Commit graph

1429 commits

Author SHA1 Message Date
Gusted
16419b6fc3
fix: disallow basic authorization when security keys are enrolled
- This unifies the security behavior of enrolling security keys with
enrolling TOTP as a 2FA method. When TOTP is enrolled, you cannot use
basic authorization (user:password) to make API requests on behalf of the
user; this is now also the case when you enroll security keys.
- The usage of access tokens is the only method to make API requests on
behalf of the user when a 2FA method is enrolled for the user.
- Integration test added.

(cherry picked from commit e6bbecb02d)
2024-11-15 12:02:14 +01:00
Gusted
b770282d45
fix: extend forgejo_auth_token table
- Add a `purpose` column; this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensures they are
invalidated after their usage by deleting them from the database; this
also should help make auditing of the security code easier, as we're
no longer trying to stuff a lot of data into an HMAC construction.
- Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.

(cherry picked from commit 1ce33aa38d)

v7: Removed migration - XORM can handle this case automatically without migration.

assert.Equal(t, `doesnotexist@example.com`, msgs[0].To) in tests
because v7 does not include the user name in the recipient.
2024-11-15 12:02:14 +01:00
Gusted
5b53a150c0
Improve usage of HMAC output for mailer tokens
- If the incoming mail feature is enabled, tokens are being sent with
outgoing mails. These tokens contain information about what type of
action is allowed with such a token (such as replying to a certain issue
ID); to verify these tokens the code uses the HMAC-SHA256 construction.
- The output of the HMAC is truncated to 80 bits, because this is
recommended by RFC2104, but RFC2104 actually doesn't recommend this. It
recommends, if truncation should need to take place, it should use
max(80, hash_len/2) of the leftmost bits. For HMAC-SHA256 this works out
to 128 bits instead of the currently used 80 bits.
- Update to token version 2 and disallow any usage of token version 1;
version 2 tokens are generated with 128 bits of HMAC output.
- Add test to verify the deprecation of token version 1 and a general
MAC check test.

(cherry picked from commit 9508aa7713)
2024-11-15 12:02:09 +01:00
Gusted
5488ec7d96
security: add permission check to 'delete branch after merge'
- Add a permission check that the doer has write permissions to the head
repository if 'delete branch after merge' is enabled when
merging a pull request.
- Unify the checks in the web and API router to `DeleteBranchAfterMerge`.
- Added integration tests.

(cherry picked from commit 266e0b2ce9)

Conflicts:
	tests/integration/pull_merge_test.go
  trivial context conflict
2024-10-28 06:32:10 +01:00
Gusted
ce10ec2878 [SEC] Ensure propagation of API scopes for Conan and Container authentication
- The Conan and Container packages use a different type of
authentication. It first authenticates via the regular way (api tokens
or user:password, handled via `auth.Basic`) and then generates a JWT
token that is used by the package software (such as Docker) to do the
action they wanted to do. This JWT token didn't properly propagate the
API scopes that the token was generated for, and thus could lead to a
'scope escalation' within the Conan and Container packages, read
access to write access.
- Store the API scope in the JWT token, so it can be propagated on
subsequent calls that use that JWT token.
- Integration test added.
- Resolves #5128

(cherry picked from commit 5a871f6095)
2024-08-28 08:44:58 +00:00
Otto Richter
402cf29da6 fix: correct doctor commands and rename to forgejo
The syntax is `doctor check --run`, see https://forgejo.org/docs/latest/admin/command-line/#doctor

(cherry picked from commit 94af0e53e5)
2024-08-27 01:44:00 +00:00
Zoupers Zou
8e8a07cc15
Fix #31185 try fix lfs download from bitbucket failed (#31201)
Fix #31185

(cherry picked from commit e25d6960b5749fbf7f88ebb6b27878c0459817da)
(cherry picked from commit baad8337f9)
2024-08-18 07:01:03 +02:00
Michael Kriese
7e847ad879 fix(agit): run full pr checks on force-push
(cherry picked from commit 2d05e922a2)
2024-08-13 18:26:33 +00:00
TheFox0x7
072dd9f8bc enable linter testifylint on v7 (#4572)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4572
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-committed-by: TheFox0x7 <thefox0x7@gmail.com>
2024-07-30 19:42:06 +00:00
yonas
24ea13a684 Replace Gitea with Forgejo
(cherry picked from commit 9ad23f9ede)
2024-07-24 21:40:48 +00:00
Twenty Panda
14b37bb607 fix(actions): no edited event triggered when a title is changed
When the title of an issue or a pull request is changed, the edited
event must be triggered, in the same way it is when the body of the
description is changed.

The web endpoints and the API endpoints for both pull requests and
issues rely on issue_service.ChangeTitle which calls
notify_service.IssueChangeTitle.

