21173 commits

This branch

This branch

All branches

Author	SHA1	Message	Date
Earl Warren	6569f1f25f	Merge pull request '[v9.0/forgejo] fix: 15 November 2024 security fixes batch' (#5975) from earl-warren/forgejo:wip-v9.0-security-15-11 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5975 Reviewed-by: Otto <otto@codeberg.org>	2024-11-15 11:57:38 +00:00
Earl Warren	2f72bec100	[v9.0/forgejo] chore(release-notes): 15 November 2024 security fixes	2024-11-15 11:46:38 +01:00
Gusted	42f3644409	fix: disallow basic authorization when security keys are enrolled ... - This unifies the security behavior of enrolling security keys with enrolling TOTP as a 2FA method. When TOTP is enrolled, you cannot use basic authorization (user:password) to make API request on behalf of the user, this is now also the case when you enroll security keys. - The usage of access tokens are the only method to make API requests on behalf of the user when a 2FA method is enrolled for the user. - Integration test added. (cherry picked from commit e6bbecb02d)	2024-11-15 11:33:45 +01:00
Gusted	1770117178	fix: extend forgejo_auth_token table ... - Add a `purpose` column, this allows the `forgejo_auth_token` table to be used by other parts of Forgejo, while still enjoying the no-compromise architecture. - Remove the 'roll your own crypto' time limited code functions and migrate them to the `forgejo_auth_token` table. This migration ensures generated codes can only be used for their purpose and ensure they are invalidated after their usage by deleting it from the database, this also should help making auditing of the security code easier, as we're no longer trying to stuff a lot of data into a HMAC construction. -Helper functions are rewritten to ensure a safe-by-design approach to these tokens. - Add the `forgejo_auth_token` to dbconsistency doctor and add it to the `deleteUser` function. - TODO: Add cron job to delete expired authorization tokens. - Unit and integration tests added. (cherry picked from commit 1ce33aa38d) v9: Removed migration - XORM can handle this case automatically without migration. Add `DEFAULT 'long_term_authorization'`.	2024-11-15 11:33:17 +01:00
Gusted	1379914c45	Improve usage of HMAC output for mailer tokens ... - If the incoming mail feature is enabled, tokens are being sent with outgoing mails. These tokens contains information about what type of action is allow with such token (such as replying to a certain issue ID), to verify these tokens the code uses the HMAC-SHA256 construction. - The output of the HMAC is truncated to 80 bits, because this is recommended by RFC2104, but RFC2104 actually doesn't recommend this. It recommends, if truncation should need to take place, it should use max(80, hash_len/2) of the leftmost bits. For HMAC-SHA256 this works out to 128 bits instead of the currently used 80 bits. - Update to token version 2 and disallow any usage of token version 1, token version 2 are generated with 128 bits of HMAC output. - Add test to verify the deprecation of token version 1 and a general MAC check test. (cherry picked from commit 9508aa7713)	2024-11-15 11:33:08 +01:00
Gusted	254bded75e	fix: strict matching of allowed content for sanitizer ... - _Simply_ add `^$` to regexp that didn't had it yet, this avoids any content being allowed that simply had the allowed content as a substring. - Fix file-preview regex to have `$` instead of `*`. (cherry picked from commit 7067cc7da4) v9: added fix for ref-issue, this is already fixed in forgejo branch but not backported as it was part of a feature.	2024-11-15 11:32:51 +01:00
Gusted	a88e3e6ac0	fix: anomynous users code search for private/limited user's repository ... - Consider private/limited users in the `AccessibleRepositoryCondition` query, previously this only considered private/limited organization. This limits the ability for anomynous users to do code search on private/limited user's repository - Unit test added. (cherry picked from commit b70196653f)	2024-11-15 11:32:38 +01:00
Gusted	6c75d1a504	fix: require code permissions for branch feed ... - The RSS and atom feed for branches exposes details about the code, it therefore should be guarded by the requirement that the doer has access to the code of that repository. - Added integration testing. (cherry picked from commit 3e3ef76808)	2024-11-15 11:32:24 +01:00
Gusted	36300be94e	fix: don't show private forks in forks list ... - If a repository is forked to a private or limited user/organization, the fork should not be visible in the list of forks depending on the doer requesting the list of forks. - Added integration testing for web and API route. (cherry picked from commit 061abe6004)	2024-11-15 11:32:09 +01:00
