forgejo/modules
Gusted f7cb37ca5a
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that were chosen by `x/crypto/ssh` after successfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense in depth to rely on it.
- Existing tests cover that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior; it would be too hard to
craft SSH packets to exploit this.

(cherry picked from commit 3e1b03838e)

Conflicts:
	go.mod
	go.sum
  trivial context conflict
2024-12-12 07:02:14 +01:00
..
actions enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
activitypub enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
analyze Rename code_langauge.go to code_language.go (#26377) 2023-08-07 15:00:53 -04:00
assetfs enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
auth enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
avatar enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
base fix: extend forgejo_auth_token table 2024-11-15 12:02:14 +01:00
cache enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
charset enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
container Add container.FilterSlice function (gitea#30339) (skip using it) 2024-08-18 06:55:15 +02:00
csv enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
emoji Update emoji set to Unicode 15 (#25595) 2023-06-29 16:29:48 +00:00
eventsource Final round of db.DefaultContext refactor (#27587) 2023-10-14 08:37:24 +00:00
generate enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
git Fix IsObjectExist with gogit (#31790) (#31806) 2024-08-11 09:41:23 +02:00
gitgraph models/asymkey: Implement Tag verification 2024-04-01 13:42:11 +00:00
gitrepo Move get/set default branch from git package to gitrepo package to hide repopath (#29126) 2024-03-11 23:36:59 +07:00
graceful enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
hcaptcha Consume hcaptcha and pwn deps (#22610) 2023-01-29 09:49:51 -06:00
highlight enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
hostmatcher Support allowed hosts for webhook to work with proxy (#27655) 2023-10-18 09:44:36 +00:00
html Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
httpcache [BRANDING] add X-Forgejo-* headers 2024-02-05 16:02:14 +01:00
httplib enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
indexer enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
issue/template Extend issue template yaml engine (#29274) 2024-03-06 12:10:47 +08:00
json Replace interface{} with any (#25686) 2023-07-04 18:36:08 +00:00
label Make label templates have consistent behavior and priority (#23749) 2023-04-10 16:44:02 +08:00
lfs Fix #31185 try fix lfs download from bitbucket failed (#31201) 2024-08-18 07:01:03 +02:00
log enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
markup fix: strict matching of allowed content for sanitizer 2024-11-15 11:59:35 +01:00
mcaptcha Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
metrics Reduce usage of db.DefaultContext (#27073) 2023-09-14 17:09:32 +00:00
migration enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
nosql s/Gitea/Forgejo in various log messages and comments 2024-04-22 14:41:17 +00:00
optional enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
options Use a general approach to access custom/static/builtin assets (#24022) 2023-04-12 18:16:45 +08:00
packages enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
paginator Use more specific test methods (#24265) 2023-04-22 17:56:27 -04:00
pprof Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
private Move database operations of merging a pull request to post receive hook and add a transaction (#30805) 2024-05-14 15:37:32 +02:00
process [FIX] make pprof labels conformant with prometheus spec 2024-04-01 18:22:11 +00:00
proxy Use proxy for pull mirror (#22771) 2023-02-11 08:39:50 +08:00
proxyprotocol Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
public enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
queue enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
recaptcha Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
references enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
regexplru enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
repository enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
secret enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
session Avoid importing modules/web/middleware in modules/session (#30584) (#30589) 2024-04-21 18:16:09 +02:00
setting enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
sitemap enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
ssh fix: ensure correct ssh public key is used for authentication 2024-12-12 07:02:14 +01:00
storage enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
structs enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
svg Refactor backend SVG package and add tests (#26335) 2023-08-05 04:34:59 +00:00
sync Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
system enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
templates enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
test test(util): MockProtect when mocking multiple times 2024-06-02 14:32:00 +00:00
testlogger Merge pull request '[v7.0/forgejo] [FEAT] Mark database errors in tests as failure' (#2978) from bp-v7.0/forgejo-2dabd20 into v7.0/forgejo 2024-04-02 15:53:23 +00:00
timeutil Remove the time-since class (#29826) 2024-03-20 08:46:30 +01:00
translation enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
turnstile Add new captcha: cloudflare turnstile (#22369) 2023-02-05 15:29:03 +08:00
typesniffer enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
updatechecker enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
uri enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
user enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
util enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
validation [GITEA] add option for banning dots in usernames 2024-02-05 16:05:50 +01:00
web enable linter testifylint on v7 (#4572) 2024-07-30 19:42:06 +00:00
webhook [FEAT] sourcehut webhooks 2024-04-05 19:36:04 +00:00