Template
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo synced 2024-11-22 09:54:24 +01:00
Commit graph

17207 commits

Author SHA1 Message Date
Gusted d3de80b9cc
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
2024-02-22 15:35:04 +01:00
Gusted fe2df46d05
[SECURITY] Fix XSS in dismissed review
- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.
2024-02-22 15:04:36 +01:00
Gusted 92dae3a387
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
2024-02-22 15:04:11 +01:00
Earl Warren 5048478147 Merge pull request '[gitea] v1.21 cherry-pick' (#2430) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2430
2024-02-22 13:00:38 +00:00
Zettat123 9a63c6f39a
Fix error display when merging PRs (#29288) (#29309)
Backport #29288
Partially fix #29071, regression of Modernize merge button #28140

Fix some missing `Redirect` -> `JSONRedirect`.

Thanks @yp05327 for the help in
https://github.com/go-gitea/gitea/issues/29071#issuecomment-1931261075

(cherry picked from commit dcb9c38568dc4e9502fc416de237cce0eac41cba)
2024-02-22 13:10:12 +01:00
Gusted d24c37e132
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
trough `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited, the names of authors and commiters on a Git
commit is user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do use, as they actually strip `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as they don't have such restrictions.
- Pass `.Author.Name` trough `Escape` in order to be sanitized.
2024-02-22 13:04:47 +01:00
jolheiser 33af169223
[SECURITY] review(kn4ck3r): more template escapes
Signed-off-by: jolheiser <john.olheiser@gmail.com>
2024-02-22 12:54:34 +01:00
yp05327 47e70bbf0e
Fix gitea-action user avatar broken on edited menu (#29190) (#29307)
Backport #29190

Fix #29178

(cherry picked from commit f80ea95eb538decad4d982ce96f640b18e430393)
2024-02-22 11:07:39 +01:00
wxiaoguang 3a061083d6
Fix missing link on outgoing new release notifications (#29079) (#29300)
Backport #29079

Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit c4a86b20a4ecef749caed4e9e1381c1736cb0309)
2024-02-22 11:07:31 +01:00
wxiaoguang 8a2c4e9ff2
Fix debian InRelease Acquire-By-Hash newline (#29204) (#29299)
Backport #29204

Co-authored-by: Robin Schoonover <robin@cornhooves.org>
(cherry picked from commit f634982d237b38e0634c5997612f50230898247e)
2024-02-22 11:07:28 +01:00
wxiaoguang a1fb6a2346
Always write proc-receive hook for all git versions (#29287) (#29291)
Backport #29287

(cherry picked from commit 9379352db638aa99ee9f4a7d2755966f3d866541)
2024-02-22 11:07:23 +01:00
Zettat123 c49dd9de9b
Do not show delete button when time tracker is disabled (#29257) (#29279)
Backport #29257
Fix #29233

The delete button of time logs won't be shown when the time tracker is
disabled.

![image](https://github.com/go-gitea/gitea/assets/15528715/5cc4e0c9-d2f9-4b8f-a2f5-fe202b94c191)

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit e940443b276fa4f30633902f025fd2adad1b22de)
2024-02-22 11:07:20 +01:00
Earl Warren 2c567ea193 Merge pull request '[BUG] Initialize Git for hook regeneration' (#2421) from gusted/forgejo-bp-2416 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2421
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-21 14:41:45 +00:00
Gusted 2fb2e832c5
[BUG] Initalize Git for hook regeneration
- Backport of #2416
- The hook regeneration code relies on `git.SupportProcReceive` being
set to determine if the `proc-receive` hook should be written, this
variable is set when the git module is initialized.
- Resolves #2414

(cherry picked from commit 815abad84c)
2024-02-21 14:43:43 +01:00
Earl Warren ceca25d374 Merge pull request '[gitea] v1.21 cherry-pick' (#2407) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2407
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-20 15:47:19 +00:00
Earl Warren 44906f85f7 Merge pull request '[SEMVER] 6.0.6+0-gitea-1.21.6' (#2409) from earl-warren/forgejo:wip-v1.21-semver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2409
2024-02-20 11:22:31 +00:00
Earl Warren 5e31d1f37f
[SEMVER] 6.0.6+0-gitea-1.21.6 2024-02-20 10:41:03 +01:00
6543 8377ecbfe1
Workaround to clean up old reviews on creating a new one (#28554) (#29264)
close  #28542
backport #28554

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit c01b266d8680a270b1e8067e757ed25be38eea24)
2024-02-20 09:39:02 +01:00
Jason Song 861d0b9689
Do not use lower tag names to find releases/tags (#29261) (#29262)
Backport #29261.

