Renovate Bot
8284515808
Update module golang.org/x/crypto to v0.35.0
2025-02-28 16:53:35 +00:00
Earl Warren
957774e5e7
[v7.0/forgejo] fix(release): the rootless image version label is not set ( #7049 )
...
Backport: https://codeberg.org/forgejo/forgejo/pulls/7038
There is a test for that but it was a false positive.
Refs: https://code.forgejo.org/forgejo/forgejo-build-publish/pulls/27
(cherry picked from commit 078ca85d87)
```
Conflicts:
Dockerfile.rootless
trivial context conflict
```
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7049
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2025-02-25 07:31:47 +00:00
Renovate Bot
d75b11583c
Update https://code.forgejo.org/forgejo/forgejo-build-publish action to v5.3.4 (v7.0/forgejo) ( #7051 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [https://code.forgejo.org/forgejo/forgejo-build-publish ](https://code.forgejo.org/forgejo/forgejo-build-publish ) | action | minor | `v5.2.1` -> `v5.3.4` |
| [https://code.forgejo.org/forgejo/forgejo-build-publish ](https://code.forgejo.org/forgejo/forgejo-build-publish ) | action | minor | `v5.1.1` -> `v5.3.4` |
---
### Release Notes
<details>
<summary>forgejo/forgejo-build-publish (https://code.forgejo.org/forgejo/forgejo-build-publish )</summary>
### [`v5.3.4`](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.3...v5.3.4 )
[Compare Source](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.3...v5.3.4 )
### [`v5.3.3`](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.2...v5.3.3 )
[Compare Source](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.2...v5.3.3 )
### [`v5.3.2`](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.1...v5.3.2 )
[Compare Source](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.1...v5.3.2 )
### [`v5.3.1`](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.0...v5.3.1 )
[Compare Source](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.3.0...v5.3.1 )
### [`v5.3.0`](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.2.1...v5.3.0 )
[Compare Source](https://code.forgejo.org/forgejo/forgejo-build-publish/compare/v5.2.1...v5.3.0 )
</details>
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - "* 0-3 * * *" (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate ).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7051
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2025-02-24 10:54:30 +00:00
Earl Warren
1ddb0f55a0
[v7.0/forgejo] fix(sec): Forgejo Actions web routes ( #6845 )
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6845
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2025-02-08 09:15:43 +00:00
0ko
d0e10205fc
[v7.0/forgejo] fix(sec): permission check for project issue ( #6846 ) (merge commit)
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6846
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2025-02-08 08:09:36 +00:00
Earl Warren
c8293d0e3c
chore(refactor): remove deadcode from port of Add API for Variables (#29520)
2025-02-08 07:50:19 +00:00
Gusted
4c3227eeed
fix(sec): web route test edit and delete variable
...
Exhaustively test each combination of deleting and updating an action
variable via the web route.
(cherry picked from commit cd0334f85ac46db7b1b42770c9b4e809ea6f4254)
2025-02-08 07:50:19 +00:00
Gusted
6e13dd44d6
fix(sec): add tests for web route delete runner
...
Exhaustively test each combination of deleting and updating an action
runner via the web route. Although updating an action runner was not
impacted, it's good to have a test nonetheless.
(cherry picked from commit 4ace0e938e7c9efaa40cf17e9440b423ee572375)
2025-02-08 07:50:19 +00:00
Gusted
4c8c215b75
fix(sec): web route update and delete runner variables
...
The web route to update and delete variables of runners did not check if
the ID that was given belonged to the context it was requested in; this
made it possible to update and delete every existing runner variable of
an instance for any authenticated user.
The code has been reworked to always take into account the context of
the request (owner and repository ID).
(cherry picked from commit 5cb8fdfc8b9213cc368cd074aac93a1327ea20b0)
2025-02-08 07:50:19 +00:00
sillyguodong
0e82cf121d
chore(refactor): partial port of Add API for Variables (#29520)
...
The commit has, in addition to the implementation of the API, a few
function refactors that are useful in backports.
---
close #27801
---------
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 62b073e6f31645e446c7e8d6b5a506f61b47924e)
Conflicts:
- modules/util/util.go
Trivial resolution, only picking the newly introduced function
- routers/api/v1/swagger/options.go
Trivial resolution. We don't have UserBadges, don't pick that part.
- templates/swagger/v1_json.tmpl
Regenerated.
(cherry picked from commit 16696a42f5)
2025-02-08 07:50:19 +00:00
Gusted
5b30b7dc6f
fix(sec): web route delete runner
...
The web route to delete action runners did not check if the ID that was
given belonged to the context it was requested in; this made it possible
to delete every existing runner of an instance by an authenticated user.
The code was reworked to ensure that the caller of the delete
runner function retrieves the runner by ID and then checks if it belongs
to the context it was requested in. Although this is not an optimal
solution, it is consistent with the context checking of other code for
runners.
(cherry picked from commit 567765be03d56d6c8c36bb783c330c8ca70b1aca)
Conflicts:
models/actions/runner.go
models/actions/runner_test.go
conflicting UUID bug fix and associated tests do not exist
2025-02-08 07:50:19 +00:00
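The two `fix(sec)` commits above (runner variables and runner deletion) describe the same missing-ownership-check pattern: the route trusted a numeric ID from the request and never compared it with the owner/repository the request was made in. The example below is an added illustration of that flaw and its fix, not Forgejo's own code: the `Runner` type, the in-memory `Store` and the `(ownerID, repoID)` scoping convention are assumptions made for this example, not Forgejo's `models/actions` schema or route signatures.

```go
package main

import (
	"errors"
	"fmt"
)

// Runner is a minimal stand-in for an Actions runner (or runner variable)
// record. Field names are assumptions for this example, not Forgejo's
// models/actions schema.
type Runner struct {
	ID      int64
	OwnerID int64 // 0 for instance-level runners
	RepoID  int64 // 0 for owner- or instance-level runners
	Name    string
}

// ErrNotFound is returned both for unknown IDs and for IDs outside the
// caller's scope, so a response never confirms that a foreign ID exists.
var ErrNotFound = errors.New("runner not found")

// Store is an in-memory table keyed by runner ID.
type Store struct {
	runners map[int64]*Runner
}

func NewStore(rs ...*Runner) *Store {
	s := &Store{runners: map[int64]*Runner{}}
	for _, r := range rs {
		s.runners[r.ID] = r
	}
	return s
}

func (s *Store) Count() int { return len(s.runners) }

// DeleteByIDUnscoped has the flaw the commit message describes: the ID from
// the request is trusted on its own, so any authenticated user who can reach
// the route can delete any runner on the instance.
func (s *Store) DeleteByIDUnscoped(id int64) error {
	if _, ok := s.runners[id]; !ok {
		return ErrNotFound
	}
	delete(s.runners, id)
	return nil
}

// DeleteScoped is the hardened form: load the record by ID, then require it
// to belong to exactly the (ownerID, repoID) context the request was made in.
// Instance-level routes pass (0, 0); owner-level routes pass (ownerID, 0).
func (s *Store) DeleteScoped(ownerID, repoID, id int64) error {
	r, ok := s.runners[id]
	if !ok {
		return ErrNotFound
	}
	if r.OwnerID != ownerID || r.RepoID != repoID {
		return ErrNotFound
	}
	delete(s.runners, id)
	return nil
}

func main() {
	s := NewStore(
		&Runner{ID: 1, OwnerID: 10, RepoID: 100, Name: "repo-runner"},
		&Runner{ID: 2, OwnerID: 20, RepoID: 0, Name: "other-org-runner"},
	)
	// A user acting in repo 100 of owner 10 tries to delete the other
	// organisation's runner by guessing its ID.
	fmt.Println("scoped delete of foreign runner:", s.DeleteScoped(10, 100, 2))
	fmt.Println("runners left:", s.Count())
	fmt.Println("unscoped delete of foreign runner:", s.DeleteByIDUnscoped(2))
	fmt.Println("runners left:", s.Count())
}
```

The check deliberately compares both owner and repository: a runner registered at the owner level (`RepoID == 0`) must not be deletable from a repository page of that same owner unless the route is meant to allow it, and collapsing the two mismatches into the same not-found error keeps the route from acting as an oracle for which IDs exist.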
Gusted
4159529a06
fix(sec): add tests for private issues on projects
...
- Add integration and unit tests to ensure that private issues on
projects are not shown in any way, shape or form when the doer has no
access to it.
(cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)
2025-02-05 22:29:24 +00:00
Earl Warren
913e3b536e
fix(sec): permission check for project issue
...
- Do an access check when loading issues for a project board, currently
this is not done and exposes the title, labels and existence of a
private issue that the viewer of the project board may not have access
to.
- The number of issues cannot be calculated in an efficient manner
and stored in the database because their number may vary depending on
the visibility of the repositories participating in the project. The
previous implementation used the pre-calculated numbers stored in each
project, which did not reflect that potential variation.
- The code is derived from https://github.com/go-gitea/gitea/pull/22865
(cherry picked from commit 2193afaeb9954a5778f5a47aafd0e6fbbf48d000)
2025-02-05 22:05:22 +00:00
Renovate Bot
0f1cf6dade
Update dependency katex to v0.16.21 [SECURITY] (v7.0/forgejo) ( #6693 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [katex](https://katex.org ) ([source](https://github.com/KaTeX/KaTeX )) | dependencies | patch | [`0.16.10` -> `0.16.21`](https://renovatebot.com/diffs/npm/katex/0.16.10/0.16.21 ) |
---
### KaTeX \htmlData does not validate attribute names
[CVE-2025-23207](https://nvd.nist.gov/vuln/detail/CVE-2025-23207 ) / [GHSA-cg87-wmx4-v546](https://github.com/advisories/GHSA-cg87-wmx4-v546 )
<details>
<summary>More information</summary>
#### Details
##### Impact
KaTeX users who render untrusted mathematical expressions with `renderToString` could encounter malicious input using `\htmlData` that runs arbitrary JavaScript, or generate invalid HTML.
##### Patches
Upgrade to KaTeX v0.16.21 to remove this vulnerability.
##### Workarounds
- Avoid use of or turn off the `trust` option, or set it to forbid `\htmlData` commands.
- Forbid inputs containing the substring `"\\htmlData"`.
- Sanitize HTML output from KaTeX.
##### Details
`\htmlData` did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts.
##### For more information
If you have any questions or comments about this advisory:
- Open an issue or security advisory in the [KaTeX repository](https://github.com/KaTeX/KaTeX/ )
- Email us at [katex-security@mit.edu ](mailto:katex-security@mit.edu)
#### Severity
- CVSS Score: 6.3 / 10 (Medium)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L`
#### References
- [https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546 ](https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546 )
- [https://nvd.nist.gov/vuln/detail/CVE-2025-23207 ](https://nvd.nist.gov/vuln/detail/CVE-2025-23207 )
- ff289955e8
- [https://github.com/KaTeX/KaTeX ](https://github.com/KaTeX/KaTeX )
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-cg87-wmx4-v546 ) and the [GitHub Advisory Database](https://github.com/github/advisory-database ) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Release Notes
<details>
<summary>KaTeX/KaTeX (katex)</summary>
### [`v0.16.21`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01621-2025-01-17)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.20...v0.16.21)
##### Bug Fixes
- escape \htmlData attribute name (commit 57914ad91e)
### [`v0.16.20`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01620-2025-01-12)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.19...v0.16.20)
##### Bug Fixes
- \providecommand does not overwrite existing macro ([#4000](https://github.com/KaTeX/KaTeX/issues/4000)) (commit 6d30fe47b0), closes [#3928](https://github.com/KaTeX/KaTeX/issues/3928)
### [`v0.16.19`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01619-2024-12-29)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.18...v0.16.19)
##### Bug Fixes
- **types:** improve `strict` function type ([#4009](https://github.com/KaTeX/KaTeX/issues/4009)) (commit 4228b4eb52)
### [`v0.16.18`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01618-2024-12-18)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.17...v0.16.18)
##### Bug Fixes
- Actually publish TypeScript type definitions ([#4008](https://github.com/KaTeX/KaTeX/issues/4008)) (commit 629b87354f)
### [`v0.16.17`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01617-2024-12-17)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.16...v0.16.17)
##### Bug Fixes
- MathML combines multidigit numbers with sup/subscript, comma separators, and multicharacter text when outputting to DOM ([#3999](https://github.com/KaTeX/KaTeX/issues/3999)) (commit 7d79e220f4), closes [#3995](https://github.com/KaTeX/KaTeX/issues/3995)
### [`v0.16.16`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01616-2024-12-17)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.15...v0.16.16)
##### Features
- ESM exports, TypeScript types ([#3992](https://github.com/KaTeX/KaTeX/issues/3992)) (commit ea9c173a0d)
### [`v0.16.15`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01615-2024-12-09)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.14...v0.16.15)
##### Features
- italic sans-serif in math mode via `\mathsfit` command ([#3998](https://github.com/KaTeX/KaTeX/issues/3998)) (commit 22189018b6)
### [`v0.16.14`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01614-2024-12-08)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.13...v0.16.14)
##### Features
- \dddot and \ddddot support ([#3834](https://github.com/KaTeX/KaTeX/issues/3834)) (commit bda35cdb0a), closes [#2744](https://github.com/KaTeX/KaTeX/issues/2744)
### [`v0.16.13`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01613-2024-12-08)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.12...v0.16.13)
##### Bug Fixes
- `\vdots` and `\rule` support in text mode ([#3997](https://github.com/KaTeX/KaTeX/issues/3997)) (commit 0e08352623), closes [#3990](https://github.com/KaTeX/KaTeX/issues/3990)
### [`v0.16.12`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01612-2024-12-08)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.11...v0.16.12)
##### Features
- **css:** configurable margin for display math ([#3638](https://github.com/KaTeX/KaTeX/issues/3638)) (commit 3405001225)
### [`v0.16.11`](https://github.com/KaTeX/KaTeX/blob/HEAD/CHANGELOG.md#01611-2024-07-02)
[Compare Source](https://github.com/KaTeX/KaTeX/compare/v0.16.10...v0.16.11)
##### Features
- add \emph ([#3963](https://github.com/KaTeX/KaTeX/issues/3963)) (commit 9f34da4b3c), closes [#3566](https://github.com/KaTeX/KaTeX/issues/3566)
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate ).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6693
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2025-01-28 11:34:30 +00:00
Earl Warren
70334a6f29
[v7.0/forgejo] fix: load settings for valid user and email check ( #6679 )
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6679
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2025-01-24 16:49:00 +00:00
Gusted
51e0b34fa8
[v7.0/forgejo] fix: load settings for valid user and email check
...
- The doctor commands to check the validity of existing usernames and
email addresses depend on functionality that has configurable behavior
depending on the values of the `[service]` settings, so load them when
running the doctor command.
- Resolves #6664
- No unit test due to the architecture of doctor commands.
(cherry picked from commit 46e60ce966)
2025-01-24 13:27:36 +01:00
Earl Warren
9cc7b6d19e
[v7.0/forgejo] chore(security): update security.txt with new expiration date ( #6669 )
...
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/6655
Same as https://forgejo.org/.well-known/security.txt
(cherry picked from commit 955f99b6a4)
```
Conflicts:
public/.well-known/security.txt
trivial context conflict
```
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6669
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
2025-01-24 08:24:59 +00:00
Earl Warren
b5b8157485
Update module github.com/go-git/go-git/v5 to v5.13.1 (v7.0/forgejo) ( #6483 )
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6483
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2025-01-09 08:30:34 +00:00
Earl Warren
b097ff48c4
Update module github.com/go-git/go-git/v5 to v5.13.1 (license)
2025-01-09 07:44:50 +00:00
Renovate Bot
df17946734
Update module github.com/go-git/go-git/v5 to v5.13.1
2025-01-09 07:44:50 +00:00
Michael Kriese
b6b79892c9
chore: remove illegal git usage ( #6501 )
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6501
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2025-01-09 07:44:06 +00:00
Gusted
1c825edb1a
chore: remove illegal git usage
...
This is no longer possible in future go-git versions, so let's hardcode it
(cherry picked from commit 58ee57d5f2e547ba0786b2b5ebe87caa3ca545d5)
2025-01-09 07:13:41 +01:00
Earl Warren
9651e9d002
Merge pull request '[v7.0/forgejo] chore(release): link to the standalone release notes file' ( #6325 ) from bp-v7.0/forgejo-0e02397 into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6325
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-12-19 09:49:40 +00:00
Earl Warren
64142ee149
chore(release): link to the standalone release notes file
...
(cherry picked from commit 0e02397915)
2024-12-19 08:38:46 +00:00
Earl Warren
b07b7f7687
Merge pull request 'Update module golang.org/x/net to v0.33.0 (v7.0/forgejo)' ( #6317 ) from renovate/v7.0/forgejo-golang.org-x-net-0.x into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6317
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-19 07:01:59 +00:00
Earl Warren
be61fd0696
Update module golang.org/x/net to v0.33.0 (license)
2024-12-19 07:14:50 +01:00
Renovate Bot
dc13183803
Update module golang.org/x/net to v0.33.0
2024-12-18 23:16:05 +00:00
Earl Warren
4e0ab47c1c
Merge pull request '[v7.0/forgejo] fix: ensure correct ssh public key is used for authentication' ( #6252 ) from earl-warren/forgejo:wip-7.0-ssh into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6252
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-12-12 07:03:49 +00:00
Gusted
f7cb37ca5a
fix: ensure correct ssh public key is used for authentication
...
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that were chosen by `x/crypto/ssh` after successfully
authenticating; this is the mitigation recommended by the Golang
security team. The fork exposes this because `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack; although partially mitigated by the fix in `x/crypto/ssh`, it
would not be good practice or defense in depth to rely on it.
- Existing tests cover that the functionality is preserved.
- No tests are added to ensure it fixes the described security issue; the
exploit relies on non-standard SSH behavior and it would be too hard to
craft SSH packets to exploit this.
(cherry picked from commit 3e1b03838e)
Conflicts:
go.mod
go.sum
trivial context conflict
2024-12-12 07:02:14 +01:00
Earl Warren
d77e27304f
Merge pull request 'Update module golang.org/x/crypto to v0.31.0 (v7.0/forgejo)' ( #6246 ) from renovate/v7.0/forgejo-golang.org-x-crypto-0.x into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6246
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-12 05:06:14 +00:00
Earl Warren
157dd37035
Update module golang.org/x/crypto to v0.31.0 (licenses)
2024-12-12 05:50:19 +01:00
Renovate Bot
09162b8daf
Update module golang.org/x/crypto to v0.31.0
2024-12-12 04:38:24 +00:00
Earl Warren
9191b4d192
Merge pull request '[v7.0/forgejo] chore(ci): set the milestone when a pull request is closed (take 4)' ( #6230 ) from bp-v7.0/forgejo-6f53f7d into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6230
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-10 07:07:29 +00:00
Earl Warren
a23de662eb
chore(ci): set the milestone when a pull request is closed (take 4)
...
The milestone can only be determined to be final when a pull request
is merged.
It is possible that a pull request is opened during the development of
v10 and merged after it is published.
It is also possible that it is permanently closed without being merged.
(cherry picked from commit 6f53f7d007)
2024-12-10 06:21:21 +00:00
Earl Warren
e9381b63be
Merge pull request '[v7.0/forgejo] chore(ci): set the milestone when a pull request is open (take 3)' ( #6224 ) from bp-v7.0/forgejo-bf9e19c into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6224
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-09 23:30:26 +00:00
Earl Warren
7259d3b73f
chore(ci): set the milestone when a pull request is open (take 3)
...
pull_request_target runs from the target branch, not the default branch
(cherry picked from commit bf9e19cc21)
2024-12-09 22:56:13 +00:00
Earl Warren
2d1f6d7063
Merge pull request '[v7.0/forgejo] chore(ci): set the milestone when a pull request is open' ( #6216 ) from bp-v7.0/forgejo-1f18d8d into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6216
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-09 16:46:21 +00:00
Earl Warren
abd626eca7
chore(ci): set the milestone when a pull request is open (take 2)
...
Use the oci:ci image to get jq
(cherry picked from commit ebfe702df6)
2024-12-09 17:43:20 +01:00
Earl Warren
4164e907e6
chore(ci): set the milestone when a pull request is open
...
(cherry picked from commit 1f18d8d677)
2024-12-09 16:17:28 +00:00
Earl Warren
5dbb2dbe0d
Merge pull request '[v7.0/forgejo] fix: dbconsistency check adding missing quotes' ( #6132 ) from bp-v7.0/forgejo-b525eec into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6132
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-12-03 09:27:58 +00:00
Gusted
2580cece8e
Merge pull request 'fix: dbconsistency check adding missing quotes' ( #6124 ) from 71rd/forgejo:dbconsistency-forgejo into forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6124
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
(cherry picked from commit b525eec82b)
2024-12-03 07:31:41 +00:00
Gusted
f93a7a93a3
Merge pull request '[v7.0/forgejo] fix: Do not delete global Oauth2 applications' ( #6056 ) from bp-v7.0/forgejo-665d5f7-1d5aee6 into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6056
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-25 03:10:52 +00:00
Otto Richter
2d75678303
fix: Do not delete global Oauth2 applications
...
(cherry picked from commit 1d5aee6ef8)
2024-11-23 22:48:34 +00:00
Otto Richter
a3c917b1c1
test: Global OAuth should not be deleted
...
Expected to fail: Global (instance-wide) OAuth application should not be deleted, but it is
(cherry picked from commit 665d5f7317)
2024-11-23 22:48:34 +00:00
Earl Warren
ed15e04b33
Merge pull request '[v7.0/forgejo] chore(ci): remove unused experimental DNS updates' ( #6036 ) from earl-warren/forgejo:wip-v7.0-dns-update into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6036
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-11-20 16:48:39 +00:00
Earl Warren
4f85e369ec
chore(ci): remove unused experimental DNS updates
...
(cherry picked from commit a69943085a)
Conflicts:
.forgejo/workflows/publish-release.yml
trivial context conflict
2024-11-20 16:07:33 +00:00
Earl Warren
4c4e27cbd6
Merge pull request '[v7.0/forgejo] fix: 15 November 2024 security fixes batch' ( #5976 ) from earl-warren/forgejo:wip-v7.0-security-15-11 into v7.0/forgejo
...
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5976
2024-11-15 12:00:23 +00:00
Earl Warren
579560bd72
chore(release-notes): 15 November 2024 security fixes
2024-11-15 12:10:02 +01:00
Gusted
16419b6fc3
fix: disallow basic authorization when security keys are enrolled
...
- This unifies the security behavior of enrolling security keys with
enrolling TOTP as a 2FA method. When TOTP is enrolled, you cannot use
basic authorization (user:password) to make API request on behalf of the
user, this is now also the case when you enroll security keys.
- The usage of access tokens is the only method to make API requests on
behalf of the user when a 2FA method is enrolled for the user.
- Integration test added.
(cherry picked from commit e6bbecb02d)
2024-11-15 12:02:14 +01:00
Gusted
b770282d45
fix: extend forgejo_auth_token table
...
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
- Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.
(cherry picked from commit 1ce33aa38d)
v7: Removed migration - XORM can handle this case automatically without migration.
``assert.Equal(t, `doesnotexist@example.com`, msgs[0].To)`` in tests
because v7 does not include the user name in the recipient.
2024-11-15 12:02:14 +01:00
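The commit above replaces time-limited HMAC codes with rows in a token table that carry a `purpose`, so a code can only be redeemed for the flow it was issued for and is deleted on use. The example below is an added illustration of that design, not Forgejo's `forgejo_auth_token` implementation: the `Purpose` values, the `<id>:<secret>` token format, the in-memory `TokenStore` and the `Sweep` helper (standing in for the expiry cron job the commit lists as a TODO) are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Purpose names what a token may be redeemed for. Values are illustrative.
type Purpose string

const (
	PurposeActivateAccount Purpose = "activate_account"
	PurposeResetPassword   Purpose = "reset_password"
)

// ErrInvalidToken covers every failure (unknown ID, bad secret, wrong
// purpose, expired, already used) so the caller cannot tell them apart.
var ErrInvalidToken = errors.New("invalid or expired token")

// authToken is one stored row. Only a SHA-256 of the secret half is kept,
// so reading the table does not yield redeemable tokens.
type authToken struct {
	id      string
	userID  int64
	purpose Purpose
	hash    [sha256.Size]byte
	expires time.Time
}

// TokenStore stands in for the database table; now is injectable so that
// expiry can be exercised deterministically.
type TokenStore struct {
	rows map[string]*authToken
	now  func() time.Time
}

func NewTokenStore(now func() time.Time) *TokenStore {
	return &TokenStore{rows: map[string]*authToken{}, now: now}
}

func (s *TokenStore) Len() int { return len(s.rows) }

// Issue creates a token bound to one user and one purpose and returns the
// only plaintext copy, formatted "<id>:<secret>" (both hex).
func (s *TokenStore) Issue(userID int64, purpose Purpose, ttl time.Duration) (string, error) {
	var id, secret [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return "", err
	}
	if _, err := rand.Read(secret[:]); err != nil {
		return "", err
	}
	row := &authToken{
		id:      hex.EncodeToString(id[:]),
		userID:  userID,
		purpose: purpose,
		hash:    sha256.Sum256(secret[:]),
		expires: s.now().Add(ttl),
	}
	s.rows[row.id] = row
	return row.id + ":" + hex.EncodeToString(secret[:]), nil
}

// Consume redeems a token for the purpose the calling route expects. On
// success the row is deleted, so the same token cannot be replayed.
func (s *TokenStore) Consume(token string, purpose Purpose) (int64, error) {
	id, secretHex, ok := strings.Cut(token, ":")
	if !ok {
		return 0, ErrInvalidToken
	}
	row, ok := s.rows[id]
	if !ok {
		return 0, ErrInvalidToken
	}
	secret, err := hex.DecodeString(secretHex)
	if err != nil {
		return 0, ErrInvalidToken
	}
	got := sha256.Sum256(secret)
	if subtle.ConstantTimeCompare(got[:], row.hash[:]) != 1 {
		return 0, ErrInvalidToken
	}
	if !s.now().Before(row.expires) {
		delete(s.rows, id) // expired: drop it on the way out
		return 0, ErrInvalidToken
	}
	if row.purpose != purpose {
		// e.g. a reset-password token presented to the activation route:
		// rejected, but not consumed, so the legitimate flow still works
		return 0, ErrInvalidToken
	}
	delete(s.rows, id)
	return row.userID, nil
}

// Sweep deletes expired rows and returns how many it removed.
func (s *TokenStore) Sweep() int {
	n := 0
	for id, row := range s.rows {
		if !s.now().Before(row.expires) {
			delete(s.rows, id)
			n++
		}
	}
	return n
}

func main() {
	s := NewTokenStore(time.Now)
	tok, _ := s.Issue(42, PurposeResetPassword, time.Hour)
	_, err := s.Consume(tok, PurposeActivateAccount)
	fmt.Println("wrong purpose:", err)
	uid, err := s.Consume(tok, PurposeResetPassword)
	fmt.Println("right purpose:", uid, err)
	_, err = s.Consume(tok, PurposeResetPassword)
	fmt.Println("replay:", err)
}
```

Three properties follow from the layout rather than from any callers remembering to check: the purpose is compared server-side against what the route expects, so a token cannot be redirected to a more privileged flow; deletion on success makes every token single-use; and storing only a hash means a database read or backup leak does not hand out live tokens.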