Commit graph

19172 commits

Author SHA1 Message Date
Earl Warren
ec3321a02d Merge pull request 'Update dependency mermaid to v10.9.3 [SECURITY] (v7.0/forgejo)' (#5725) from renovate/v7.0/forgejo-npm-mermaid-vulnerability into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5725
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-10-28 07:59:16 +00:00
Earl Warren
20848116a6 Merge pull request '[v7.0/forgejo] use constant time check for internal token' (#5723) from bp-v7.0/forgejo-53231ba into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5723
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-10-28 07:21:14 +00:00
Renovate Bot
23dc779f94 Update dependency mermaid to v10.9.3 [SECURITY] 2024-10-28 06:28:51 +00:00
Gusted
1f40efc60b fix(sec): use constant time check for internal token
(cherry picked from commit 53231bad61)
2024-10-28 06:17:16 +00:00
Earl Warren
cc343f27e9 Merge pull request '[v7.0/forgejo] add permission check to 'delete branch after merge'' (#5720) from earl-warren/forgejo:wip-v7.0-delete-branch into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5720
2024-10-28 06:15:56 +00:00
Gusted
5488ec7d96
security: add permission check to 'delete branch after merge'
- Add a permission check that the doer has write permissions to the head
repository if the 'delete branch after merge' is enabled when
merging a pull request.
- Unify the checks in the web and API router to `DeleteBranchAfterMerge`.
- Added integration tests.

(cherry picked from commit 266e0b2ce9)

Conflicts:
	tests/integration/pull_merge_test.go
  trivial context conflict
2024-10-28 06:32:10 +01:00
0ko
d9d434217f Merge pull request 'Translation backports to v7' (#5401) from 0ko/forgejo:i18n-backport-20240926-v7 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5401
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-09-27 12:46:28 +00:00
Codeberg Translate
80f501c9ad [v7.0/forgejo] i18n: update of translations from Codeberg Translate
Backport: https://codeberg.org/forgejo/forgejo/pulls/5309.

Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: Outbreak2096 <Outbreak2096@users.noreply.translate.codeberg.org>
Co-authored-by: aleksi <aleksi@users.noreply.translate.codeberg.org>
Co-authored-by: Vaclovas Intas <Gateway_31@protonmail.com>
Co-authored-by: toasterbirb <toasterbirb@users.noreply.translate.codeberg.org>
Co-authored-by: Salif Mehmed <mail@salif.eu>
Co-authored-by: Zughy <Zughy@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5309
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>

(cherry picked from commit 6d57cbe5c8)
(cherry picked from commit 9791010feb)
2024-09-26 22:39:12 +05:00
Codeberg Translate
698b9e3766 [v7.0/forgejo] i18n: update of translations from Codeberg Translate
Backport: https://codeberg.org/forgejo/forgejo/pulls/5231.

Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: xtex <xtexchooser@duck.com>
Co-authored-by: emansije <emansije@users.noreply.translate.codeberg.org>
Co-authored-by: Monti <contact@montidaproot.xyz>
Co-authored-by: muhaaliss <muhaaliss@users.noreply.translate.codeberg.org>
Co-authored-by: EssGeeEich <EssGeeEich@users.noreply.translate.codeberg.org>
Co-authored-by: Zughy <Zughy@users.noreply.translate.codeberg.org>
Co-authored-by: Marco Ciampa <ciampix@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5231
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>

(cherry picked from commit 2d3fc00d02)
(cherry picked from commit 884b5aab8b)
2024-09-26 22:36:58 +05:00
Codeberg Translate
7d994178c4 [v7.0/forgejo] i18n: update of translations from Codeberg Translate
Backport: https://codeberg.org/forgejo/forgejo/pulls/5182.