(cherry picked from commit f6000c3760)
2024-07-22 11:46:38 +00:00
0ko
15dd004f43 [v7] i18n(*): freeze translations of register_notify
This string has been in v9 (c773ca37ad) and now includes a template for app name instead of hardcoded software name.
v7 and v8 do not expect this string to have any templates. Prevent breaking translations by backports by freezing translations of this string for v7 and v8.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4562
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
(cherry picked from commit f07d1aed2e)
2024-07-18 12:57:01 +05:00
wxiaoguang
5464e37673
Use old behavior for telegram webhook (#31588)
Fix #31182

(cherry picked from commit 43c63c33aea1b0725ed1fe7b4a55dd85050f0beb)
2024-07-14 20:20:53 +02:00
Lunny Xiao
e953bce5d7 fix(repository): git push to an adopted repository fails
Fix adopt repository has empty object name in database (#31333)

Fix #31330
Fix #31311

A workaround to fix the old database is to update object_format_name to
`sha1` if it's empty or null.

(cherry picked from commit 1968c2222dcf47ebd1697afb4e79a81e74702d31)

With tests services/repository/adopt_test.go

(cherry picked from commit 8efef06fb1)
2024-06-16 18:15:02 +00:00
Earl Warren
e17e243624 Merge pull request '[v7.0/forgejo] test(oauth): coverage for the redirection of a denied grant' (#4029) from bp-v7.0/forgejo-32c882a into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4029
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-06-05 17:17:29 +00:00
Zettat123
d841e95191
Return access_denied error when an OAuth2 request is denied (#30974)
According to [RFC
6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1),
when the resource owner or authorization server denies a request, an
`access_denied` error should be returned. But currently in this case
Gitea does not return any error.

For example, if the user clicks "Cancel" here, an `access_denied` error
should be returned.

<img width="360px"
src="https://github.com/go-gitea/gitea/assets/15528715/be31c09b-4c0a-4701-b7a4-f54b8fe3a6c5"
/>

(cherry picked from commit f1d9f18d96050d89a4085c961f572f07b1e653d1)
(cherry picked from commit 886a675f62)
2024-06-05 17:19:22 +02:00
Earl Warren
cf2d8b57ae
test(avatar): deleting a user avatar is idempotent
If the avatar file in storage does not exist, it is not an error and
the database can be updated.

See 1be797faba Fix bug on avatar

(cherry picked from commit d2c4d833f4)
2024-06-05 16:02:24 +02:00
Lunny Xiao
32d8ada0e7
Fix bug on avatar (#31008)
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 58a03e9fadb345de5653345c2a68ecfd0750940a)
(cherry picked from commit 1be797faba)
2024-06-05 08:04:10 +02:00
Earl Warren
3ba58114c7 test(avatar): deleting a user avatar and file is atomic
The avatar must not be unset in the database if there is a failure to
remove the avatar file from storage (file or S3). The two operations
are wrapped in a transaction for that purpose and this test verifies
it is effective.

See 1be797faba Fix bug on avatar

(cherry picked from commit c139efb1e9)
2024-06-04 22:39:38 +00:00
Lunny Xiao
d462b6d495
Fix push multiple branches error with tests (#31151)
(cherry picked from commit 5c1b550e00e9460078e00c41a32d206b260ef482)

Conflicts:
	tests/integration/git_push_test.go
	trivial context conflict because of
	2ac3dcbd43 test: hook post-receive for sha256 repos
(cherry picked from commit 62448bfb93)
(cherry picked from commit e8c776c79384c1c0a4d707ce5084b27347703848)
2024-06-03 09:47:51 +02:00
Earl Warren
2df082393e
fix(hook): repo admins are wrongly denied the right to force merge
The right to force merge uses the wrong predicate and
applies to instance admins:

  ctx.user.IsAdmin

It must apply to repository admins and use the following predicate:

 ctx.userPerm.IsAdmin()

This regression is from the ApplyToAdmins implementation in
79b7089360.

Fixes: https://codeberg.org/forgejo/forgejo/issues/3780
(cherry picked from commit 09f3518069)
2024-06-02 22:05:16 +02:00
Earl Warren
d900842fd7 test(mock): DeletePushMirrors & AddPushMirrorRemote
make them into variables that can be mocked

(cherry picked from commit 5747951cc7)
2024-06-02 15:45:31 +00:00
Gergely Nagy
acbd44a186 migrations: Map non-existent external users to Ghost
When performing migrations, and need to remap external users to local
ones, when no local mapping is possible, map the external user to Ghost,
rather than the user who initiated the migration.

Mapping the external user to the migration initiator has the potential
of breaking assumptions elsewhere, like only having one review per pull
request per user. Mapping these migrated, locally unavailable users to
Ghost makes sure these - often hidden - assumptions do not break.

