Commit graph

17049 commits

Author SHA1 Message Date
Gusted
fe2df46d05
[SECURITY] Fix XSS in dismissed review
- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.
2024-02-22 15:04:36 +01:00
Gusted
92dae3a387
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
2024-02-22 15:04:11 +01:00
Gusted
d24c37e132
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
trough `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited, the names of authors and commiters on a Git
commit is user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do use, as they actually strip `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as they don't have such restrictions.
- Pass `.Author.Name` trough `Escape` in order to be sanitized.
2024-02-22 13:04:47 +01:00
jolheiser
33af169223
[SECURITY] review(kn4ck3r): more template escapes
Signed-off-by: jolheiser <john.olheiser@gmail.com>
2024-02-22 12:54:34 +01:00
Earl Warren
2c567ea193 Merge pull request '[BUG] Initialize Git for hook regeneration' (#2421) from gusted/forgejo-bp-2416 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2421
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-21 14:41:45 +00:00
Gusted
2fb2e832c5
[BUG] Initalize Git for hook regeneration
- Backport of #2416
- The hook regeneration code relies on `git.SupportProcReceive` being
set to determine if the `proc-receive` hook should be written, this
variable is set when the git module is initialized.
- Resolves #2414

(cherry picked from commit 815abad84c)
2024-02-21 14:43:43 +01:00
Earl Warren
ceca25d374 Merge pull request '[gitea] v1.21 cherry-pick' (#2407) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2407
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-20 15:47:19 +00:00
Earl Warren
44906f85f7 Merge pull request '[SEMVER] 6.0.6+0-gitea-1.21.6' (#2409) from earl-warren/forgejo:wip-v1.21-semver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2409
2024-02-20 11:22:31 +00:00
Earl Warren
5e31d1f37f
[SEMVER] 6.0.6+0-gitea-1.21.6 2024-02-20 10:41:03 +01:00
6543
8377ecbfe1
Workaround to clean up old reviews on creating a new one (#28554) (#29264)
close  #28542
backport #28554

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit c01b266d8680a270b1e8067e757ed25be38eea24)
2024-02-20 09:39:02 +01:00
Jason Song
861d0b9689
Do not use lower tag names to find releases/tags (#29261) (#29262)
Backport #29261.

Fix #26090, see
https://github.com/go-gitea/gitea/issues/26090#issuecomment-1952013206

Since `TagName` stores the original tag name and `LowerTagName` stores
the lower tag name, it doesn't make sense to use lowercase tags as
`TagNames` in `FindReleasesOptions`.

5e72526da4/services/repository/push.go (L396-L397)

While the only other usage looks correct:

5e72526da4/routers/web/repo/repo.go (L416)
(cherry picked from commit f79530c50ee1c7833cae13e56531e5d1fd66f5ba)
2024-02-20 09:36:37 +01:00
Tim-Nicas Oelschläger
a40762d929
Convert visibility to number (#29226) (#29244)
Backport #29226

Don't throw error while creating user (Fixes #29218)

---

The backport info from Giteabot
https://github.com/go-gitea/gitea/pull/29226#issuecomment-1951341322
needs to specify the version, because the default is v1.18

(cherry picked from commit 39735c43a8b6f7db3b3e3531ca9115a60335d524)
2024-02-20 09:36:28 +01:00
Lunny Xiao
8782275c9c
Fix push to create with capitalize repo name (#29090) (#29206)
Fix #29073
Backport #29090

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 933cc4da642c13b18423be99574944c43cc558c7)
2024-02-20 09:28:32 +01:00
KN4CK3R
aced7547c2
Use ghost user if user was not found (#29161) (#29169)
Backport #29161

(cherry picked from commit d823465d94b3b43945eace060000db9334eca52d)
2024-02-20 09:26:13 +01:00
6543
d3846df1f9
Dont load Review if Comment is CommentTypeReviewRequest (#28551) (#29160)
Backport #28551

RequestReview get deleted on review.
So we don't have to try to load them on comments.

