Commit Graph

17021 Commits

Author SHA1 Message Date
Giteabot 1389fa8a99
Prevent automatic OAuth grants for public clients (#30790) (#30835)
Backport #30790 by archer-321

This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section
10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: Archer <archer@beezig.eu>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-05-02 20:39:48 +02:00
Lunny Xiao 87bd47cff3
Upgrade binding to fix bug (#30742)
Fix #30518
2024-05-02 13:01:16 +02:00
Kemal Zebari 0f2035d52f
Don't have `redis-cluster` as possible cache/session adapter in docs (#30794) (#30806) 2024-05-01 18:24:38 -04:00
6543 954962ca61
Get repo assignees and reviewers should ignore deactivated users (#30770) (#30783)
Backport https://github.com/go-gitea/gitea/pull/30770

If an user is deactivated, it should not be in the list of users who are
suggested to be assigned or review-requested.

old assignees or reviewers are not affected.

---
*Sponsored by Kithara Software GmbH*
2024-04-30 15:20:34 +02:00
Zettat123 aa3c76159a
Fix duplicate status check contexts (#30660) (#30776)
Backport #30660.

Caused by #30076.

There may be some duplicate status check contexts when setting status
checks for a branch protection rule. The duplicate contexts should be
removed.

Before:
<img

src="https://github.com/go-gitea/gitea/assets/15528715/97f4de2d-4868-47a3-8a99-5a180f9ac0a3"
width="600px" />

After:
<img

src="https://github.com/go-gitea/gitea/assets/15528715/ff7289c5-9793-4090-ba31-e8cb3c85f8a3"
width="600px" />
2024-04-30 16:01:57 +08:00
Giteabot 224c48e16b
Suppress browserslist warning in webpack target (#30571) (#30727)
Backport #30571 by @silverwind

1. Set
[`BROWSERSLIST_IGNORE_OLD_DATA`](c6ddf7b387/node.js (L400))
to avoid warning on outdated browserslist data which the end user can
likely not do anything about and which is currently visible in the v1.21
branch.
2. Suppress all command echoing and add a "Running webpack..." message
in place.

Warning in question was this:

```
Browserslist: caniuse-lite is outdated. Please run:
  npx update-browserslist-db@latest
  Why you should do it regularly: https://github.com/browserslist/update-db#readme
```

Co-authored-by: silverwind <me@silverwind.io>
2024-04-27 22:06:06 +08:00
silverwind 7aba99af5e
Update mermaid and its dependencies (#30714)
Update mermaid and its dependencies on v1.21. Should fix
https://github.com/go-gitea/gitea/issues/30596 because it includes the
fixed version of the `cytoscape` indirect dependency.
2024-04-27 03:30:14 -04:00
silverwind c5f37af8cd
Update generate-images dependencies and rebuild (#30689)
This upgrades `generate-images.js` on v1.21 to the latest version from
main branch and I ran it which generated some minor diff in the SVGs. It
fixes one issue mentioned in
https://github.com/go-gitea/gitea/issues/30596#issuecomment-2075483451
by removing `--no-package-lock`.
2024-04-25 18:30:33 +02:00
sillyguodong 7aa8b8e2d2
Interpolate runs-on with variables when scheduling tasks(#30640) (#30672)
backport: #30640

Co-authored-by: Giteabot <teabot@gitea.io>
2024-04-24 22:37:05 +02:00
Zettat123 ddf64b84e4
Add a db consistency check to remove runners that do not belong to a repository (#30614) (#30653)
Backport #30614
2024-04-24 00:08:06 +00:00
Christoph Lange 03518d3e18
DOC: in ssh forwarding, user git must be allowed to run docker (#29634)
Added to doc for rootless Docker installation: for SSH passthrough, the
ssh user (git) has to be able to run docker.