Co-authored-by: Vaclovas Intas <Gateway_31@protonmail.com>
Co-authored-by: Monti <contact@montidaproot.xyz>
Co-authored-by: sclu1034 <sclu1034@users.noreply.translate.codeberg.org>
Co-authored-by: Dirk <Dirk@users.noreply.translate.codeberg.org>
Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5182
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>

(cherry picked from commit fb4a8b24cc)
(cherry picked from commit 1fc2e1f02d)
2024-09-26 22:36:04 +05:00
Earl Warren
a12e0308da Merge pull request 'Update dependency go to v1.22.7 (v7.0/forgejo)' (#5241) from renovate/v7.0/forgejo-patch-golang-packages into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5241
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-09-06 22:52:38 +00:00
Earl Warren
7644435aed Merge pull request '[v7.0/forgejo] replace v-html with v-text in branch search inputbox for XSS protection' (#5246) from bp-v7.0/forgejo-bb8796b into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5246
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-09-06 11:15:13 +00:00
Lunny Xiao
bb811ee28a fix: replace v-html with v-text in branch search inputbox
Co-authored-by: techknowlogick <techknowlogick@noreply.gitea.com>
(cherry picked from commit 7eef261c3ebf9bfe37fe0dceb51bde9a79bbaf17)
(cherry picked from commit bb8796b3be)
2024-09-06 10:38:00 +00:00
Renovate Bot
a0c1c1fdc7 Update dependency go to v1.22.7 2024-09-06 05:18:52 +00:00
Earl Warren
367ccad622 Merge pull request 'Update dependency webpack to v5.94.0 [SECURITY] (v7.0/forgejo)' (#5201) from renovate/v7.0/forgejo-npm-webpack-vulnerability into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5201
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-09-03 08:36:50 +00:00
Renovate Bot
af756c76a7 Update dependency webpack to v5.94.0 [SECURITY] 2024-09-02 06:22:11 +00:00
0ko
08e37d130a Merge pull request '[v7.0/forgejo] i18n: update of translations from Codeberg Translate' (#5181) from bp-v7.0/forgejo-b73fd55 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5181
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-08-30 19:06:38 +00:00
Codeberg Translate
fa7fffdeef i18n: update of translations from Codeberg Translate (#5070)
Translations update from [Codeberg Translate](https://translate.codeberg.org) for [Forgejo/forgejo](https://translate.codeberg.org/projects/forgejo/forgejo/).

Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: Xinayder <Xinayder@users.noreply.translate.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: Kita Ikuyo <searinminecraft@courvix.com>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: hugoalh <hugoalh@users.noreply.translate.codeberg.org>
Co-authored-by: Outbreak2096 <Outbreak2096@users.noreply.translate.codeberg.org>
Co-authored-by: Eryk Michalak <gnu.ewm@protonmail.com>
Co-authored-by: Caesar Schinas <caesar@caesarschinas.com>
Co-authored-by: hankskyjames777 <hankskyjames777@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5070
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
(cherry picked from commit 45198cef64)
(cherry picked from commit b73fd55374)
2024-08-30 18:28:49 +00:00
Earl Warren
47cd797dd3 Merge pull request '[gitea] week 2024-35-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#5113) from earl-warren/wcp/2024-35-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5113
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-28 10:30:46 +00:00
Gusted
41f7faf4fe Merge pull request '[v7.0/forgejo] [SEC] Ensure propagation of API scopes for Conan and Container authentication' (#5150) from bp-v7.0/forgejo-5a871f6 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5150
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-28 09:55:33 +00:00
Gusted
ce10ec2878 [SEC] Ensure propagation of API scopes for Conan and Container authentication
- The Conan and Container packages use a different type of
authentication. It first authenticates via the regular way (api tokens
or user:password, handled via `auth.Basic`) and then generates a JWT
token that is used by the package software (such as Docker) to do the
action they wanted to do. This JWT token didn't properly propagate the
API scopes that the token was generated for, and thus could lead to a
'scope escalation' within the Conan and Container packages, read
access to write access.
- Store the API scope in the JWT token, so it can be propagated on
subsequent calls that use that JWT token.
- Integration test added.
- Resolves #5128

(cherry picked from commit 5a871f6095)
2024-08-28 08:44:58 +00:00
Otto
619fe48af7 Merge pull request 'Backports of #4889 and #4984 to v7' (#5138) from 0ko/forgejo:i18n-backport-20240827-v7 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5138
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-27 17:36:59 +00:00
Earl Warren
4b5f4ec788 Merge pull request '[v7.0/forgejo] fix: correct doctor commands and rename to forgejo' (#5134) from bp-v7.0/forgejo-94af0e5 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5134
Reviewed-by: Otto <otto@codeberg.org>
2024-08-27 06:13:36 +00:00
Codeberg Translate
250bf845bd [v7.0/forgejo] i18n: update of translations from Codeberg Translate
Backport: #4984.

Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: qui <qui@users.noreply.translate.codeberg.org>
Co-authored-by: hahahahacker2009 <hahahahacker2009@users.noreply.translate.codeberg.org>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: Outbreak2096 <Outbreak2096@users.noreply.translate.codeberg.org>
Co-authored-by: Wuzzy <Wuzzy@users.noreply.translate.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: fnetX <otto@codeberg.org>
Co-authored-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
Co-authored-by: emansije <emansije@users.noreply.translate.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4984
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
(cherry picked from commit d30be160c9)
(cherry picked from commit 619f2faf98)
2024-08-27 08:29:22 +05:00
0ko
7191018661 [v7.0/forgejo] i18n: update of translations from Codeberg Translate
Backport: #4889.

Co-authored-by: earl-warren <earl-warren@users.noreply.translate.codeberg.org>
Co-authored-by: Outbreak2096 <Outbreak2096@users.noreply.translate.codeberg.org>
Co-authored-by: Panagiotis "Ivory" Vasilopoulos <git@n0toose.net>
Co-authored-by: dragon <dragon@users.noreply.translate.codeberg.org>
Co-authored-by: hoovad <hoovad@users.noreply.translate.codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: hankskyjames777 <hankskyjames777@users.noreply.translate.codeberg.org>
Co-authored-by: emansije <emansije@users.noreply.translate.codeberg.org>
Co-authored-by: hugoalh <hugoalh@users.noreply.translate.codeberg.org>
Co-authored-by: zub <zub@users.noreply.translate.codeberg.org>
Co-authored-by: Fjuro <fjuro@alius.cz>
Co-authored-by: 0ko <0ko@users.noreply.translate.codeberg.org>
Co-authored-by: Kita Ikuyo <searinminecraft@courvix.com>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4889
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Codeberg Translate <translate@noreply.codeberg.org>
Co-committed-by: Codeberg Translate <translate@noreply.codeberg.org>
(cherry picked from commit 17fa75074d)
(cherry picked from commit c13d13f7cc)
2024-08-27 08:27:23 +05:00
Otto Richter
402cf29da6 fix: correct doctor commands and rename to forgejo
The syntax is `doctor check --run`, see https://forgejo.org/docs/latest/admin/command-line/#doctor

(cherry picked from commit 94af0e53e5)
2024-08-27 01:44:00 +00:00
Earl Warren
5df3029bf2
chore(release-notes): weekly cherry-pick week 2024-35-v7.0 2024-08-25 17:49:20 +02:00
Giteabot
bf07064e40
add CfTurnstileSitekey context data to all captcha templates (#31874) (#31876)
Backport #31874 by @bohde

In the OpenID flows, the "CfTurnstileSitekey" wasn't populated, which
caused those flows to fail if using Turnstile as the Captcha
implementation.

This adds the missing context variables, allowing Turnstile to be used
in the OpenID flows.

Co-authored-by: Rowan Bohde <rowan.bohde@gmail.com>
(cherry picked from commit 0affb5c775280622b277bba2223c01968bafa8b7)
2024-08-25 17:41:08 +02:00
Otto
3dbe5be281 Merge pull request '[PORT] Fix overflow for images on project cards (gitea#31683)' (#5033) from gusted/forgejo-bp-5029-v7 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5033
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 21:35:23 +00:00
Gusted
9ed7adcbf8
[UI] Remove snapping for images on project cards
Remove the snapping of the images on the projects cards, the images are
way too small to notice that when scrolling you're being snapped to
these images and when you do notice it, it doesn't make sense as you
wouldn't expect it to be snapped.