(cherry picked from commit 0ac3186267b717bce7076ef44f883df7720d7a2d)
2024-02-20 09:22:26 +01:00
Earl Warren
60a4c05d23 Merge pull request '[BUG] Restrict when to make link absolute in markdown' (#2406) from gusted/forgejo-bp-2403 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2406
Reviewed-by: Otto <otto@codeberg.org>
2024-02-20 07:12:22 +00:00
Gusted
6c100083c2
[BUG] Restrict when to make link absolute in markdown
- Backport of #2403
- In markdown, links are proccessed to be made absolute against the
relevant base in that context. Such that `./src` will be transformed
into `http://example.com/owner/repo/src/branch/main/src`.
- Don't try to make the link absolute if the link has a schema that's
defined in `[markdown].CUSTOM_URL_SCHEMES`, because they can't be made
absolute and doing so could lead to problems (see test case, double
slash was transformed to single slash).
- Adds unit test.
- Resolves https://codeberg.org/Codeberg/Community/issues/1489

(cherry picked from commit 65b9a959b8)
2024-02-19 23:30:12 +01:00
Earl Warren
6c5121aac5 Merge pull request '[GITEA] Fix cancelled migration deletion modal' (#2405) from gusted/forgejo-bp-1805 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2405
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-19 21:55:09 +00:00
Gusted
53460829f7
[GITEA] Fix cancelled migration deletion modal
- Backport of #1805
- https://codeberg.org/forgejo/forgejo/pulls/1473 made that dangerous
actions such as deletion also would need to type in the owner's name.
This was apparently not reflected to the deletion modal for migrations
that failed or were cancelled.
- Resolves #2404

(cherry picked from commit c38dbd6f88)
2024-02-19 21:00:26 +01:00
Gusted
84ef9bba44 Merge pull request '[BUG] Fix relative links on orgmode' (#2391) from gusted/forgejo-bp-2385 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2391
Reviewed-by: Otto <otto@codeberg.org>
2024-02-19 12:29:21 +00:00
Gusted
fa700333ba
[BUG] Fix relative links on orgmode
- Backport of #2385
- For regular non-image nonvideo links, they should be made relative,
this was done against `r.Ctx.Links.Base`, but since 637451a45e, that
should instead be done by `SrcLink()` if there's branch information set
in the context, because branch and treepath information are no longer
set in `r.Ctx.Links.Base`.
- This is consistent with how #2166 _fixed_ relative links.
- Media is not affected, `TestRender_Media` test doesn't fail.
- Adds unit tests.
- Ref https://codeberg.org/Codeberg/Community/issues/1485

(cherry picked from commit a2442793d2)
2024-02-19 12:15:40 +01:00
Earl Warren
cd8a59e7bd Merge pull request '[BUG] Fix Ctrl+Enter on submitting review comment' (#2374) from gusted/forgejo-bp-2370 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2374
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-17 16:25:27 +00:00
Gusted
1c3a31d851
[BUG] Fix Ctrl+Enter on submitting review comment
- Backport of #2370
- When a event is caused by `Ctrl+Enter` jQuery might not wrap the event
and in that case `originalEvent` is not defined. Check for this case.
- Log the error along with showing an toast.
- Resolves #2363

(cherry picked from commit f04589defd)
2024-02-17 16:19:21 +01:00
Earl Warren
8283305d53 Merge pull request '[BUG] split code conversations in diff tab' (#2362) from oliverpool/forgejo:bg2306 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2362
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-17 10:50:48 +00:00
Earl Warren
91703b7214 Merge pull request 'Preview: set font-size on preview content' (#2366) from gusted/forgejo-bp-2349 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2366
Reviewed-by: Otto <otto@codeberg.org>
2024-02-17 10:48:33 +00:00
Gusted
a904558380
Preview: set font-size on preview content
- Backport of #2349
- When previewing the content in a review, no font size was set. This
resulted in the previewed content being bigger than other text and
therefor creating an noticable inconsistency.
- Set the font size of the previewed content, 14px, this is consistent
with how the content would be rendered.
- `comment-code-cloud` is the class used for the review boxes.
`.ui.tab.markup` means it only applies to the preview tab.

(cherry picked from commit b1aabbf174)
2024-02-16 22:29:12 +01:00
oliverpool
07bc099401 [BUG] split code conversations in diff tab (#2306)
Follow-up of #2282 and #2296 (which tried to address #2278)

One of the issue with the previous PR is that when a conversation on the Files tab was marked as "resolved", it would fetch all the comments for that line (even the outdated ones, which should not be shown on this page - except when explicitly activated).

