Commit graph

21174 commits

Author SHA1 Message Date
Gusted
90e05e7d52 bug: correctly generate oauth2 jwt signing key
- When RS256, RS384, ES384, ES512 were specified as the JWT signing
algorithm they would generate RS512 and ES256 respectively.
- Added unit test.

(cherry picked from commit 7d59060dc6)
2024-11-16 17:07:01 +00:00
Earl Warren
6569f1f25f Merge pull request '[v9.0/forgejo] fix: 15 November 2024 security fixes batch' (#5975) from earl-warren/forgejo:wip-v9.0-security-15-11 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5975
Reviewed-by: Otto <otto@codeberg.org>
2024-11-15 11:57:38 +00:00
Earl Warren
2f72bec100
[v9.0/forgejo] chore(release-notes): 15 November 2024 security fixes 2024-11-15 11:46:38 +01:00
Gusted
42f3644409
fix: disallow basic authorization when security keys are enrolled
- This unifies the security behavior of enrolling security keys with
enrolling TOTP as a 2FA method. When TOTP is enrolled, you cannot use
basic authorization (user:password) to make API requests on behalf of the
user, this is now also the case when you enroll security keys.
- The usage of access tokens is the only method to make API requests on
behalf of the user when a 2FA method is enrolled for the user.
- Integration test added.

(cherry picked from commit e6bbecb02d)
2024-11-15 11:33:45 +01:00
Gusted
1770117178
fix: extend forgejo_auth_token table
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
should also help make auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
- Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.

(cherry picked from commit 1ce33aa38d)

v9: Removed migration - XORM can handle this case automatically without
migration. Add `DEFAULT 'long_term_authorization'`.
2024-11-15 11:33:17 +01:00
Gusted
1379914c45
Improve usage of HMAC output for mailer tokens
- If the incoming mail feature is enabled, tokens are being sent with
outgoing mails. These tokens contain information about what type of
action is allowed with such a token (such as replying to a certain issue
ID), to verify these tokens the code uses the HMAC-SHA256 construction.
- The output of the HMAC is truncated to 80 bits, because this is
recommended by RFC2104, but RFC2104 actually doesn't recommend this. It
recommends, if truncation should need to take place, it should use
max(80, hash_len/2) of the leftmost bits. For HMAC-SHA256 this works out
to 128 bits instead of the currently used 80 bits.
- Update to token version 2 and disallow any usage of token version 1,
token version 2 are generated with 128 bits of HMAC output.
- Add test to verify the deprecation of token version 1 and a general
MAC check test.

(cherry picked from commit 9508aa7713)
2024-11-15 11:33:08 +01:00
Gusted
254bded75e
fix: strict matching of allowed content for sanitizer
- _Simply_ add `^$` to regexp that didn't have it yet, this avoids any
content being allowed that simply had the allowed content as a
substring.
- Fix file-preview regex to have `$` instead of `*`.

(cherry picked from commit 7067cc7da4)

v9: added fix for ref-issue, this is already fixed in forgejo branch but
not backported as it was part of a feature.
2024-11-15 11:32:51 +01:00
Gusted
a88e3e6ac0
fix: anonymous users code search for private/limited user's repository
- Consider private/limited users in the `AccessibleRepositoryCondition`
query, previously this only considered private/limited organization.
This limits the ability for anonymous users to do code search on
private/limited user's repository.
- Unit test added.

(cherry picked from commit b70196653f)
2024-11-15 11:32:38 +01:00
Gusted
6c75d1a504
fix: require code permissions for branch feed
- The RSS and atom feed for branches exposes details about the code, it
therefore should be guarded by the requirement that the doer has access
to the code of that repository.
- Added integration testing.

(cherry picked from commit 3e3ef76808)
2024-11-15 11:32:24 +01:00
Gusted
36300be94e
fix: don't show private forks in forks list
- If a repository is forked to a private or limited user/organization,
the fork should not be visible in the list of forks depending on the
doer requesting the list of forks.
- Added integration testing for web and API route.

(cherry picked from commit 061abe6004)
2024-11-15 11:32:09 +01:00
Gusted
c8c8377acb
fix: add ID check for updating push mirror interval
- Ensure that the specified push mirror ID belongs to the requested
repository, otherwise it is possible to modify the intervals of the push
mirrors that do not belong to the requested repository.
- Integration test added.