Fixes #3860.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit ade7304eea)
2024-05-28 16:44:23 +00:00
oliverpool
8f99d82cf2 mysql: use inner join for hook_task deletion
Attempt to fix #3678

(cherry picked from commit 4ffda656e8)
2024-05-24 12:46:33 +00:00
oliverpool
cef84d7abf test: check hook_task deletion
move test to integration to ensure Sqlite + MySQL testing

(cherry picked from commit bb165fadf6)
2024-05-24 12:46:33 +00:00
oliverpool
1c99c289f6 refactor: sourcehut_builds ignore unused fields
(cherry picked from commit 1f6f909b2e)
2024-05-24 00:26:19 +00:00
oliverpool
287253ff7d fix: sourcehut_builds preserve unused fields
Fix #3820

(cherry picked from commit c9f38e2813)
2024-05-24 00:26:19 +00:00
oliverpool
855f95f7a2 test: sourcehut_builds trigger
(cherry picked from commit 7b47cb43c1)
2024-05-24 00:26:19 +00:00
Earl Warren
4ecbb2ef1b Merge pull request '[gitea] week 2024-20-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#3772) from earl-warren/wcp/2024-20-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3772
Reviewed-by: Beowulf <beowulf@noreply.codeberg.org>
2024-05-16 15:36:08 +00:00
oliverpool
3f9f6f1350 fix: hook post-receive for sha256 repos
(cherry picked from commit 5e73c67d67)
2024-05-15 21:08:15 +00:00
yp05327
37fc6cdaf6
Fix incorrect default branch when adopt a repository (#30912) (#30928)
Backport #30912

ps: removed useless `u *user_model.User` for `adoptRepository`
(cherry picked from commit 2200c41ffd7dc84faa1de61941603af11b3412f2)
2024-05-14 16:09:33 +02:00
Zettat123
65529bd334
Update issue indexer after merging a PR (#30715)
Fix #30684

(cherry picked from commit f09e68ec33262d5356779572a0b1c66e6e86590f)

Conflicts:
	tests/integration/pull_merge_test.go
	trivial context conflict
(cherry picked from commit 8f0f6bf89c)

(cherry picked from commit df5513978a630355a28b6b42fcc63fe5d70652d8)
2024-05-14 16:00:57 +02:00
Lunny Xiao
7e81775184
Move database operations of merging a pull request to post receive hook and add a transaction (#30805)
Merging PR may fail because of various problems. The pull request may
have a dirty state because there is no transaction when merging a pull
request. ref
https://github.com/go-gitea/gitea/pull/25741#issuecomment-2074126393

This PR moves all database update operations to the post-receive handler for
merging a pull request and wraps them in a database transaction. That means if
database operations fail, then the git merge will fail, and the git client
will get a failure result.

There are already many tests for pull request merging, so we don't need
to add a new one.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit ebf0c969403d91ed80745ff5bd7dfbdb08174fc7)

Conflicts:
	modules/private/hook.go
	routers/private/hook_post_receive.go
	trivial conflicts because
	  263a716cb5 * Performance optimization for git push (#30104)
	was not cherry-picked and because of
	  998a431747 Do not update PRs based on events that happened before they existed
(cherry picked from commit eb792d9f8a)

(cherry picked from commit ec3f5f9992d7ff8250c044a4467524d53bd50210)
2024-05-14 15:37:32 +02:00
Giteabot
220594bacc
Make "sync branch" also sync object format and add tests (#30878) (#30880)
Backport #30878 by wxiaoguang

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit ad5a8d043c6818c0c496ebae2f5ea9373219bcd6)
2024-05-14 15:28:38 +02:00
Beowulf
1f08add260
Replace reply with a forked version to fix the cut-off of the incoming mail text (#3747)
replace reply with Forgejo's forked version

If plain text is selected as the message format in e.g. Apple Mail, the inline attachments are no longer at the end of the mail, but instead directly where they are in the mail. When parsing the mail, these inline attachments are replaced by "--". The new reply version no longer cuts the text at the first "--".

Tests for this are present in reply (7dc5750c6d).

Fixes https://codeberg.org/forgejo/forgejo/issues/3496#issuecomment-1798416

---

Additionally, I reduced the allocations for the inline attachments.
2024-05-13 23:51:40 +02:00
Giteabot
f30c648037
Ignore useless error message "broken pipe" (#30801) (#30842)
Backport #30801 by wxiaoguang

Fix #30792

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit ab2ef1ae49bc5e81d0debac85aee687a64fde8b3)
2024-05-07 08:15:36 +01:00
varp0n
c91f7d3599 FIX gogs migration if gogs is hosted at a subpath (#3572)
Also add a test for GogsDownloaderFactory.New() to make sure
that the URL of the source repository is parsed correctly.