(cherry picked from commit 0764b7c18b)
2024-08-20 18:34:45 +02:00
Simon Priet
7d133488b7
[PORT] Scroll images in project issues separately from the remaining issue (gitea#31683)
As discussed in https://github.com/go-gitea/gitea/issues/31667 &
https://github.com/go-gitea/gitea/issues/26561, when a card on a Project
contains images, they can overflow the card on its containing column.
This aims to fix this issue via snapping scrollbars.

---
Backport: #5029
Conflict resolution: none
Modification: Remove the snapping of the images on the projects cards, the images are way too small to notice that when scrolling you're being snapped to these images and when you do notice it, it doesn't make sense as you wouldn't expect it to be snapped.

(cherry picked from commit 8e46efef95)
2024-08-20 18:34:11 +02:00
Gusted
a84730775a Merge pull request '[PORT] Remove jQuery class from the comment context menu (gitea#30179)' (#5019) from gusted/forgejo-bp-gt-30179 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5019
Reviewed-by: Otto <otto@codeberg.org>
2024-08-20 13:46:11 +00:00
Earl Warren
db585f082a Merge pull request '[gitea] week 2024-34-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#4999) from earl-warren/wcp/2024-34-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4999
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-20 05:43:22 +00:00
Yarden Shoham
d6a21fcb79
[PORT] Remove jQuery class from the comment context menu (gitea #30179)
- Switched from jQuery class functions to plain JavaScript
- Tested the comment context menu functionality and it works as before

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: silverwind <me@silverwind.io>

---

Resolves #5016

(cherry picked from commit 66f7d47d2c702bab4ca9bcedc1c0ba9ddfa49a17)
2024-08-20 01:30:51 +02:00
Gusted
684c3106b4 Merge pull request '[v7.0/forgejo] [UI] Fix misalignment of authors for repo activity' (#5005) from bp-v7.0/forgejo-72f4130 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5005
Reviewed-by: Otto <otto@codeberg.org>
2024-08-18 20:53:59 +00:00
Gusted
a6c74df161 [UI] Fix misalignment of authors for repo activity
- Regression of #4571
- We aren't showing the ticks generated by chartjs, because we want to
show the avatar of the person instead. You can't *really* disable that
tick, so instead I opted to make them transparent in #4571, however they
still affected the generation of ticks so if enough authors were being
shown, for some the ticks were being skipped. Adjust the settings to
make sure they are always being shown.
- Resolves https://codeberg.org/forgejo/forgejo/issues/4982

(cherry picked from commit 72f41306c2)
2024-08-18 20:12:27 +00:00
Earl Warren
6becfc016f
chore(release-notes): weekly cherry-pick week 2024-34-v7.0 2024-08-18 07:11:37 +02:00
Giteabot
64c7687308
Fix panic of ssh public key page after deletion of auth source (#31829) (#31836)
Backport #31829 by @lunny

Fix #31730

This PR rewrote the function `PublicKeysAreExternallyManaged` with a
simple test. The new function removed the loop to make it more readable.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 5fa90ad9bc7fe800d657e909462e5e1caefc7193)
2024-08-18 07:11:32 +02:00
Giteabot
4c5e4e672d
Show lock owner instead of repo owner on LFS setting page (#31788) (#31817)
Backport #31788 by @wolfogre

Fix #31784.

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit a39fe5325266f1c079e0e54abc68e6470764eb44)

Conflicts:
	models/git/lfs_lock.go
  trivial context conflict
2024-08-18 07:01:03 +02:00
Zoupers Zou
8e8a07cc15
Fix #31185 try fix lfs download from bitbucket failed (#31201)
Fix #31185