---------

Co-authored-by: techknowlogick <matti@mdranta.net>
2024-04-23 14:08:58 -04:00
Lunny Xiao fcdc57d811
Fix wrong table name (#30557) (#30652)
Backport #30557 

The table name should be `oauth2_application` but `o_auth2_application`

Caused by

https://github.com/go-gitea/gitea/pull/21316/files#diff-9610efbc608a41f1f2eaff5790423f0a187906f6ff0beb23a5e8d18366cc2ccfR38
2024-04-23 09:44:31 +00:00
Lunny Xiao f394cd70ac
Show more settings for empty repositories (#29130) (#30635)
Fix #30620 
Manullay Backport #29130

Shows more settings for empty repositories (Fixes #29060)

Co-authored-by: Tim-Nicas Oelschläger <72873130+zokkis@users.noreply.github.com>
2024-04-23 17:15:44 +08:00
wxiaoguang 32f895f2d7
Fix queue test (#30646) (#30650)
Backport #30553 and #30646
2024-04-23 08:30:32 +00:00
Lunny Xiao d95408bd5d
Use maintained gziphandler (#30592) (#30638)
Replace #27894
Backport #30592

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-23 02:39:27 +00:00
Lunny Xiao 1c1c94b061
Enable npm cache on `setup-node` action (#30577) (#30590)
Backport #30577 

Enable npm dependency cache in
[setup-node](https://github.com/actions/setup-node). This should work
reliably and across branches as well.

---------

Co-authored-by: silverwind <me@silverwind.io>
2024-04-22 14:27:13 +08:00
Giteabot 0e20ccfe32
Use action user as the trigger user of schedules (#30581) (#30609)
Backport #30581 by @yp05327

Follow https://github.com/go-gitea/gitea/pull/30357

When user push to default branch, the schedule trigger user will be the
user.
When disable then enable action units in settings, the schedule trigger
user will be action user.
When repo is a mirror, the schedule trigger user will be action user. (
before it will return error, fixed by #30357)

As scheduled job is a cron, the trigger user should be action user from
Gitea, not a real user.

Co-authored-by: yp05327 <576951401@qq.com>
2024-04-20 10:46:17 +08:00
Giteabot 08822651a6
Fix commit file status parser (#30602) (#30606)
Backport #30602 by wxiaoguang

Try to fix  #30492

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-19 15:16:02 +00:00
Giteabot 79484e1cb7
Fix HEAD method for robots.txt (#30603) (#30604)
Backport #30603 by wxiaoguang

Fix #30601
2024-04-19 22:43:50 +08:00
wxiaoguang 667427b4b9
Fix project description rendering for org (#30587) (#30599)
Backport #30587

Manually tested with 1.21:



![image](https://github.com/go-gitea/gitea/assets/2114189/fbe9a2c9-0563-4d69-bcdb-8e5e41f288a1)
2024-04-19 13:28:18 +00:00
wxiaoguang 2566f6ce8a
Fix changelog (1.21) (#30583) 2024-04-19 10:20:09 +00:00
Giteabot 944f1ec54c
Avoid importing `modules/web/middleware` in `modules/session` (#30584) (#30588)
Backport #30584 by @wolfogre

Related to #30375.

It doesn't make sense to import `modules/web/middleware` and
`modules/setting` in `modules/web/session` since the last one is more
low-level.

And it looks like a workaround to call `DeleteLegacySiteCookie` in
`RegenerateSession`, so maybe we could reverse the importing by
registering hook functions.

Co-authored-by: Jason Song <i@wolfogre.com>
2024-04-19 09:18:11 +02:00
Giteabot a05d098a37
Fixup app.example.ini for task section, which is now queue.task (#30555) (#30562)
Backport #30555 by xor-gate

Config section `[task]` has been deprecated in favor of `[queue.task]`

Co-authored-by: Jerry Jacobs <xor-gate@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-18 15:15:50 +02:00
Giteabot 332ee359ce
Disable enter key for accepting code completion in Monaco (#30548) (#30558)
Backport #30548 by @silverwind

Fixes https://github.com/go-gitea/gitea/issues/28114 and behaviour
matches vscode on desktop as well.