To properly fix this, I have changed `FetchCodeCommentsByLine` to `FetchCodeConversation`. Its role is to fetch all comments related to a given (review, path, line) and reverted my changes in the template (which were based on a misunderstanding).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2306
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
2024-02-16 14:06:43 +01:00
Earl Warren
45c0fa4905 Merge pull request '[BUG] Workaround borked Git version' (#2342) from gusted/forgejo-bp-2335 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2342
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-14 10:55:22 +00:00
Earl Warren
31ca6d8160 Merge pull request '[gitea] v1.21 cherry-pick' (#2340) from earl-warren/forgejo:wip-v1.21-forgejo into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2340
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-14 10:54:42 +00:00
Gusted
ff468ab5e4
[BUG] Workaround borked Git version
- Backport #2335
- In Git version v2.43.1, the behavior of `GIT_FLUSH` was accidentially
flipped. This causes Forgejo to hang on the `check-attr` command,
because no output was being flushed.
- Workaround this by detecting if Git v2.43.1 is used and set
`GIT_FLUSH=0` thus getting the correct behavior.
- Ref: https://lore.kernel.org/git/CABn0oJvg3M_kBW-u=j3QhKnO=6QOzk-YFTgonYw_UvFS1NTX4g@mail.gmail.com/
- Resolves #2333.

(cherry picked from commit f68f880974)
2024-02-13 21:07:24 +01:00
CEnnis91
fab6780fda
Fix swift packages not resolving (#29095) (#29102)
(cherry picked from commit 1aaeec6da7fdbbe363e417a0445f21ed3b750aba)
2024-02-13 14:29:41 +01:00
Giteabot
614ba2b257
Avoid showing unnecessary JS errors when there are elements with different origin on the page (#29081) (#29089)
Backport #29081 by wxiaoguang

Try to fix #29080

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 9a4d283e9ac472dca869356c27db05039673c638)
2024-02-13 14:18:07 +01:00
Giteabot
628e1036cf
Fix gitea-origin-url with default ports (#29085) (#29088)
Backport #29085 by @silverwind

When setting `url.host` on a URL object with no port specified (like is
the case of default port), the resulting URL's port will not change.
Workaround this quirk in the URL standard by explicitely setting port
for the http and https protocols.

Extracted the logic to a function for the purpose of testing. Initially
I wanted to have the function in utils.js, but it turns out esbuild can
not treeshake the unused functions which would result in the
webcomponents chunk having all 2kB utils.js inlined, so it seemed not
worth.

Fixes: https://github.com/go-gitea/gitea/issues/29084

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit fb7f28e9a7ee441e85dc957ac507278650af2f63)
2024-02-13 14:17:58 +01:00
Giteabot
e6f59f6e14
fix: Elasticsearch: Request Entity Too Large #28117 (#29062) (#29075)
Backport #29062 by @inferno-umar

Fix for gitea putting everything into one request without batching and
sending it to Elasticsearch for indexing as issued in #28117

This issue occured in large repositories while Gitea tries to
index the code using ElasticSearch.

Co-authored-by: dark-angel <70754989+inferno-umar@users.noreply.github.com>
(cherry picked from commit f0d34cd3b97dd2c9f29fc401ec58ea0661b7ca7d)
2024-02-13 14:17:49 +01:00
Giteabot
941c47f08f
Hide code links on release page if user cannot read code (#29064) (#29066)
Backport #29064 by @wolfogre

On the release list page, if the user doesn't have the permission to
read code, the code links will lead to 404 pages or api errors:

<img width="1297" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/a74fbc63-6dd6-43c6-853c-28acdbfdcb4e">

After this PR:

<img width="1297" alt="image"
src="https://github.com/go-gitea/gitea/assets/9418365/a626373d-c2df-40a9-8fed-1b12ff6bc56f">

And this PR also removed some dead code. After #23465, the tag list page
has an independent template, and all `IsTag` in the release list
template are always false.

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit 7ed79b748f772e931317f941390695be3ac0d0bd)
2024-02-13 14:17:43 +01:00
Giteabot
3c54a1dbf6
Avoid sending update/delete release notice when it is draft (#29008) (#29025)
Backport #29008 by @yp05327

Fix #27157

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 8def405047)
2024-02-13 14:17:34 +01:00
Giteabot
8c20eb668b
Wrap contained tags and branches again (#29021) (#29026)
Backport #29021 by @delvh

Fixes #29016

## After

![grafik](https://github.com/go-gitea/gitea/assets/51889757/2c72ee8f-439e-4328-85df-77772e0f4aef)

Co-authored-by: delvh <dev.lh@web.de>
(cherry picked from commit 5ac41026f9)
2024-02-13 14:17:25 +01:00
Giteabot
565b4efe4d
Fix incorrect button CSS usages (#29015) (#29023)
Backport #29015 by @wxiaoguang

Fix 2 problems:

1. Remove the legacy (non-existing) CSS: `class="btn btn-gray
btn-radius"`
2. Remove the button styles inside the `ui message`, according to:
https://fomantic-ui.com/collections/message.html , the button shouldn't
have any border/padding.

