:00
Earl Warren
40bf161ff0 test(oauth): coverage for the redirection of a denied grant
See 886a675f62 Return `access_denied` error when an OAuth2 request is denied

(cherry picked from commit 32c882af91)
2024-06-05 14:19:38 +00:00
Earl Warren
cf2d8b57ae
test(avatar): deleting a user avatar is idempotent
If the avatar file in storage does not exist, it is not an error and
the database can be updated.

See 1be797faba Fix bug on avatar

(cherry picked from commit d2c4d833f4)
2024-06-05 16:02:24 +02:00
Lunny Xiao
32d8ada0e7
Fix bug on avatar (#31008)
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 58a03e9fadb345de5653345c2a68ecfd0750940a)
(cherry picked from commit 1be797faba)
2024-06-05 08:04:10 +02:00
Earl Warren
3ba58114c7 test(avatar): deleting a user avatar and file is atomic
The avatar must not be unset in the database if there is a failure to
remove the avatar file from storage (file or S3). The two operations
are wrapped in a transaction for that purpose and this test verifies
it is effective.

See 1be797faba Fix bug on avatar

(cherry picked from commit c139efb1e9)
2024-06-04 22:39:38 +00:00
Earl Warren
afba61f55d test(storage): export UninitializedStorage to simulate failure
(cherry picked from commit 20148e061a)
2024-06-04 22:39:38 +00:00
Earl Warren
e17e330712 Merge pull request '[gitea] week 2024-23-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#4004) from earl-warren/wcp/2024-23-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4004
Reviewed-by: Victoria <efertone@noreply.codeberg.org>
2024-06-04 07:47:02 +00:00
Giteabot
e04b490cf6
Fix overflow in issue card (#31203) (#31225)
Backport #31203 by @silverwind

Before:

<img width="373" alt="Screenshot 2024-06-01 at 01 31 26"
src="https://github.com/go-gitea/gitea/assets/115237/82a210f2-c82e-4b7e-ac43-e70e46fa1186">

After:
<img width="376" alt="Screenshot 2024-06-01 at 01 31 32"
src="https://github.com/go-gitea/gitea/assets/115237/82d1b9f7-4fad-47bd-948a-04e1e7e006e6">

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 0328f31fdc9b82efe7110cd2107628c2004e5be4)
2024-06-03 17:41:13 +02:00
Giteabot
4e233dd190
Fix the possible migration failure on 286 with postgres 16 (#31209) (#31218)
Backport #31209 by @lunny

Try to fix #31205

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 68e405cf0b00e475c089d8b94cc076d269ab9bb9)
2024-06-03 09:51:27 +02:00
Giteabot
4ad7c599e7
Fix branch order (#31174) (#31193)
Backport #31174 by @lunny

Fix #31172

The original order or the default order should not be ignored even if we
have an is_deleted order.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit c6176ee59f4a25607dcfbc00757121f705101101)
2024-06-03 09:49:40 +02:00
Lunny Xiao
d462b6d495
Fix push multiple branches error with tests (#31151)
(cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482)

Conflicts:
	tests/integration/git_push_test.go
	trivial context conflict because of
	2ac3dcbd43 test: hook post-receive for sha256 repos
(cherry picked from commit 62448bfb93)
(cherry picked from commit e8c776c79384c1c0a4d707ce5084b27347703848)
2024-06-03 09:47:51 +02:00
Earl Warren
4d0a5ea317 Merge pull request '[v7.0/forgejo] fix(hook): repo admins are wrongly denied the right to force merge' (#3997) from earl-warren/forgejo:wip-7.0-admin-protection into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3997
Reviewed-by: Victoria <efertone@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-06-03 04:51:53 +00:00
Earl Warren
2df082393e
fix(hook): repo admins are wrongly denied the right to force merge
The right to force merge is uses the wrong predicate and
applies to instance admins:

  ctx.user.IsAdmin

It must apply to repository admins and use the following predicate:

 ctx.userPerm.IsAdmin()

This regression is from the ApplyToAdmins implementation in
79b7089360.