(cherry picked from commit e25d6960b5749fbf7f88ebb6b27878c0459817da)
(cherry picked from commit baad8337f9)
2024-08-18 07:01:03 +02:00
oliverpool
45d96b4765
Add container.FilterSlice function (gitea#30339) (skip using it)
Many places have the following logic:
```go
func (jobs ActionJobList) GetRunIDs() []int64 {
	ids := make(container.Set[int64], len(jobs))
	for _, j := range jobs {
		if j.RunID == 0 {
			continue
		}
		ids.Add(j.RunID)
	}
	return ids.Values()
}
```

this introduces a `container.FilterMapUnique` function, which reduces
the code above to:
```go
func (jobs ActionJobList) GetRunIDs() []int64 {
	return container.FilterMapUnique(jobs, func(j *ActionRunJob) (int64, bool) {
		return j.RunID, j.RunID != 0
	})
}
```
Conflicts:
models/issues/comment_list.go due to premature refactor in #3116

(cherry picked from commit 525accfae6)

Conflicts:
	models/issues/comment_list.go
  only cherry-pick the container.FilterSlice function, for the sake of backporting
2024-08-18 06:55:15 +02:00
Michael Kriese
1a4c399652 Merge pull request '[v7.0/forgejo] fix: Run full PR checks on agit push' (#4950) from bp-v7.0/forgejo-2d05e92 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4950
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-08-13 19:04:58 +00:00
Michael Kriese
7e847ad879 fix(agit): run full pr checks on force-push
(cherry picked from commit 2d05e922a2)
2024-08-13 18:26:33 +00:00
Earl Warren
44b34ea2ac Merge pull request '[gitea] week 2024-33-v7.0 cherry pick (release/v1.22 -> v7.0/forgejo)' (#4925) from earl-warren/wcp/2024-33-v7.0 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4925
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-12 21:26:24 +00:00
Giteabot
3e091b9bac
Fix IsObjectExist with gogit (#31790) (#31806)
Backport #31790 by @wolfogre

Fix #31271.

When gogit is enabled, `IsObjectExist` calls
`repo.gogitRepo.ResolveRevision`, which is not correct. It's for
checking references not objects, it could work with commit hash since
it's both a valid reference and a commit object, but it doesn't work
with blob objects.

So it causes #31271 because it reports that all blob objects do not
exist.

Co-authored-by: Jason Song <i@wolfogre.com>
(cherry picked from commit 144648a4afdd93d534875a86c50ec61c860878f3)
2024-08-11 09:41:23 +02:00
Earl Warren
3a18717c6b Merge pull request '[v7.0/forgejo] [BUG] Return blocking errors as JSON errors' (#4917) from bp-v7.0/forgejo-d97cf0e into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4917
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-08-10 06:42:40 +00:00
Gusted
e988d1a8bb [BUG] Return blocking errors as JSON errors
- These endpoints are since b71cb7acdc
JSON-based and should therefore return JSON errors.
- Integration tests adjusted.

(cherry picked from commit d97cf0e854)
2024-08-10 05:53:00 +00:00
Earl Warren
29afb54daf Merge pull request '[v7.0/forgejo] disallow javascript: URI in the repository description' (#4900) from bp-v7.0/forgejo-bb448f3 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4900
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2024-08-09 06:58:26 +00:00
Gusted
542281ab9f disallow javascript: URI in the repository description
- Fixes an XSS that was introduced in
https://codeberg.org/forgejo/forgejo/pulls/1433
- This XSS allows for `href`s in anchor elements to be set to a
`javascript:` uri in the repository description, which would upon
clicking (and not upon loading) the anchor element execute the specified
javascript in that uri.
- [`AllowStandardURLs`](https://pkg.go.dev/github.com/microcosm-cc/bluemonday#Policy.AllowStandardURLs) is now called for the repository description
policy, which ensures that URIs in anchor elements are `mailto:`,
`http://` or `https://` and thereby disallowing the `javascript:` URI.
It also now allows non-relative links and sets `rel="nofollow"` on
anchor elements.
- Unit test added.

(cherry picked from commit bb448f3dc2)
2024-08-09 05:57:13 +00:00
Earl Warren
8373749002 Merge pull request 'i18n: backport of #4568 #4668 and #4783 to v7' (#4882) from 0ko/forgejo:i18n-backport-20240808-v7 into v7.0/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/4882
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-08-08 09:31:02 +00:00