Co-authored-by: silverwind <me@silverwind.io>
2024-04-18 11:38:24 +02:00
yp05327 a82bf022bf
Fix empty field login_name in API response JSON when creating user (#30511) (#30532)
Backport #30511
Fix ci error in #30515
2024-04-17 11:06:12 +02:00
Lunny Xiao acdcfcc6eb
Fix cache bug (#30510)
Cache cannot be disabled from v1.22. So it still maybe `nil` in v1.21,
we have to check whether cache is `nil`.
2024-04-16 10:59:15 +08:00
Lunny Xiao 727b1914b4
Update 1.21.11 changelog (#30403)
Add #30394 into changelog

---------

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: yp05327 <576951401@qq.com>
2024-04-16 10:10:47 +08:00
Lunny Xiao 60181eb599
Fix code owners will not be mentioned when a pull request comes from a forked repository (#30476) (#30497)
Backport #30476 
Fix #30277
Caused by #29783
2024-04-16 08:27:01 +08:00
Lunny Xiao a0ca311165
Fix commit status cache which missed target_url (#30426) (#30445)
Fix #30421
Backport #30426

Co-authored-by: Jason Song <i@wolfogre.com>
2024-04-15 07:43:20 +00:00
Lunny Xiao 430fe6c0c1
Avoid losing token when updating mirror settings (#30429) (#30466)
Fix #30416.
Backport #30429 

Before (it shows as "Unset" while there's a token):

<img width="980" alt="image"

src="https://github.com/go-gitea/gitea/assets/9418365/d7148e3e-62c9-4d2e-942d-3d795b79515a">

After:

<img width="977" alt="image"

src="https://github.com/go-gitea/gitea/assets/9418365/24aaa1db-5baa-4204-9081-470b15ea72b5">

The username shows as "oauth2" because of

f9fdac9809/services/migrations/dump.go (L99)

I have checked that all usage of `MirrorRemoteAddress` has been updated.

<img width="1806" alt="image"

src="https://github.com/go-gitea/gitea/assets/9418365/2f042501-2824-4511-9203-c84a6731a02d">

However, it needs to be checked again when backporting.

Co-authored-by: Jason Song <i@wolfogre.com>
2024-04-15 11:29:42 +08:00
Lunny Xiao b6379d2f16
Change the default maxPerPage for gitbucket (#30392) (#30471)
Backport #30392 

This patch improves the migration from gitbucket to gitea.

The gitbucket uses it's own internal perPage value (= 25) for paging and
ignore per_page arguments in the requested URL. This cause gitea to
migrate only 25 issues and 25 PRs from gitbucket repository. This may
not happens on old gitbucket. But recent gitbucket 4.40 or 4.38.4 has
this problem.

This patch change to use this internally hardcoded perPage of gitbucket
as gitea's maxPerPage numer when migrating from gitbucket. There are
several perPage values in gitbucket like 25 for Isseus/PRs and 10 for
Releases. Some of those API doesn't support paging yet. It sounds
difficult to implement, but using the minimum number among them worked
out very well. So, I use 10 in this patch.

Brief descriptions of problems and this patch are also available in
https://github.com/go-gitea/gitea/issues/30316.

In addition, I'm not sure what kind of test cases are possible to write
here. It's a test for migration, so it requires testing gitbucket server
and gitea server, I guess. Please let me know if it is possible to write
such test cases here. Thanks!

Co-authored-by: Kazushi (Jam) Marukawa <jam@pobox.com>
2024-04-14 12:42:50 +00:00
yp05327 928c0d4f46
Fix mirror error when mirror repo is empty (#30432) (#30467)
Backport #30432
Fix https://github.com/go-gitea/gitea/issues/30424

ps: convert `gitrepo.OpenRepository` to `git.OpenRepository`
remove `ctx` from `checkAndUpdateEmptyRepository`

Co-authored-by: Giteabot <teabot@gitea.io>
2024-04-14 14:18:06 +02:00
Giteabot 222d16e6ea
fix: Fix to delete cookie when AppSubURL is non-empty (#30375) (#30468)
Backport #30375 by @jtran

Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons
(eg: changed CookiePath behavior in code). The legacy cookie should be
removed correctly.