Gusted	c8c8377acb	fix: add ID check for updating push mirror interval ... - Ensure that the specified push mirror ID belongs to the requested repository, otherwise it is possible to modify the intervals of the push mirrors that do not belong to the requested repository. - Integration test added. (cherry picked from commit 786dfc7fb8)	2024-11-15 11:31:28 +01:00
Earl Warren	fd4a68b4de	Merge pull request '[v9.0/forgejo] chore(ci): ROLE forgejo-coding & forgejo-testing' (#5952) from earl-warren/forgejo:wip-v9.0-testing-only into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5952 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Reviewed-by: Michael Kriese <michael.kriese@gmx.de>	2024-11-14 11:28:49 +00:00
Earl Warren	78f69040fc	chore(ci): ROLE forgejo-coding & forgejo-testing (part two) ... When the CI vars.ROLE is forgejo-coding, it is assumed to be the repository where collaborative coding happens, i.e. https://codeberg.org/forgejo/forgejo When the CI vars.ROLE is forgejo-testing, it is assumed that only codebase testing is to be run and no other tests such as release build integration, label constraints, backporting etc. (cherry picked from commit 068558accd) Conflicts: .forgejo/workflows/testing.yml was in .forgejo/workflows/e2e.yml	2024-11-14 10:12:36 +01:00
Earl Warren	3465f73e2c	chore(ci): ROLE forgejo-coding & forgejo-testing ... When the CI vars.ROLE is forgejo-coding, it is assumed to be the repository where collaborative coding happens, i.e. https://codeberg.org/forgejo/forgejo When the CI vars.ROLE is forgejo-testing, it is assumed that only codebase testing is to be run and no other tests such as release build integration, label constraints, backporting etc. (cherry picked from commit f82840f1ea) Conflicts: .forgejo/workflows/merge-requirements.yml	2024-11-14 10:09:44 +01:00
Otto	86496d701d	Merge pull request '[v9.0/forgejo] fix: handle renamed dependency for cargo registry' (#5945) from bp-v9.0/forgejo-bb93d3e into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5945 Reviewed-by: Gusted <gusted@noreply.codeberg.org>	2024-11-13 23:13:42 +00:00
Gusted	de389f2ecc	fix: handle renamed dependency for cargo registery ... - When a dependency is renamed, specified via `package="actual-name"` in Cargo.toml, this should become the name of the depedency when the package is retrieved from the registery by cargo and the old name should be available in the `package` field. - The reference implementation also does this: 490e66a9d6/src/controllers/krate/publish.rs (L702-L705) - Resolves #5936 - Unit test added. (cherry picked from commit bb93d3e6c8)	2024-11-13 22:56:30 +00:00
Earl Warren	e43533cd1b	Merge pull request '[v9.0/forgejo] chore(release): also copy the release to code.forgejo.org' (#5937) from bp-v9.0/forgejo-7492330 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5937 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>	2024-11-13 18:33:57 +00:00
Earl Warren	2a78dba95b	chore(ci): trigger a mirror when a release is publish ... Notify https://code.forgejo.org/forgejo/forgejo that a new release was published by setting the trigger label to https://code.forgejo.org/forgejo/forgejo/issues/5. It is only ever useful when a stable release is published, the experimental releases are not mirrored. But it is triggered in all cases. This will waste a few mirror check daily, when experimental releases are built. This is an improvement compared to the current situation where mirrors are checked hourly: * Instead of being checked 24 times per day it will be down to less than 5 * The mirror happens immediately after the release is published instead of waiting for the next run of the cron job. If a mirror operation is in progress, as evidenced by the presence of the trigger label on the issure, it means two releases are being published. Wait up to 1h for the mirror to complete and remove the trigger label. (cherry picked from commit 7492330721)	2024-11-13 16:53:43 +00:00
Earl Warren	e9cd753b98	Merge pull request '[v9.0/forgejo] fix(ci): synchronize updates the commit status asynchronously' (#5926) from bp-v9.0/forgejo-983aed4 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5926 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>	2024-11-12 12:33:20 +00:00
Earl Warren	dac13b7fc3	fix(ci): synchronize updates the commit status asynchronously ... When a new commit is pushed to an existing pull request, the update of the commit status will happen asynchronously, via the git hook. --- FAIL: TestPullRequestCommitStatus/synchronize (2.14s) actions_trigger_test.go:331: Error Trace: /workspace/forgejo/forgejo/tests/integration/actions_trigger_test.go:331 Error: Should be true Test: TestPullRequestCommitStatus/synchronize (cherry picked from commit 983aed4268)	2024-11-12 11:53:06 +00:00