(cherry picked from commit 786dfc7fb8)
2024-11-15 11:31:28 +01:00
Earl Warren
fd4a68b4de Merge pull request '[v9.0/forgejo] chore(ci): ROLE forgejo-coding & forgejo-testing' (#5952) from earl-warren/forgejo:wip-v9.0-testing-only into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5952
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-11-14 11:28:49 +00:00
Earl Warren
78f69040fc
chore(ci): ROLE forgejo-coding & forgejo-testing (part two)
When the CI vars.ROLE is forgejo-coding, it is assumed to be the
repository where collaborative coding happens,
i.e. https://codeberg.org/forgejo/forgejo

When the CI vars.ROLE is forgejo-testing, it is assumed that only codebase
testing is to be run and no other tests such as release build
integration, label constraints, backporting etc.

(cherry picked from commit 068558accd)

Conflicts:
	.forgejo/workflows/testing.yml
  was in .forgejo/workflows/e2e.yml
2024-11-14 10:12:36 +01:00
Earl Warren
3465f73e2c
chore(ci): ROLE forgejo-coding & forgejo-testing
When the CI vars.ROLE is forgejo-coding, it is assumed to be the
repository where collaborative coding happens,
i.e. https://codeberg.org/forgejo/forgejo

When the CI vars.ROLE is forgejo-testing, it is assumed that only codebase
testing is to be run and no other tests such as release build
integration, label constraints, backporting etc.

(cherry picked from commit f82840f1ea)

Conflicts:
	.forgejo/workflows/merge-requirements.yml
2024-11-14 10:09:44 +01:00
Otto
86496d701d Merge pull request '[v9.0/forgejo] fix: handle renamed dependency for cargo registry' (#5945) from bp-v9.0/forgejo-bb93d3e into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5945
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-13 23:13:42 +00:00
Gusted
de389f2ecc fix: handle renamed dependency for cargo registry
- When a dependency is renamed, specified via `package="actual-name"` in
Cargo.toml, this should become the name of the dependency when the
package is retrieved from the registry by cargo and the old name should
be available in the `package` field.
- The reference implementation also does this: 490e66a9d6/src/controllers/krate/publish.rs (L702-L705)
- Resolves #5936
- Unit test added.

(cherry picked from commit bb93d3e6c8)
2024-11-13 22:56:30 +00:00
Earl Warren
e43533cd1b Merge pull request '[v9.0/forgejo] chore(release): also copy the release to code.forgejo.org' (#5937) from bp-v9.0/forgejo-7492330 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5937
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-11-13 18:33:57 +00:00
Earl Warren
2a78dba95b chore(ci): trigger a mirror when a release is published
Notify https://code.forgejo.org/forgejo/forgejo that a new release was
published by setting the trigger label to
https://code.forgejo.org/forgejo/forgejo/issues/5.

It is only ever useful when a stable release is published, the
experimental releases are not mirrored. But it is triggered in all
cases. This will waste a few mirror checks daily, when experimental
releases are built. This is an improvement compared to the current
situation where mirrors are checked hourly:

* Instead of being checked 24 times per day it will be down to less
  than 5
* The mirror happens immediately after the release is published
  instead of waiting for the next run of the cron job.

If a mirror operation is in progress, as evidenced by the presence of
the trigger label on the issue, it means two releases are being
published. Wait up to 1h for the mirror to complete and remove the
trigger label.

(cherry picked from commit 7492330721)
2024-11-13 16:53:43 +00:00
Earl Warren
e9cd753b98 Merge pull request '[v9.0/forgejo] fix(ci): synchronize updates the commit status asynchronously' (#5926) from bp-v9.0/forgejo-983aed4 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5926
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-11-12 12:33:20 +00:00
Earl Warren
dac13b7fc3 fix(ci): synchronize updates the commit status asynchronously
When a new commit is pushed to an existing pull request, the update of
the commit status will happen asynchronously, via the git hook.

   --- FAIL: TestPullRequestCommitStatus/synchronize (2.14s)
        actions_trigger_test.go:331:
            	Error Trace:	/workspace/forgejo/forgejo/tests/integration/actions_trigger_test.go:331
            	Error:      	Should be true
            	Test:       	TestPullRequestCommitStatus/synchronize

(cherry picked from commit 983aed4268)
2024-11-12 11:53:06 +00:00
Otto
0db515dfec Merge pull request '[v9.0/forgejo] fix: Move forgot_password-link to fix login tab order' (#5887) from fnetx/bp-5838 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5887
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-10 13:41:51 +00:00
Gusted
336ccf45c8 Merge pull request '[v9.0/forgejo] fix(ui): Details icon in repo settings sidebar' (#5891) from bp-v9.0/forgejo-5932b86 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5891
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-10 12:54:50 +00:00
Otto Richter
70aefc810c fix(ui): Details icon in repo settings sidebar
Consistent classes between both details/summary constructs in the sidebar, ensuring they have the same style.