Co-authored-by: Jonathan Tran <jonnytran@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
2024-04-14 13:45:51 +02:00
Lunny Xiao 09df5c9c7d
Use db.ListOptions directly instead of Paginator interface to make iteasier to use and fix performance of /pulls and /issues (#29990) (#30447)
backport #29990

This PR uses `db.ListOptions` instead of `Paginor` to make the code
simpler.
And it also fixed the performance problem when viewing /pulls or
/issues. Before the counting in fact will also do the search.

Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: silverwind <me@silverwind.io>
2024-04-13 17:44:57 +00:00
Lunny Xiao fc4e08f804
Upgrade go-sqlite to v1.14.22 (#30462) 2024-04-13 08:33:50 -05:00
Giteabot 68bd1dd89d
Fix rename branch 500 when the target branch is deleted but exist in database (#30430) (#30437)
Backport #30430 by @lunny

Fix #30428

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-04-12 23:09:16 +08:00
Zettat123 55990ebf92
Check the token's owner and repository when registering a runner (#30406) (#30412)
Backport #30406

Fix #30378
2024-04-11 11:29:53 +00:00
Giteabot 245e8d10c2
Avoid user does not exist error when detecting schedule actions when the commit author is an external user (#30357) (#30408)
Backport #30357 by @yp05327


![image](https://github.com/go-gitea/gitea/assets/18380374/ddf6ee84-2242-49b9-b066-bd8429ba4d76)

When repo is a mirror, and commit author is an external user, then
`GetUserByEmail` will return error.

reproduce/test:
- mirror Gitea to your instance
- disable action and enable it again, this will trigger
`DetectAndHandleSchedules`

ps: also follow #24706, it only fixed normal runs, not scheduled runs.

Co-authored-by: yp05327 <576951401@qq.com>
2024-04-11 15:39:27 +08:00
Giteabot 529604a044
Update actions variables documents (#30394) (#30404)
Backport #30394 by @lunny

Fix #30393

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Zettat123 <zettat123@gmail.com>
2024-04-11 12:04:21 +08:00
Jason Song 6cfe67cfc3
No global variables (#30402)
Fix #30361, regression of #29782 which is a backport, not the original
#29468.

#29468 did a small refactor which introduced a new function
`GetVariablesOfRun`. However, it's designed for v1.22 which supports
global variables.

After backporting it to v1.21, it will still try to get global
variables, which causes it to retrieve all variables.
2024-04-11 03:25:05 +00:00
Lunny Xiao 9149221845
Add changelog for 1.21.11 (#30314)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-11 10:52:02 +08:00
Lunny Xiao 6e3aaa9975
Performance optimization for git push (#30104) (#30354)
Agit returned result should be from `ProcReceive` hook but not
`PostReceive` hook. Then for all non-agit pull requests, it will not
check the pull requests for every pushing `refs/pull/%d/head`.

Backport #30104
2024-04-10 14:12:19 +08:00
Lunny Xiao 3f6ddd9bee
Fix create commit status (#30225) (#30340)
Partially backport #30223

This PR uses the service layer `CreateCommitstatus` method instead of
the git model method.
2024-04-08 23:30:55 +00:00
Lunny Xiao 65d96725bb
Fix possible renderer security problem(#30136) (#30315)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-09 00:24:35 +02:00
Giteabot 4588c7b705
Close file in the Upload func (#30262) (#30269)
Co-authored-by: guangwu <guoguangwu@magic-shield.com>
2024-04-03 15:20:18 +00:00
Giteabot 47de6e3b54
Add -u git to docs when using docker exec with root installation (#29314) (#30264)
Backport #29314 by @scribblemaniac

This fixes a minor issue in the documentation for SSH Container
Passthrough for non-rootless installs. The non-rootless Dockerfile and
docker-compose do not set `USER`/`user` instructions so `docker exec`
will run as root by default. While running as root, gitea commands will
refuse to execute, breaking these approaches. For containers built with
the rootless instructions, `docker exec` will run as git by default so
this is not necessary in that case.