Fixes: https://codeberg.org/forgejo/forgejo/issues/3780
(cherry picked from commit 09f3518069)
2024-06-02 22:05:16 +02:00
Earl Warren
baec3dc6b9
fix(hook): instance admins wrongly restricted by permissions checks
This exception existed for both instance admins and repo admins
before ApplyToAdmins was introduced in
79b7089360.

It should have been kept for instance admins only because they are not
subject to permission checks.

(cherry picked from commit 05f0007437)
2024-06-02 22:05:16 +02:00
Earl Warren
bad8e72bcd
tests(integration): add TestPullMergeBranchProtect
Verify variations of branch protection that are in play when merging a
pull request as:

* instance admin
* repository admin / owner
* user with write permissions on the repository

In all cases the result is expected to be the same when merging
the pull request via:

* API
* web

Although the implementations are different.

(cherry picked from commit 793421bf59)

Conflicts:
	tests/integration/pull_merge_test.go
	trivial context conflict
2024-06-02 22:05:08 +02:00
Earl Warren
6827a4a669
test(integration): add protected file to doBranchProtect
A protected file pushed to a protected branch branch is not allowed.

(cherry picked from commit e0eba21ab7)
2024-06-02 22:00:40 +02:00
Earl Warren
e0cd813927
test(integration): refactor doBranchProtectPRMerge
* group test cases to clarify their purpose
* remove pull request branch protection tests, they are redundant
  with TestPullMergeBranchProtect

(cherry picked from commit 0d8478b82e)

Conflicts:
	tests/integration/git_test.go
	trivial context conflict
2024-06-02 22:00:18 +02:00
Earl Warren
9b17f6fd24
test(integration): refactor testPullMerge
* split into testPullMergeForm which can be called directly if
  the caller wants to specify extra parameters.
* testPullMergeForm can expect something different than StatusOK

(cherry picked from commit 20591d966e)
2024-06-02 21:53:46 +02:00
Earl Warren
9cd730a063
test(integration): refactor doAPIMergePullRequest
* http.StatusMethodNotAllowed can be expected: only retry if the
  error message is "Please try again later"
* split into doAPIMergePullRequestForm which can be called directly if
  the caller wants to specify extra parameters.

(cherry picked from commit 49aea9879b)
2024-06-02 21:53:46 +02:00
Earl Warren
68d803aae4
test(integration): refactor doProtectBranch
explicitly specify the parameters instead of providing them as
arguments so the caller has a more fine grain control over them.

(cherry picked from commit 70aa294cc1)
2024-06-02 21:53:46 +02:00
Earl Warren
b4d792d2a2
test(integration): add t.Helper() to reduce stack polution
Without the a testify stack is likely to not show the relevant test.

(cherry picked from commit 4c2ed3c35d)
2024-06-02 21:53:46 +02:00
Earl Warren
2f9be3e824 Merge pull request '[v7.0/forgejo] Add multiple missed return after an error condition' (#3960) from earl-warren/forgejo:wip-v7.0-missed-return into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3960
Reviewed-by: Victoria <efertone@noreply.codeberg.org>
2024-06-02 16:25:10 +00:00
Earl Warren
3b7ad8ef9e Merge pull request '[v7.0/forgejo] add missed return in POST /repos/{owner}/{repo}/push_mirrors' (#3994) from bp-v7.0/forgejo-166bb28-5747951-ba37b9e into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3994
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-02 16:23:19 +00:00
Earl Warren
4cbfd383e9 tests(api): POST /repos/{owner}/{repo}/push_mirrors coverage
(cherry picked from commit 166bb2861f)
2024-06-02 15:45:31 +00:00
Earl Warren
d900842fd7 test(mock): DeletePushMirrors & AddPushMirrorRemote
make them into variables that can be mocked

(cherry picked from commit 5747951cc7)
2024-06-02 15:45:31 +00:00
Lunny Xiao
bcb473dd2a Add missed return after ctx.ServerError (#31130) (partial)
Only routers/api/v1/repo/mirror.go