(cherry picked from commit 5932b86af4)
2024-11-10 02:13:45 +00:00
MrSmoer
6025b93664 Remove unused css class "form-field-content-aside-label"
This css class was used to display the "forgot password"-link right and above the password field.
cd75519a0b moves this link, so this class is now unused
2024-11-10 02:24:58 +01:00
MrSmoer
e823122f19 fix: Move "forgot_password"-link to fix login tab order
Previously hitting tab in the username field set the focus to the "forgot password" link. Only on the next hit the password field was selected.
This is an issue for some password managers (keepassdx android keyboard) and not as nice for accessibility.
Now the forgot link is below the sign up link at the bottom of the page.
Using "tabindex" didn't work properly with the templating engine because many elements get assigned a tabindex of "0" by default disrupting the tab selection sequence.
2024-11-10 02:24:58 +01:00
Gusted
ef9df01cd2 Merge pull request '[v9.0/forgejo] [THEME] Copy ansi terminal colours from gitea to forgejo themes' (#5882) from bp-v9.0/forgejo-e58d5d4 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5882
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-09 22:40:07 +00:00
Ragnar Groot Koerkamp
2e114bcaa0 [THEME] Copy ansi terminal colours from gitea to forgejo themes
(cherry picked from commit e58d5d46c1)
2024-11-09 21:57:08 +00:00
Gusted
91a12abdaf Merge pull request '[v9.0/forgejo] [PORT] Fix code owners will not be mentioned when a pull request comes from a forked repository (gitea#30476)' (#5879) from bp-v9.0/forgejo-2efc1f5-536e192 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5879
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-09 19:21:37 +00:00
Gusted
79bc6e8c35 chore: add extra integration test
(cherry picked from commit 536e1923b4)
2024-11-09 18:43:38 +00:00
Lunny Xiao
770fa89dc8 [PORT] Fix code owners will not be mentioned when a pull request comes from a forked repository (gitea#30476)
Fix #30277
Caused by #29783

---

- Resolves #5842
- Regression from #2855

(cherry picked from commit c63060b130d34e3f03f28f4dccbf04d381a95c17)
(cherry picked from commit 2efc1f5686)
2024-11-09 18:43:37 +00:00
Earl Warren
9a7b0c3f02 Merge pull request '[v9.0/forgejo] bug: require.Eventually must not test with assert' (#5870) from bp-v9.0/forgejo-2541a94 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5870
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-11-09 00:39:12 +00:00
Earl Warren
8c51053739 bug: require.Eventually must not test with assert
Otherwise it fails the test instead of retrying if the condition fails
at least once.

(cherry picked from commit 2541a943ce)
2024-11-08 23:42:01 +00:00
Otto
3a4612cb2b Merge pull request '[v9.0/forgejo] chore(renovate): only run if renovate workflow changed' (#5861) from bp-v9.0/forgejo-2eeb2fc into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5861
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-11-08 12:58:13 +00:00
Michael Kriese
c0113bfbbe chore(renovate): only run if renovate workflow changed
(cherry picked from commit 2eeb2fcd35)
2024-11-08 12:43:09 +00:00
Renovate Bot
08396d566b Update dependency happy-dom to v15.10.2 [SECURITY] (v9.0/forgejo) (#5854)
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-08 06:39:14 +00:00
Otto
66b6917923 Merge pull request '[v9.0/forgejo] fix: issue labels are not set after deleting one label' (#5844) from bp-v9.0/forgejo-db899c1-f06bdb0 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5844
Reviewed-by: Otto <otto@codeberg.org>
2024-11-07 11:22:14 +00:00
Earl Warren
397b3cf88f chore(refactor): split ReloadLabels out of LoadLabels in issue model
Functions modifying the labels in the database (DeleteIssueLabel,
NewIssueLabels, NewIssueLabel, ReplaceIssueLabels) need to force
reload them. Instead of:

	issue.isLabelsLoaded = false
	issue.Labels = nil
	if err = issue.LoadLabels(ctx); err != nil {
		return err
	}

They can now use:

	if err = issue.ReloadLabels(ctx); err != nil {
		return err
	}

(cherry picked from commit f06bdb0552)
2024-11-07 10:38:36 +00:00
Earl Warren
bcb72df356 fix: issue labels are not set after deleting one label
Because issue.isLabelsLoaded = false is missing, LoadLabels is a noop
and the issue.Labels is nil.

