Commit Graph

344 Commits

Author SHA1 Message Date
silverwind b270b30aeb
Update `golang.org/x/image` to v0.18.0 (#31541)
Result of `go get -u  golang.org/x/image && make tidy`

Fixes: https://github.com/go-gitea/gitea/security/dependabot/67
2024-07-02 15:41:14 -04:00
techknowlogick a4899ffa24
bump golang deps (#31422) 2024-06-24 13:26:42 +00:00
Yarden Shoham 9c8092807a
Switch to upstream of `gorilla/feeds` (#31400)
They merged the PR we waited for.

- Reference: https://github.com/gorilla/feeds/pull/107
- Follows: https://github.com/go-gitea/gitea/pull/28860

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-06-18 16:05:28 +08:00
silverwind 24dace8f76
Update `golang.org/x/net` (#31260)
Result of `go get -u golang.org/x/net && make tidy`. ~~Fixes
https://pkg.go.dev/vuln/GO-2024-2887.~~
2024-06-06 04:29:42 +00:00
silverwind 6a3c487d07
Add replacement module for `mholt/archiver` (#31267)
Switch to this fork tag:
https://github.com/anchore/archiver/releases/tag/v3.5.2 which includes
82ca88a2eb.

Ref: https://pkg.go.dev/vuln/GO-2024-2698
Ref: https://github.com/advisories/GHSA-rhh4-rh7c-7r5v

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2024-06-06 03:37:08 +00:00
silverwind a7557494ca
Update chroma to v2.14.0 (#31177)
https://github.com/alecthomas/chroma/releases/tag/v2.14.0

Tested it with a typescript file.
2024-06-04 05:34:34 +00:00
Lunny Xiao fb7b743bd0
Azure blob storage support (#30995)
This PR implemented object storages(LFS/Packages/Attachments and etc.)
for Azure Blob Storage. It depends on azure official golang SDK and can
support both the azure blob storage cloud service and azurite mock
server.

Replace #25458
Fix #22527 

- [x] CI Tests
- [x] integration test, MSSQL integration tests will now based on
azureblob
  - [x] unit test 
- [x] CLI Migrate Storage
- [x] Documentation for configuration added

------

TODO (other PRs):
- [ ] Improve performance of `blob download`.

---------

Co-authored-by: yp05327 <576951401@qq.com>
2024-05-30 07:33:50 +00:00
silverwind 9235442ba5
Remove external API calls in `TestPassword` (#30716)
The test had a dependency on `https://api.pwnedpasswords.com` which
caused many failures on CI recently:

```
--- FAIL: TestPassword (2.37s)
    pwn_test.go:41: Get "https://api.pwnedpasswords.com/range/e6b6a": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
FAIL
coverage: 82.9% of statements
```
2024-05-02 14:43:23 +00:00
Lunny Xiao cb9e1a3ff6
Upgrade chi-binding (#30826)
Front port #30742
2024-05-02 14:09:38 +00:00
Chongyi Zheng b2013be910
Bump `github.com/google/go-github` to v61 (#30738) 2024-04-28 01:20:23 -04:00
Lunny Xiao e865de1e9d
Use maintained gziphandler (#30592)
Replace #27894

---------

Co-authored-by: delvh <dev.lh@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2024-04-21 00:53:45 +00:00
Lunny Xiao f0bfad29ea
Replace MSSQL driver with a better maintained version (#30390)
As the latest tag of `github.com/denisenkom/go-mssqldb` is in 2022, but
as a fork of it, `github.com/microsoft/go-mssqldb` has more activities
than the original repository. We can convert the driver to the fork.

Since the interface of Go database driver are the same, it should have
no any affect for the end users.
2024-04-11 01:12:40 +00:00
silverwind 95504045cc
Upgrade `golang.org/x/net` to v0.24.0 (#30283)
Result of `go get -u golang.org/x/net; make tidy`.