Otto	0db515dfec	Merge pull request '[v9.0/forgejo] fix: Move forgot_password-link to fix login tab order' (#5887) from fnetx/bp-5838 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5887 Reviewed-by: Gusted <gusted@noreply.codeberg.org>	2024-11-10 13:41:51 +00:00
Gusted	336ccf45c8	Merge pull request '[v9.0/forgejo] fix(ui): Details icon in repo settings sidebar' (#5891) from bp-v9.0/forgejo-5932b86 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5891 Reviewed-by: Otto <otto@codeberg.org> Reviewed-by: Gusted <gusted@noreply.codeberg.org>	2024-11-10 12:54:50 +00:00
Otto Richter	70aefc810c	fix(ui): Details icon in repo settings sidebar ... Consistent classes between both details/summary constructs in the sidebar, ensuring they have the same style. (cherry picked from commit 5932b86af4)	2024-11-10 02:13:45 +00:00
MrSmoer	6025b93664	Remove unused css class "form-field-content-aside-label" ... This css class was used to display the "forgot password"-link right and above the password field. cd75519a0b moves this link, so this class is now unused	2024-11-10 02:24:58 +01:00
MrSmoer	e823122f19	fix: Move "forgot_password"-link to fix login tab order ... Previously hitting tab in the username field set the focus to the "forgot password" link. Only on the next hit the password field was selected. This is an issue for some password managers (keepassdx android keyboard) and not as nice for accessibility. Now the forgot link is below the sign up link at the bottom of the page. Using "tabindex" didn't work properly with the templating engine because many elements get assigned a tabindex of "0" by default disrupting the tab selection sequence.	2024-11-10 02:24:58 +01:00
Gusted	ef9df01cd2	Merge pull request '[v9.0/forgejo] [THEME] Copy ansi terminal colours from gitea to forgejo themes' (#5882) from bp-v9.0/forgejo-e58d5d4 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5882 Reviewed-by: Gusted <gusted@noreply.codeberg.org>	2024-11-09 22:40:07 +00:00
Ragnar Groot Koerkamp	2e114bcaa0	[THEME] Copy ansi terminal colours from gitea to forgejo themes ... (cherry picked from commit e58d5d46c1)	2024-11-09 21:57:08 +00:00
Gusted	91a12abdaf	Merge pull request '[v9.0/forgejo] [PORT] Fix code owners will not be mentioned when a pull request comes from a forked repository (gitea#30476)' (#5879) from bp-v9.0/forgejo-2efc1f5-536e192 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5879 Reviewed-by: Gusted <gusted@noreply.codeberg.org>	2024-11-09 19:21:37 +00:00
Gusted	79bc6e8c35	chore: add extra integration test ... (cherry picked from commit 536e1923b4)	2024-11-09 18:43:38 +00:00
Lunny Xiao	770fa89dc8	[PORT] Fix code owners will not be mentioned when a pull request comes from a forked repository (gitea#30476) ... Fix #30277 Caused by #29783 --- - Resolves #5842 - Regression from #2855 (cherry picked from commit c63060b130d34e3f03f28f4dccbf04d381a95c17) (cherry picked from commit 2efc1f5686)	2024-11-09 18:43:37 +00:00
Earl Warren	9a7b0c3f02	Merge pull request '[v9.0/forgejo] bug: require.Eventually must not test with assert' (#5870) from bp-v9.0/forgejo-2541a94 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5870 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>	2024-11-09 00:39:12 +00:00
Earl Warren	8c51053739	bug: require.Eventually must not test with assert ... Otherwise it fails the test instead of retrying if the condition fails at least once. (cherry picked from commit 2541a943ce)	2024-11-08 23:42:01 +00:00
Otto	3a4612cb2b	Merge pull request '[v9.0/forgejo] chore(renovate): only run if renovate workflow changed' (#5861) from bp-v9.0/forgejo-2eeb2fc into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5861 Reviewed-by: Michael Kriese <michael.kriese@gmx.de>	2024-11-08 12:58:13 +00:00
Michael Kriese	c0113bfbbe	chore(renovate): only run if renovate workflow changed ... (cherry picked from commit 2eeb2fcd35)	2024-11-08 12:43:09 +00:00
Renovate Bot	08396d566b	Update dependency happy-dom to v15.10.2 [SECURITY] (v9.0/forgejo) (#5854) ... Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org> Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>	2024-11-08 06:39:14 +00:00
Otto	66b6917923	Merge pull request '[v9.0/forgejo] fix: issue labels are not set after deleting one label' (#5844) from bp-v9.0/forgejo-db899c1-f06bdb0 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5844 Reviewed-by: Otto <otto@codeberg.org>	2024-11-07 11:22:14 +00:00
Earl Warren	397b3cf88f	chore(refactor): split ReloadLabels out of LoadLabels in issue model ... Functions modifying the labels in the database (DeleteIssueLabel, NewIssueLabels, NewIssueLabel, ReplaceIssueLabels) need to force reload them. Instead of: issue.isLabelsLoaded = false issue.Labels = nil if err = issue.LoadLabels(ctx); err != nil { return err } They can now use: if err = issue.ReloadLabels(ctx); err != nil { return err } (cherry picked from commit f06bdb0552)	2024-11-07 10:38:36 +00:00