(cherry picked from commit b6f15c7948ac3d09977350de83ec91d5789ea083)
(cherry picked from commit ba37b9e577)
2024-06-02 15:45:31 +00:00
Earl Warren
089afd4086 Merge pull request 'Revert "Fix error on renaming merged PRs (#3840)"' (#3987) from 0ko/forgejo:revert-bug-causing-bug into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3987
Reviewed-by: Mai-Lapyst <mai-lapyst@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-02 15:27:35 +00:00
Earl Warren
8da2acff43 Merge pull request '[v7.0/forgejo] test(util): MockProtect when mocking multiple times' (#3993) from bp-v7.0/forgejo-884b3c0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3993
Reviewed-by: Victoria <efertone@noreply.codeberg.org>
2024-06-02 15:26:59 +00:00
Earl Warren
35d5ef0649 test(util): MockProtect when mocking multiple times
It is fine to use MockVariableValue to change a setting such as:

defer test.MockVariableValue(&setting.Mirror.Enabled, true)()

But when testing for errors and mocking a function, multiple variants
of the functions will be used, not just one. MockProtect a function
will make sure that when the test fails it always restores a sane
version of the function. For instance:

defer test.MockProtect(&mirror_service.AddPushMirrorRemote)()

mirror_service.AddPushMirrorRemote = mockOne
do some tests that may fail

mirror_service.AddPushMirrorRemote = mockTwo
do more tests that may fail

(cherry picked from commit 884b3c0f4b)
2024-06-02 14:32:00 +00:00
Earl Warren
8fc16691e0 Merge pull request '[v7.0/forgejo] Cleanup & add missing options to app.example.ini (#3983)' (#3986) from Mai-Lapyst/forgejo:backport-cleanup-app-example-ini-3983 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3986
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-02 13:13:12 +00:00
0ko
e3dc128776 Merge pull request '[v7.0/forgejo] [I18N] Translations update from Weblate' (#3990) from bp-v7.0/forgejo-ebabb96 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3990
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-06-02 12:42:54 +00:00
Codeberg Translate
cb481411b7 [I18N] Translations update from Weblate (#3908)
Translations update from [Weblate](https://translate.codeberg.org) for [Forgejo/forgejo](https://translate.codeberg.org/projects/forgejo/forgejo/).

Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: wintryexit <weatherdowner@proton.me>
Co-authored-by: leana8959 <leana8959@users.noreply.translate.codeberg.org>
Co-authored-by: hankskyjames777 <hankskyjames777@users.noreply.translate.codeberg.org>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: Atalanttore <Atalanttore@users.noreply.translate.codeberg.org>
Co-authored-by: kdh8219 <kdh8219@monamo.dev>
Co-authored-by: Kaede Fujisaki <ledyba@users.noreply.translate.codeberg.org>
Co-authored-by: purkwiat <purkwiat@gmail.com>
Co-authored-by: KaKi87 <KaKi87@users.noreply.translate.codeberg.org>
Co-authored-by: Kita Ikuyo <searinminecraft@courvix.com>
Co-authored-by: gitcookie-1 <gitcookie-1@users.noreply.translate.codeberg.org>
Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: Dirk <Dirk@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3908
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
(cherry picked from commit ebabb96ce0)
2024-06-02 12:02:27 +00:00
0ko
af49331f38 Revert "Fix error on renaming merged PRs (#3840)"
This reverts commit 0b01434aa3.
2024-06-02 13:38:00 +05:00
Mai-Lapyst
42d4c16c37
Cleanup & add missing options to app.example.ini
(cherry picked from commit c3d60ed9f7)
2024-06-02 09:40:05 +02:00
Giteabot
7bd9597803
Missed return on error part of: Fix bug on avatar (#31008) (#31019)
Backport #31008 by @lunny

Extract from #30995

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 8446caa813f676398411d3544cc05a42fd708cd1)
2024-05-31 14:56:16 +02:00
Giteabot
3bdf9eae01
Add missed return after ctx.ServerError (#31130) (#31133)
Backport #31130 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit e6bacf1fed57e33fcbbb7d57782bfc5daa8f2fee)
2024-05-31 14:35:19 +02:00
Earl Warren
ebf1ba683b Merge pull request '[gitea] week 2024-22-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#3942) from earl-warren/wcp/2024-22-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3942
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-05-30 20:01:42 +00:00
Earl Warren
4af90387d4 Merge pull request '[v7.0/forgejo] Add an immutable tarball link to archive download headers for Nix' (#3946) from bp-v7.0/forgejo-6631f56 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3946
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-05-29 19:22:14 +00:00
Jade Lovelace
900381d6e9 Add an immutable tarball link to archive download headers for Nix
This allows `nix flake metadata` and nix in general to lock a *branch*
tarball link in a manner that causes it to fetch the correct commit even
if the branch is updated with a newer version.