This is related to the following vulncheck warning:
```
There are 2 vulnerabilities in modules that you require that are
neither imported nor called. You may not need to take any action.
See https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck for details.

Vulnerability #1: GO-2024-2687
    HTTP/2 CONTINUATION flood in net/http
  More info: https://pkg.go.dev/vuln/GO-2024-2687
  Module: golang.org/x/net
    Found in: golang.org/x/net@v0.22.0
    Fixed in: golang.org/x/net@v0.23.0

Vulnerability #2: GO-2022-0470
    No access control in github.com/blevesearch/bleve and bleve/v2
  More info: https://pkg.go.dev/vuln/GO-2022-0470
  Module: github.com/blevesearch/bleve/v2
    Found in: github.com/blevesearch/bleve/v2@v2.3.10
    Fixed in: N/A
```
2024-04-05 02:45:59 +00:00
wxiaoguang abb330e613
Upgrade Go 1.22 and upgrade dependency (#29869) 2024-03-17 15:40:05 +00:00
JakobDev 3e7ae79f99
Update Chroma to v2.13.0 (#29732)
This adds new lexers and includes some fixes. See
https://github.com/alecthomas/chroma/releases/tag/v2.13.0 for the full
changelog.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2024-03-12 22:40:43 +01:00
sillyguodong a1f5dd7677
Make runs-on support variable expression (#29468)
As title.
Close issue: https://gitea.com/gitea/act_runner/issues/445
Follow: https://gitea.com/gitea/act/pulls/91

Move `getSecretsOfTask` and `getVariablesOfTask` under `models` because
of circular dependency issues.
2024-03-08 06:14:35 +00:00
wxiaoguang 29a8c8de77
Partially enable MSSQL case-sensitive collation support (#29238)
Follow #28662
2024-03-08 03:19:35 +00:00
techknowlogick 06039bf0b7
bump protobuf module (#29617) 2024-03-05 20:35:29 -05:00
6543 4ba642d07d
Revert "Support SAML authentication (#25165)" (#29358)
This reverts #25165 (5bb8d1924d), as there
was a chance some important reviews got missed.

so after reverting this patch it will be resubmitted for reviewing again

https://github.com/go-gitea/gitea/pull/25165#issuecomment-1960670242

temporary Open #5512 again
2024-02-24 12:18:49 +08:00
techknowlogick 5bb8d1924d
Support SAML authentication (#25165)
Closes https://github.com/go-gitea/gitea/issues/5512

This PR adds basic SAML support
- Adds SAML 2.0 as an auth source
- Adds SAML configuration documentation
- Adds integration test:
- Use bare-bones SAML IdP to test protocol flow and test account is
linked successfully (only runs on Postgres by default)
- Adds documentation for configuring and running SAML integration test
locally

Future PRs:
- Support group mapping
- Support auto-registration (account linking)

Co-Authored-By: @jackHay22

---------

Co-authored-by: jackHay22 <jack@allspice.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Jason Song <i@wolfogre.com>
Co-authored-by: morphelinho <morphelinho@users.noreply.github.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: silverwind <me@silverwind.io>
2024-02-23 00:08:17 +00:00
KN4CK3R ba24e0ba61
Use new RPM constants (#28931)
https://github.com/sassoftware/go-rpmutils/pull/24 got merged.
2024-01-25 21:40:24 +00:00
wxiaoguang 82acf22d9c
Update go dependencies and fix go-git (#28893)
More details are in the comment of repo_base_gogit.go

And ref: https://github.com/go-git/go-git/issues/1006
2024-01-23 05:40:00 +00:00
Lunny Xiao 4abd63d378
Upgrade xorm to v1.3.7 to fix a resource leak problem caused by Iterate (#28891)
Mainly fix an error https://gitea.com/xorm/xorm/issues/2393
2024-01-22 18:24:55 +08:00
Yarden Shoham 5574968ecb
Set the `isPermaLink` attribute to `false` in the `guid` sub-element (#28860)
Our `guid` is not a valid URL so according to the RSS spec the
`isPermaLink` attribute needs to be set to `false`.

Example:
```diff
<item>
  <title>yardenshoham opened issue &lt;a href=&#34;https://3000-yardenshoham-gitea-jqlxjixsez9.ws-us107.gitpod.io/yardenshoham/test/issues/2&#34;&gt;yardenshoham/test#2&lt;/a&gt;</title>
  <link>https://3000-yardenshoham-gitea-jqlxjixsez9.ws-us107.gitpod.io/yardenshoham/test/issues/2</link>
  <description>2#hey</description>
  <content:encoded><![CDATA[2#hey]]></content:encoded>
  <author>yardenshoham</author>
- <guid>355: https://3000-yardenshoham-gitea-jqlxjixsez9.ws-us107.gitpod.io/yardenshoham/test/issues/2</guid>
+ <guid isPermaLink="false">355: https://3000-yardenshoham-gitea-jqlxjixsez9.ws-us107.gitpod.io/yardenshoham/test/issues/2</guid>
  <pubDate>Tue, 16 Jan 2024 18:54:36 +0000</pubDate>
</item>
```