Fix #26090, see
https://github.com/go-gitea/gitea/issues/26090#issuecomment-1952013206

Since `TagName` stores the original tag name and `LowerTagName` stores
the lower tag name, it doesn't make sense to use lowercase tags as
`TagNames` in `FindReleasesOptions`.

5e72526da4/services/repository/push.go (L396-L397)

While the only other usage looks correct:

5e72526da4/routers/web/repo/repo.go (L416)
(cherry picked from commit f79530c50ee1c7833cae13e56531e5d1fd66f5ba)
2024-02-20 09:36:37 +01:00
Tim-Nicas Oelschläger a40762d929
Convert visibility to number (#29226) (#29244)
Backport #29226

Don't throw error while creating user (Fixes #29218)

---

The backport info from Giteabot
https://github.com/go-gitea/gitea/pull/29226#issuecomment-1951341322
needs to specify the version, because the default is v1.18

(cherry picked from commit 39735c43a8b6f7db3b3e3531ca9115a60335d524)
2024-02-20 09:36:28 +01:00
Lunny Xiao 8782275c9c
Fix push to create with capitalize repo name (#29090) (#29206)
Fix #29073
Backport #29090

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 933cc4da642c13b18423be99574944c43cc558c7)
2024-02-20 09:28:32 +01:00
KN4CK3R aced7547c2
Use ghost user if user was not found (#29161) (#29169)
Backport #29161

(cherry picked from commit d823465d94b3b43945eace060000db9334eca52d)
2024-02-20 09:26:13 +01:00
6543 d3846df1f9
Dont load Review if Comment is CommentTypeReviewRequest (#28551) (#29160)
Backport #28551

RequestReview get deleted on review.
So we don't have to try to load them on comments.

(cherry picked from commit 0ac3186267b717bce7076ef44f883df7720d7a2d)
2024-02-20 09:22:26 +01:00
Earl Warren 60a4c05d23 Merge pull request '[BUG] Restrict when to make link absolute in markdown' (#2406) from gusted/forgejo-bp-2403 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2406
Reviewed-by: Otto <otto@codeberg.org>
2024-02-20 07:12:22 +00:00
Gusted 6c100083c2
[BUG] Restrict when to make link absolute in markdown
- Backport of #2403
- In markdown, links are proccessed to be made absolute against the
relevant base in that context. Such that `./src` will be transformed
into `http://example.com/owner/repo/src/branch/main/src`.
- Don't try to make the link absolute if the link has a schema that's
defined in `[markdown].CUSTOM_URL_SCHEMES`, because they can't be made
absolute and doing so could lead to problems (see test case, double
slash was transformed to single slash).
- Adds unit test.
- Resolves https://codeberg.org/Codeberg/Community/issues/1489

(cherry picked from commit 65b9a959b8)
2024-02-19 23:30:12 +01:00
Earl Warren 6c5121aac5 Merge pull request '[GITEA] Fix cancelled migration deletion modal' (#2405) from gusted/forgejo-bp-1805 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2405
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-19 21:55:09 +00:00
Gusted 53460829f7
[GITEA] Fix cancelled migration deletion modal
- Backport of #1805
- https://codeberg.org/forgejo/forgejo/pulls/1473 made that dangerous
actions such as deletion also would need to type in the owner's name.
This was apparently not reflected to the deletion modal for migrations
that failed or were cancelled.
- Resolves #2404

(cherry picked from commit c38dbd6f88)
2024-02-19 21:00:26 +01:00
Gusted 84ef9bba44 Merge pull request '[BUG] Fix relative links on orgmode' (#2391) from gusted/forgejo-bp-2385 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2391
Reviewed-by: Otto <otto@codeberg.org>
2024-02-19 12:29:21 +00:00
Gusted fa700333ba
[BUG] Fix relative links on orgmode
- Backport of #2385
- For regular non-image nonvideo links, they should be made relative,
this was done against `r.Ctx.Links.Base`, but since 637451a45e, that
should instead be done by `SrcLink()` if there's branch information set
in the context, because branch and treepath information are no longer
set in `r.Ctx.Links.Base`.
- This is consistent with how #2166 _fixed_ relative links.
- Media is not affected, `TestRender_Media` test doesn't fail.
- Adds unit tests.
- Ref https://codeberg.org/Codeberg/Community/issues/1485

(cherry picked from commit a2442793d2)
2024-02-19 12:15:40 +01:00
Earl Warren cd8a59e7bd Merge pull request '[BUG] Fix Ctrl+Enter on submitting review comment' (#2374) from gusted/forgejo-bp-2370 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2374
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-17 16:25:27 +00:00
Gusted 1c3a31d851
[BUG] Fix Ctrl+Enter on submitting review comment
- Backport of #2370
- When a event is caused by `Ctrl+Enter` jQuery might not wrap the event
and in that case `originalEvent` is not defined. Check for this case.
- Log the error along with showing an toast.
- Resolves #2363