This issue was already discussed in #19065, but it does not appear this
part of the issue was ever added to the documentation.

Co-authored-by: scribblemaniac <scribblemaniac@users.noreply.github.com>
2024-04-03 13:44:11 +00:00
Giteabot 5123ed3191
Fixes #27605: inline math blocks can't be preceeded/followed by alphanumerical characters (#30175) (#30250)
Backport #30175 by @jmlt2002

- Inline math blocks couldn't be preceeded or succeeded by
alphanumerical characters due to changes introduced in PR #21171.
Removed the condition that caused this (precedingCharacter condition)
and added a new exit condition of the for-loop that checks if a specific
'$' was escaped using '\' so that the math expression can be rendered as
intended.
- Additionally this PR fixes another bug where math blocks of the type
'$xyz$abc$' where the dollar sign was not escaped by the user, generated
an error (shown in the screenshots below)
- Altered the tests to accomodate for the changes

Former behaviour (from try.gitea.io):

![image](https://github.com/go-gitea/gitea/assets/114936010/8f0cbb21-321d-451c-b871-c67a8e1e9235)

Fixed behaviour (from my local build):

![image](https://github.com/go-gitea/gitea/assets/114936010/5c22687c-6f11-4407-b5e7-c14b838bc20d)

(Edit) Source code for the README.md file:
```
$x$ -$x$ $x$-

a$xa$ $xa$a 1$xb$ $xb$1

$a a$b b$

a$b $a a$b b$

$a a\$b b$
```

Signed-off-by: João Tiago <joao.leal.tintas@tecnico.ulisboa.pt>
Co-authored-by: João Tiago <114936010+jmlt2002@users.noreply.github.com>
2024-04-03 06:06:39 +00:00
Giteabot 9f2a1a55e6
Add -u git to docs when using docker exec with root installation (#29314) (#30258)
Backport #29314 by @scribblemaniac

This fixes a minor issue in the documentation for SSH Container
Passthrough for non-rootless installs. The non-rootless Dockerfile and
docker-compose do not set `USER`/`user` instructions so `docker exec`
will run as root by default. While running as root, gitea commands will
refuse to execute, breaking these approaches. For containers built with
the rootless instructions, `docker exec` will run as git by default so
this is not necessary in that case.

This issue was already discussed in #19065, but it does not appear this
part of the issue was ever added to the documentation.

Co-authored-by: scribblemaniac <scribblemaniac@users.noreply.github.com>
2024-04-03 01:44:13 -04:00
Giteabot 935bfe6445
Fix missing 0 prefix of GPG key id (#30245) (#30247)
Backport #30245 by @KN4CK3R

Fixes #30235

If the key id "front" byte has a single digit, `%X` is missing the 0
prefix.
` 38D1A3EADDBEA9C` instead of
`038D1A3EADDBEA9C`
When using the `IssuerFingerprint` slice `%X` is enough but I changed it
to `%016X` too to be consistent.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-04-02 16:13:07 +00:00
Giteabot 2ac78c75d0
Include encoding in signature payload (#30174) (#30181)
Backport #30174 by @KN4CK3R

Fixes #30119

Include the encoding in the signature payload.

before

![grafik](https://github.com/go-gitea/gitea/assets/1666336/01ab94a3-8af5-4d6f-be73-a10b65a15421)

after

![grafik](https://github.com/go-gitea/gitea/assets/1666336/3a37d438-c70d-4d69-b178-d170e74aa683)

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2024-04-01 09:47:11 +08:00