For further context, Nix flakes are a feature that, among other things,
allows for "inputs" that are "github:someuser/somerepo",
"https://some-tarball-service/some-tarball.tar.gz",
"sourcehut:~meow/nya" or similar. This feature allows our users to fetch
tarballs of git-based inputs to their builds rather than using git to
fetch them, saving significant download time.

There is presently no gitea or forgejo specific fetcher in Nix, and we
don't particularly wish to have one. Ideally (as a developer on a Nix
implementation myself) we could just use the generic tarball fetcher and
not add specific forgejo support, but to do so, we need additional
metadata to know which commit a given *branch* tarball represents, which
is the purpose of the Link header added here.

The result of this patch is that a Nix user can specify `inputs.something.url =
"https://forgejo-host/some/project/archive/main.tar.gz"` in flake.nix
and get a link to some concrete tarball for the actual commit in the
lock file, then when they run `nix flake update` in the future, they
will get the latest commit in that branch.

Example of it working locally:

 » nix flake metadata --refresh 'http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix'
Resolved URL:  http://localhost:3000/api/v1/repos/jade/cats/archive/main.tar.gz?dir=configs/nix
Locked URL:    804ede182b.tar.gz?dir=configs
/nix&narHash=sha256-yP7KkDVfuixZzs0fsqhSETXFC0y8m6nmPLw2GrAMxKQ%3D
Description:   Computers with the nixos
Path:          /nix/store/s856c6yqghyan4v0zy6jj19ksv0q22nx-source
Revision:      804ede182b6b66469b23ea4d21eece52766b7a06
Last modified: 2024-05-02 00:48:32

For details on the header value, see:
56763ff918/doc/manual/src/protocols/tarball-fetcher.md

(cherry picked from commit 6631f56ebf)
2024-05-29 18:50:14 +00:00
Earl Warren
6d9fe1db67 Merge pull request '[v7.0/forgejo] migrations: Map non-existant external users to Ghost' (#3936) from bp-v7.0/forgejo-ade7304 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3936
Reviewed-by: Gergely Nagy <algernon@noreply.codeberg.org>
2024-05-29 18:20:04 +00:00
silverwind
def21375b7
Change --border-radius-circle to --border-radius-full (gitea#30936)
Cherry-pick of 2ced31e81d adapted to Forgejo releases UI.

Percentage-based `border-radius` [creates undesirable
ellipse](https://jsfiddle.net/silverwind/j9ko5wnt/4/) on non-square
content. Instead, use pixel value and use same wording `full` like
tailwind does, but increast to 99999px over their 9999px.

(cherry picked from commit 2ced31e81dd9e45659660c1abff529d0192fd8ed)
Adapted by @0ko

(cherry picked from commit afa1380672)
(cherry picked from commit 7b7318255e68ee7e4d0f5b1b8e5ef91cd72a59e5)
2024-05-29 13:52:42 +02:00
Kemal Zebari
43303922a8
Sync up deleted branches & action assets related cleanup documentation (#31022)
Syncs up docs associated to actions and deleted branch cleanup i.e. in
custom/app.example.ini and the config cheat sheet.

(cherry picked from commit c9eac519961ecd5d0e1d6ee856ab532e8c16c65d)

Conflicts:
	docs/content/administration/config-cheat-sheet.en-us.md
	docs do not exist here in Forgejo
(cherry picked from commit d6e454c320)
(cherry picked from commit 7d5ac68bc45d21464aa02f186ea36b62338d3585)
2024-05-29 13:44:21 +02:00