(cherry picked from commit db899c19d8)
2024-11-07 10:38:36 +00:00
Earl Warren
ed2d5f6b73 Merge pull request '[v9.0/forgejo] fix: labels are missing in the pull request payload removing a label' (#5834) from bp-v9.0/forgejo-c801838 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5834
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-11-07 08:03:00 +00:00
Earl Warren
eda6b436dc fix: labels are missing in the pull request payload removing a label
When ReplaceIssueLabels calls issue.LoadLabels it was a noop because
issue.isLabelsLoaded is still set to true because of the call to
issue.LoadLabels that was done at the beginning of the function.

(cherry picked from commit c801838690)
2024-11-06 17:38:04 +00:00
Earl Warren
09a35a7cb8 Merge pull request '[v9.0/forgejo] Add label to Forgejo Actions PR labeled/unlabeled events and update the commit status' (#5810) from bp-v9.0/forgejo-58e3c1f-66c85b7-f56fc51 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5810
Reviewed-by: Otto <otto@codeberg.org>
2024-11-06 16:13:39 +00:00
Otto
a68a37f59c Merge pull request '[v9.0/forgejo] chore(ci): deprecate legacy infrastructure supporting v*.next' (#5823) from bp-v9.0/forgejo-ece87d0 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5823
Reviewed-by: Otto <otto@codeberg.org>
2024-11-05 22:30:44 +00:00
Earl Warren
2b86ff6768 chore(ci): deprecate legacy infrastructure supporting v*.next
https://code.forgejo.org/infrastructure/k8s/ was replaced with
https://code.forgejo.org/infrastructure/k8s-cluster/
(cherry picked from commit ece87d0569)
2024-11-05 21:43:31 +00:00
Earl Warren
8a65c4d28d chore(release-notes): related pull requests workflow fixes
(cherry picked from commit f56fc51c74)
2024-11-04 14:10:27 +00:00
Earl Warren
d624a5edd6 fix: Actions PR workflows must update the commit status
When a workflow has

on:
  pull_request:
    types:
      - labeled
      - unlabeled

The outcome of the workflow (success or failure) must be associated
with the head sha commit status. Otherwise it cannot be used as a
requirement for merging the pull request (branch protections).

(cherry picked from commit 66c85b7d8b)
2024-11-04 14:10:27 +00:00
Earl Warren
11f71dcb09 fix: add label to issues and PR labeled/unlabeled events
When a workflow has

on:
  pull_request:
    types:
      - labeled
      - unlabeled

The payload misses the label field describing the added or removed
label.

The unlabeled event type was also incorrectly mapped to the labeled
event type.

(cherry picked from commit 58e3c1fbdb)
2024-11-04 14:10:27 +00:00
Earl Warren
7ec30b6ee9 Merge pull request '[v9.0/forgejo] chore(ci): notify the k8s cluster about experimental releases' (#5807) from earl-warren/forgejo:wip-v9.0-next-digest into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5807
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-11-04 13:52:05 +00:00
Earl Warren
13a5d9f3af
[v9.0/forgejo] chore(ci): notify the k8s cluster about experimental releases
This is in preparation of the migration of the v*.next.forgejo.org
instances currently managed at https://code.forgejo.org/infrastructure/k8s

The key difference is that the former system relies on ad-hoc scripts
and creates one k8s cluster for each instance, sharing nothing between
them.

The newer k8s cluster is used for all and requires significantly less
ad-hoc tooling.

See also:

* https://code.forgejo.org/infrastructure/next-digest
* https://code.forgejo.org/infrastructure/k8s-cluster/src/branch/main/k8s.md#updating-v-next-forgejo-org

(cherry picked from commit dab156b452)
2024-11-04 14:30:53 +01:00
Gusted
a429dbad98 Merge pull request '[v9.0/forgejo] fix: support www.github.com for migrations' (#5800) from bp-v9.0/forgejo-284ffe4 into v9.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5800
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-11-03 18:21:04 +00:00
Michael Kriese
0c0fd333f3 fix: support www.github.com for migrations
(cherry picked from commit 284ffe4e00)
2024-11-03 17:28:30 +00:00