When the source gogs instance is hosted at a subpath like `https://git.example.com/gogs/<username>/<reponame>` the migration fails.
This PR fixes that.

Co-authored-by: hecker <tomas.hecker@gmail.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3572
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: varp0n <tom@gkstn.de>
Co-committed-by: varp0n <tom@gkstn.de>
(cherry picked from commit 4a2959b3ec)
2024-05-01 16:32:17 +00:00
forgejo-backport-action
50b7009603 [v7.0/forgejo] Add inline attachments to comments and prevent double handling of mails (#3566)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/3504

If incoming email is configured and an email is sent, inline attachments are currently not added to the comment if it has the `Content-Disposition: inline` instead of `Content-Disposition: attachment` as e.g. with Apple Mail.

This adds inline attachments (`Content-Disposition: inline`) that *have a filename* as attachment to the comment. Other elements with `Content-Disposition: inline` are not attached as attachment to the comment.

In addition, a check has been added to prevent mails from being processed twice.

Fixes #3496

Co-authored-by: Beowulf <beowulf@beocode.eu>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3566
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2024-05-01 12:19:38 +00:00
Gergely Nagy
275f5326a1 Performance improvement for FindReposLastestCommitStatuses
If `commitstatus_service.FindReposLastestCommitStatuses` receives no
repos in its params, short-circuit, and return early, without performing
any potentially expensive work.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 33cd8446d3)
2024-05-01 05:36:50 +00:00
Earl Warren
cfbc52921e Merge pull request '[v7.0/forgejo] fix: webhook: send short ref on gitea create/delete payload' (#3560) from bp-v7.0/forgejo-0d3a9e6-cb0f361 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3560
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-04-30 12:51:43 +00:00
oliverpool
e97ffdae6f webhook: send short ref on gitea create/delete payload
(cherry picked from commit 0d3a9e6491)
2024-04-30 09:12:11 +00:00
oliverpool
67647d5f39 test: webhook gitea tag creation ref
(cherry picked from commit cb0f361171)
2024-04-30 09:12:10 +00:00
oliverpool
b15d2a6bc7 webhook: fix getPayloadBranch
(cherry picked from commit df06904f4a)
2024-04-30 08:17:11 +00:00
oliverpool
cd77a78a93 test: webhook fix branch filter tests
(cherry picked from commit 79380c209d)
2024-04-30 08:17:10 +00:00
oliverpool
a7570ce5ac test: LFS gc should not delete all metadata objects
and ComputeBlobHash should depend on the blob content (not only the
length)

(cherry picked from commit 3dfa5ba43a)
2024-04-26 10:27:01 +00:00
Gergely Nagy
9860af7f39 services/convert: Convert a Repository's ObjectFormatName too
When converting a `repo_model.Repository` to `api.Repository`, copy the
`ObjectFormatName` field too.

Fixes #3458.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit 2385f3c9db)
2024-04-26 08:55:40 +00:00
Earl Warren
f58e0d8617 fix(incoming): allow replies to comments
- allow attachments to code comments
- incoming mails from issue comments are now identified as comments

Fixes: https://codeberg.org/forgejo/forgejo/issues/3374
(cherry picked from commit 54285319f6)
2024-04-22 22:43:16 +00:00
0ko
c7ba51518c s/Gitea/Forgejo in various log messages and comments
(cherry picked from commit 469c214ec8)
2024-04-22 14:41:17 +00:00
yp05327
0a9bbdcfef
Use action user as the trigger user of schedules (#30581)
Follow https://github.com/go-gitea/gitea/pull/30357

When a user pushes to the default branch, the schedule trigger user will be the
user.
When action units are disabled and then enabled in settings, the schedule trigger
user will be the action user.
When the repo is a mirror, the schedule trigger user will be the action user. (
before, it would return an error; fixed by #30357)

As a scheduled job is a cron job, the trigger user should be the action user from
Gitea, not a real user.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
(cherry picked from commit cb6814adad4dc81a683b50826a211ce7bce731d7)

Conflicts:
	- services/actions/notifier_helper.go
	  Conflict resolved by keeping Forgejo's version of the line.
(cherry picked from commit 829c3c6838)
2024-04-21 18:17:35 +02:00
Giteabot
f436cb86d4
Fix branch_protection api shows users/teams who have no readAccess (#30291) (#30544)
Backport #30291 by @edwardzhanged

Add some logic in `convert.ToBranchProtection` to return only the names
associated with readAccess instead of returning all names. This will
ensure consistency in behavior between the frontend and backend.
Fixes: #27694

Co-authored-by: Edward Zhang <45360012+edwardzhanged@users.noreply.github.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-authored-by: wenzhuo.zhang <wenzhuo.zhang@geely.com>
(cherry picked from commit d88958bb99eabc07dead6965e396755e7b6d947f)
2024-04-21 18:10:34 +02:00