### Before

![image](https://github.com/go-gitea/gitea/assets/2114189/4c7e98e2-4e8a-493f-9b7e-446a365066a1)

![image](https://github.com/go-gitea/gitea/assets/2114189/05221251-7a79-4c96-8973-fb4588275672)

### After

![image](https://github.com/go-gitea/gitea/assets/2114189/8bc3edbc-42a6-40bd-85fd-de40e94841d4)

![image](https://github.com/go-gitea/gitea/assets/2114189/93f69143-d835-437c-b5eb-0f6dddde97a1)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 333d02ddfd)
2024-02-13 14:17:18 +01:00
Giteabot
c148156409
Strip trailing newline in markdown code copy (#29019) (#29022)
Behaviour now matches GH. Safeguard added in the for loop because
`textContent` may be null in which case it does not make sense to render
the copy button.

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 5d1abdce3e)
2024-02-13 14:17:07 +01:00
Earl Warren
bb5f4fd81b Merge pull request '[ACTIONS] skip superflous pull request synchronized event (#2314)' (#2338) from earl-warren/forgejo:wip-v1.21-superfluous into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2338
2024-02-13 12:37:58 +00:00
Earl Warren
ce96379aef
[ACTIONS] skip superflous pull request synchronized event (#2314)
Skip a HookEventPullRequestSync event if it has the same CommitSHA as an existing HookEventPullRequest event in the ActionRun table. A HookEventPullRequestSync event must only create an ActionRun if the CommitSHA is different from what it was when the PR was open.

This guards against a race that can happen when the following is done in parallel:

* A commit C is pushed to a repo on branch B
* A pull request with head on branch B

it is then possible that the pull request is created first, successfully. The commit that was just pushed is not known yet but the PR only references the repository and the B branch so it is fine.

A HookEventPullRequest event is sent to the notification queue but not processed immediately.

The commit C is pushed and processed successfully. Since the PR already exists and has a head that matches the branch, the head of the PR is updated with the commit C and a HookEventPullRequestSync event is sent to the notification queue.

The HookEventPullRequest event is processed and since the head of the PR was updated to be commit C, an ActionRun with CommitSHA C is created.

The HookEventPullRequestSync event is then processed and also has a CommitSHA equal to C.

Refs: https://codeberg.org/forgejo/forgejo/issues/2009
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2314
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
(cherry picked from commit 7b4dba3aa0)

Conflicts:
	services/actions/notifier_helper.go
	tests/integration/actions_trigger_test.go
	trivial context conficts
	services/actions/main_test.go is different in v1.21
2024-02-13 12:00:27 +01:00
Earl Warren
5697a6e82f Merge pull request '[CI] pin go v1.21' (#2318) from earl-warren/forgejo:wip-v1.21-ci into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2318
2024-02-09 17:48:18 +00:00
Earl Warren
9a61bcb91f
[CI] pin go v1.21 2024-02-09 18:11:08 +01:00
Earl Warren
38800476bd Merge pull request '[GITEA] Generate install if condition for Alpine' (#2286) from earl-warren/forgejo:wip-v1.21-alpine into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2286
2024-02-04 19:23:15 +00:00
oliverpool
f8fe66d737 Merge pull request '[GITEA] Internal Server Error when resolving comments' (#2289) from oliverpool/forgejo:forgejo-bp-2282 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2289
Reviewed-by: crystal <crystal@noreply.codeberg.org>
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-04 14:15:08 +00:00
oliverpool
ad67d9ef1a [GITEA] always load outdated comments 2024-02-04 12:44:13 +01:00
oliverpool
d5bb14de66 [GITEA] add test showing bug on resolving invalidated review comment 2024-02-04 12:44:13 +01:00
Gusted
7afbc62057
[GITEA] Generate install if condition for Alpine
- If the APKINFO contains an install if condition, write it in the APKINDEX.
- No integration testing, as I don't have the files to regenerate the
hardcoded compressed(?) APKINFO in the test.
- Resolves #2174

(cherry picked from commit 11da776bef)
(cherry picked from commit 2824ae4cf2)
2024-02-03 19:30:48 +01:00
Gusted
d56bb1bc95 Merge pull request '[GITEA] Fix orgmode link resolver for text descriptions' (#2277) from gusted/forgejo-bp-2276 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2277
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-01 21:05:22 +00:00
Earl Warren
108c984945 Merge pull request 'Revert "Speed up loading the dashboard on mysql/mariadb (#28546)" (#29006) (#29007)' (#2279) from earl-warren/forgejo:wip-v1.21-performance into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2279
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-01 21:02:25 +00:00