References:
-
https://www.rssboard.org/rss-specification#ltguidgtSubelementOfLtitemgt
- Fixes https://github.com/go-gitea/gitea/issues/28734
- https://github.com/gorilla/feeds/issues/78
- https://github.com/go-gitea/gitea/pull/21550
- https://github.com/gorilla/feeds/pull/107

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
2024-01-20 02:38:16 +00:00
Chongyi Zheng fee80a1847
Update github.com/cloudflare/circl (#28789)
cloudflare/circl: https://github.com/advisories/GHSA-9763-4f94-gfch

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-01-15 11:14:26 +08:00
wxiaoguang 2df7563f31
Recommend/convert to use case-sensitive collation for MySQL/MSSQL (#28662)
Mainly for MySQL/MSSQL.

It is important for Gitea to use case-sensitive database charset
collation. If the database is using a case-insensitive collation, Gitea
will show startup error/warning messages, and show the errors/warnings
on the admin panel's Self-Check page.

Make `gitea doctor convert` work for MySQL to convert the collations of
database & tables & columns.

* Fix #28131

## ⚠️ BREAKING ⚠️

It is not quite breaking, but it's highly recommended to convert the
database&table&column to a consistent and case-sensitive collation.
2024-01-10 11:03:23 +00:00
Lunny Xiao da58bb85fa
Upgrade xorm to new version which supported update join for all supported databases (#28590)
Fix https://github.com/go-gitea/gitea/pull/28547#issuecomment-1867740842

Since https://gitea.com/xorm/xorm/pulls/2383 merged, xorm now supports
UPDATE JOIN.
To keep consistent from different databases, xorm use
`engine.Join().Update`, but the actural generated SQL are different
between different databases.

For MySQL, it's `UPDATE talbe1 JOIN table2 ON join_conditions SET xxx
Where xxx`.

For MSSQL, it's `UPDATE table1 SET xxx FROM TABLE1, TABLE2 WHERE
join_conditions`.

For SQLITE per https://www.sqlite.org/lang_update.html, sqlite support
`UPDATE table1 SET xxx FROM table2 WHERE join conditions` from
3.33.0(2020-8-14).

POSTGRES is the same as SQLITE.
2023-12-31 05:00:35 +00:00
wxiaoguang 11f0519ad8
Update go dependencies (#28518)
Update golang.org/x/crypto for CVE-2023-48795 and update other packages.
`go-git` is not updated because it needs time to figure out why some
tests fail.
2023-12-19 09:18:42 +08:00
Yevhen Pavlov cd2ff6e83d
Bump google/go-github to v57 (#28514) 2023-12-18 15:42:04 -06:00
wxiaoguang 047c69bd85
Improve CLI code and descriptions (#28482)
* Close #28444 
* Actually, it doesn't need to use that trick because it looks like it
is not necessary, no user really needs it
* Remove the hidden (legacy) "doctor" subcommand and update documents
* Fix "actions" usage


![image](https://github.com/go-gitea/gitea/assets/2114189/3c2b34a7-4f92-4a6c-96fd-9505e413d4ec)
2023-12-15 15:49:01 +00:00
Earl Warren da0c4b8d10
Remove SSH workaround (#27893)
Revert the workaround of #26409 and fix #26411, update github.com/gliderlabs/ssh to include 02f9d57300
2023-11-03 15:21:05 +00:00
Nanguan Lin e75b89ea6e
Upgrade xorm to 1.3.4 (#27807)
Noticeable change: 
Remove the `OrderBy("1") `
[patch](https://github.com/go-gitea/gitea/pull/27673#issuecomment-1768570142)
for mssql since xorm has [fixed
it](0f085408af).
2023-10-27 13:28:53 +02:00
bt90 8d6577dabd
Chroma v2.10.0 (#27803)
Bump the chroma version to v2.10.0:
https://github.com/alecthomas/chroma/releases/tag/v2.10.0

This release includes a better Java lexer
https://github.com/alecthomas/chroma/pull/873
2023-10-26 23:42:24 +02:00
Nanguan Lin e91d4f106b
Upgrade xorm (#27673)
Related to https://gitea.com/xorm/xorm/pulls/2341
2023-10-19 10:25:57 +00:00
Chongyi Zheng b5a4ec0fb1
Upgrade go dependencies (#27599)
Upgrade all dependencies in `go.mod`