(cherry picked from commit f04589defd)
2024-02-17 16:19:21 +01:00
Earl Warren 8283305d53 Merge pull request '[BUG] split code conversations in diff tab' (#2362) from oliverpool/forgejo:bg2306 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2362
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-17 10:50:48 +00:00
Earl Warren 91703b7214 Merge pull request 'Preview: set font-size on preview content' (#2366) from gusted/forgejo-bp-2349 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2366
Reviewed-by: Otto <otto@codeberg.org>
2024-02-17 10:48:33 +00:00
Gusted a904558380
Preview: set font-size on preview content
- Backport of #2349
- When previewing the content in a review, no font size was set. This
resulted in the previewed content being bigger than other text and
therefor creating an noticable inconsistency.
- Set the font size of the previewed content, 14px, this is consistent
with how the content would be rendered.
- `comment-code-cloud` is the class used for the review boxes.
`.ui.tab.markup` means it only applies to the preview tab.

(cherry picked from commit b1aabbf174)
2024-02-16 22:29:12 +01:00
oliverpool 07bc099401 [BUG] split code conversations in diff tab (#2306)
Follow-up of #2282 and #2296 (which tried to address #2278)

One of the issue with the previous PR is that when a conversation on the Files tab was marked as "resolved", it would fetch all the comments for that line (even the outdated ones, which should not be shown on this page - except when explicitly activated).

To properly fix this, I have changed `FetchCodeCommentsByLine` to `FetchCodeConversation`. Its role is to fetch all comments related to a given (review, path, line) and reverted my changes in the template (which were based on a misunderstanding).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2306
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
2024-02-16 14:06:43 +01:00
Earl Warren 45c0fa4905 Merge pull request '[BUG] Workaround borked Git version' (#2342) from gusted/forgejo-bp-2335 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2342
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-14 10:55:22 +00:00
Earl Warren 31ca6d8160 Merge pull request '[gitea] v1.21 cherry-pick' (#2340) from earl-warren/forgejo:wip-v1.21-forgejo into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2340
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-14 10:54:42 +00:00
Gusted ff468ab5e4
[BUG] Workaround borked Git version
- Backport #2335
- In Git version v2.43.1, the behavior of `GIT_FLUSH` was accidentially
flipped. This causes Forgejo to hang on the `check-attr` command,
because no output was being flushed.
- Workaround this by detecting if Git v2.43.1 is used and set
`GIT_FLUSH=0` thus getting the correct behavior.
- Ref: https://lore.kernel.org/git/CABn0oJvg3M_kBW-u=j3QhKnO=6QOzk-YFTgonYw_UvFS1NTX4g@mail.gmail.com/
- Resolves #2333.

(cherry picked from commit f68f880974)
2024-02-13 21:07:24 +01:00
CEnnis91 fab6780fda
Fix swift packages not resolving (#29095) (#29102)
(cherry picked from commit 1aaeec6da7fdbbe363e417a0445f21ed3b750aba)
2024-02-13 14:29:41 +01:00
Giteabot 614ba2b257
Avoid showing unnecessary JS errors when there are elements with different origin on the page (#29081) (#29089)
Backport #29081 by wxiaoguang

Try to fix #29080

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 9a4d283e9ac472dca869356c27db05039673c638)
2024-02-13 14:18:07 +01:00
Giteabot 628e1036cf
Fix gitea-origin-url with default ports (#29085) (#29088)
Backport #29085 by @silverwind

When setting `url.host` on a URL object with no port specified (like is
the case of default port), the resulting URL's port will not change.
Workaround this quirk in the URL standard by explicitely setting port
for the http and https protocols.

Extracted the logic to a function for the purpose of testing. Initially
I wanted to have the function in utils.js, but it turns out esbuild can
not treeshake the unused functions which would result in the
webcomponents chunk having all 2kB utils.js inlined, so it seemed not
worth.

Fixes: https://github.com/go-gitea/gitea/issues/29084

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit fb7f28e9a7ee441e85dc957ac507278650af2f63)
2024-02-13 14:17:58 +01:00
Giteabot e6f59f6e14
fix: Elasticsearch: Request Entity Too Large #28117 (#29062) (#29075)
Backport #29062 by @inferno-umar

Fix for gitea putting everything into one request without batching and
sending it to Elasticsearch for indexing as issued in #28117

This issue occured in large repositories while Gitea tries to
index the code using ElasticSearch.