Earl Warren	bcb72df356	fix: issue labels are not set after deleting one label ... Because issue.isLabelsLoaded = false is missing, LoadLabels is a noop and the issue.Labels is nil. (cherry picked from commit db899c19d8)	2024-11-07 10:38:36 +00:00
Earl Warren	ed2d5f6b73	Merge pull request '[v9.0/forgejo] fix: labels are missing in the pull request payload removing a label' (#5834) from bp-v9.0/forgejo-c801838 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5834 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>	2024-11-07 08:03:00 +00:00
Earl Warren	eda6b436dc	fix: labels are missing in the pull request payload removing a label ... When ReplaceIssueLabels calls issue.LoadLabels it was a noop because issue.isLabelsLoaded is still set to true because of the call to issue.LoadLabels that was done at the beginning of the function. (cherry picked from commit c801838690)	2024-11-06 17:38:04 +00:00
Earl Warren	09a35a7cb8	Merge pull request '[v9.0/forgejo] Add label to Forgejo Actions PR labeled/unlabeled events and update the commit status' (#5810) from bp-v9.0/forgejo-58e3c1f-66c85b7-f56fc51 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5810 Reviewed-by: Otto <otto@codeberg.org>	2024-11-06 16:13:39 +00:00
Otto	a68a37f59c	Merge pull request '[v9.0/forgejo] chore(ci): deprecate legacy infrastructure supporting v*.next' (#5823) from bp-v9.0/forgejo-ece87d0 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5823 Reviewed-by: Otto <otto@codeberg.org>	2024-11-05 22:30:44 +00:00
Earl Warren	2b86ff6768	chore(ci): deprecate legacy infrastructure supporting v*.next ... https://code.forgejo.org/infrastructure/k8s/ was replaced with https://code.forgejo.org/infrastructure/k8s-cluster/ (cherry picked from commit ece87d0569)	2024-11-05 21:43:31 +00:00
Earl Warren	8a65c4d28d	chore(release-notes): related pull requests workflow fixes ... (cherry picked from commit f56fc51c74)	2024-11-04 14:10:27 +00:00
Earl Warren	d624a5edd6	fix: Actions PR workflows must update the commit status ... When a workflow has on: pull_request: types: - labeled - unlabeled The outcome of the workflow (success or failure) must be associated with the head sha commit status. Otherwise it cannot be used as a requirement for merging the pull request (branch protections). (cherry picked from commit 66c85b7d8b)	2024-11-04 14:10:27 +00:00
Earl Warren	11f71dcb09	fix: add label to issues and PR labeled/unlabeled events ... When a workflow has on: pull_request: types: - labeled - unlabeled The payload misses the label field describing the added or removed label. The unlabeled event type was also incorrectly mapped to the labeled event type. (cherry picked from commit 58e3c1fbdb)	2024-11-04 14:10:27 +00:00
Earl Warren	7ec30b6ee9	Merge pull request '[v9.0/forgejo] chore(ci): notify the k8s cluster about experimental releases' (#5807) from earl-warren/forgejo:wip-v9.0-next-digest into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5807 Reviewed-by: Michael Kriese <michael.kriese@gmx.de>	2024-11-04 13:52:05 +00:00
Earl Warren	13a5d9f3af	[v9.0/forgejo] chore(ci): notify the k8s cluster about experimental releases ... This is in preparation of the migration of the v*.next.forgejo.org instances currently managed at https://code.forgejo.org/infrastructure/k8s The key difference is that the former system relies on ad-hoc scripts and creates one k8s cluster for each instance, sharing nothing between them. The newer k8s cluster is used for all and requires significantly less ad-hoc tooling. See also: * https://code.forgejo.org/infrastructure/next-digest * https://code.forgejo.org/infrastructure/k8s-cluster/src/branch/main/k8s.md#updating-v-next-forgejo-org (cherry picked from commit dab156b452)	2024-11-04 14:30:53 +01:00
Gusted	a429dbad98	Merge pull request '[v9.0/forgejo] fix: support www.github.com for migrations' (#5800) from bp-v9.0/forgejo-284ffe4 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5800 Reviewed-by: Michael Kriese <michael.kriese@gmx.de>	2024-11-03 18:21:04 +00:00
Michael Kriese	0c0fd333f3	fix: support www.github.com for migrations ... (cherry picked from commit 284ffe4e00)	2024-11-03 17:28:30 +00:00
Earl Warren	d96cef1ac4	Merge pull request '[v9.0/forgejo] fix: reset history.scrollRestoration if set to manual and no issue anchor in url' (#5753) from bp-v9.0/forgejo-ec4a0e1 into v9.0/forgejo ... Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5753 Reviewed-by: Otto <otto@codeberg.org> Reviewed-by: Michael Kriese <michael.kriese@gmx.de>	2024-11-01 10:10:25 +00:00