`golang.org/x/net` v0.17.0 also fixes
[CVE-2023-39325](https://github.com/advisories/GHSA-4374-p667-p6c8)

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-10-13 16:11:15 +00:00
silverwind e51f96829f
Downgrade `go-co-op/gocron` to v1.31.1 (#27511) 2023-10-07 18:54:02 -04:00
techknowlogick e3229c8e9b
bump go-deps (#27489) 2023-10-07 05:55:08 +00:00
techknowlogick 9e446dbf04
bump bleve (#27300)
Co-authored-by: yp05327 <576951401@qq.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-09-27 07:10:58 +00:00
delvh da0467e3b6
Update go-enry to 2.8.5 (#27215)
Fixes #27214
2023-09-23 13:09:01 -04:00
silverwind 539ecc24a3
Update chroma to v2.9.1 (#26990) 2023-09-09 14:37:38 +00:00
wxiaoguang fc039167d2
Use Go 1.21 and update dependencies (#26878)
To make sure Gitea's next release's lifecycle could have active Golang
support.

And min/max are builtin now.
2023-09-03 10:34:57 +00:00
wxiaoguang 1432d4eab9
Update go dependencies (#26534) 2023-08-16 12:02:40 +00:00
Lunny Xiao cad22512b8
Upgrade x/net to 0.13.0 (#26297) 2023-08-03 08:29:57 +00:00
Lunny Xiao c7f6e9fc2f
Update xorm version (#26128)
Test new xorm version compatible with Gitea

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-07-25 20:27:44 +00:00
Chongyi Zheng f2138d6968
Replace gogs/cron with go-co-op/gocron (#25977)
Replace `github.com/gogs/cron` with `github.com/go-co-op/gocron` as the
former package is not maintained for many years.

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-07-24 04:13:41 +00:00
wxiaoguang d0dbe52e76
Refactor to use urfave/cli/v2 (#25959)
Replace #10912

And there are many new tests to cover the CLI behavior

There were some concerns about the "option order in hook scripts"
(https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314),
it's not a problem now. Because the hook script uses `/gitea hook
--config=/app.ini pre-receive` format. The "config" is a global option,
it can appear anywhere.

----

## ⚠️ BREAKING ⚠️

This PR does it best to avoid breaking anything. The major changes are:

* `gitea` itself won't accept web's options: `--install-port` / `--pid`
/ `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's
options.
    * Use `./gitea web --pid ....` instead
* `./gitea` can still run the `web` sub-command as shorthand, with
default options
* The sub-command's options must follow the sub-command
* Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd
--sub-opt` (well, might not ...)
    * After: only `./gitea subcmd --sub-opt` could be used
    * The global options like `--config` are not affected
2023-07-21 17:28:19 +08:00
harryzcy ec227d6682
Remove nfnt/resize and oliamb/cutter (#25999)
The package `github.com/nfnt/resize` is deprecated and archived by the
author. `github.com/oliamb/cutter` is not maintained since 2018. We
could use `golang.org/x/image/draw` instead.
2023-07-20 19:52:42 +08:00
harryzcy 0f9f6567bb
Bump github.com/golang-jwt/jwt to v5 (#25975)
Bumping `github.com/golang-jwt/jwt` from v4 to v5.

`github.com/golang-jwt/jwt` v5 is bringing some breaking changes:

- standard `Valid()` method on claims is removed. It's replaced by
`ClaimsValidator` interface implementing `Validator()` method instead,
which is called after standard validation. Gitea doesn't seem to be
using this logic.
- `jwt.Token` has a field `Valid`, so it's checked in `ParseToken`
function in `services/auth/source/oauth2/token.go`

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-19 09:57:10 +00:00
KN4CK3R 8af96f585f
Disallow dangerous url schemes (#25960)
Regression: https://github.com/go-gitea/gitea/pull/24805
Closes: #25945

- Disallow `javascript`, `vbscript` and `data` (data uri images still
work) url schemes even if all other schemes are allowed
- Fixed older `cbthunderlink` tests

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-07-18 15:18:37 +00:00
harryzcy c5e187c389
Upgrade go dependencies (#25819) 2023-07-14 11:00:31 +08:00