Co-authored-by: dark-angel <70754989+inferno-umar@users.noreply.github.com>
(cherry picked from commit f0d34cd3b97dd2c9f29fc401ec58ea0661b7ca7d)
2024-02-13 14:17:49 +01:00
Giteabot 941c47f08f
Hide code links on release page if user cannot read code (#29064) (#29066)
Backport #29064 by @wolfogre

On the release list page, if the user doesn't have the permission to
read code, the code links will lead to 404 pages or api errors:

<img width="1297" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/a74fbc63-6dd6-43c6-853c-28acdbfdcb4e">

After this PR:

<img width="1297" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/a626373d-c2df-40a9-8fed-1b12ff6bc56f">

And this PR also removed some dead code. After #23465, the tag list page
has an independent template, and all `IsTag` in the release list
template are always false.

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit 7ed79b748f772e931317f941390695be3ac0d0bd)
2024-02-13 14:17:43 +01:00
Giteabot 3c54a1dbf6
Avoid sending update/delete release notice when it is draft (#29008) (#29025)
Backport #29008 by @yp05327

Fix #27157

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 8def405047)
2024-02-13 14:17:34 +01:00
Giteabot 8c20eb668b
Wrap contained tags and branches again (#29021) (#29026)
Backport #29021 by @delvh

Fixes #29016

## After

![grafik](https://github.com/go-gitea/gitea/assets/51889757/2c72ee8f-439e-4328-85df-77772e0f4aef)

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 5ac41026f9)
2024-02-13 14:17:25 +01:00
Giteabot 565b4efe4d
Fix incorrect button CSS usages (#29015) (#29023)
Backport #29015 by @wxiaoguang

Fix 2 problems:

1. Remove the legacy (non-existing) CSS: `class="btn btn-gray
btn-radius"`
2. Remove the button styles inside the `ui message`, according to:
https://fomantic-ui.com/collections/message.html , the button shouldn't
have any border/padding.

### Before

![image](https://github.com/go-gitea/gitea/assets/2114189/4c7e98e2-4e8a-493f-9b7e-446a365066a1)

![image](https://github.com/go-gitea/gitea/assets/2114189/05221251-7a79-4c96-8973-fb4588275672)

### After

![image](https://github.com/go-gitea/gitea/assets/2114189/8bc3edbc-42a6-40bd-85fd-de40e94841d4)

![image](https://github.com/go-gitea/gitea/assets/2114189/93f69143-d835-437c-b5eb-0f6dddde97a1)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 333d02ddfd)
2024-02-13 14:17:18 +01:00
Giteabot c148156409
Strip trailing newline in markdown code copy (#29019) (#29022)
Behaviour now matches GH. Safeguard added in the for loop because
`textContent` may be null in which case it does not make sense to render
the copy button.

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 5d1abdce3e)
2024-02-13 14:17:07 +01:00
Earl Warren bb5f4fd81b Merge pull request '[ACTIONS] skip superflous pull request synchronized event (#2314)' (#2338) from earl-warren/forgejo:wip-v1.21-superfluous into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2338
2024-02-13 12:37:58 +00:00
Earl Warren ce96379aef
[ACTIONS] skip superflous pull request synchronized event (#2314)
Skip a HookEventPullRequestSync event if it has the same CommitSHA as an existing HookEventPullRequest event in the ActionRun table. A HookEventPullRequestSync event must only create an ActionRun if the CommitSHA is different from what it was when the PR was open.

This guards against a race that can happen when the following is done in parallel:

* A commit C is pushed to a repo on branch B
* A pull request with head on branch B

it is then possible that the pull request is created first, successfully. The commit that was just pushed is not known yet but the PR only references the repository and the B branch so it is fine.

A HookEventPullRequest event is sent to the notification queue but not processed immediately.

The commit C is pushed and processed successfully. Since the PR already exists and has a head that matches the branch, the head of the PR is updated with the commit C and a HookEventPullRequestSync event is sent to the notification queue.

The HookEventPullRequest event is processed and since the head of the PR was updated to be commit C, an ActionRun with CommitSHA C is created.

The HookEventPullRequestSync event is then processed and also has a CommitSHA equal to C.

Refs: https://codeberg.org/forgejo/forgejo/issues/2009
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2314
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
(cherry picked from commit 7b4dba3aa0)

Conflicts:
	services/actions/notifier_helper.go
	tests/integration/actions_trigger_test.go
	trivial context conficts
	services/actions/main_test.go is different in v1.21
2024-02-13 12:00:27 +01:00
Earl Warren 5697a6e82f Merge pull request '[CI] pin go v1.21' (#2318) from earl-warren/forgejo:wip-v1.21-ci into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2318
2024-02-09 17:48:18 +00:00