mirror of
1
Fork 0
Commit Graph

323 Commits

Author SHA1 Message Date
Meisam f3370eeaee
verify nodeinfo response by schema (#22137)
... using
[github.com/xeipuuv/gojsonschema](https://github.com/xeipuuv/gojsonschema)

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-12-17 01:22:34 -05:00
KN4CK3R 0e2d04601a
Update xorm (#22094) 2022-12-10 18:53:32 -05:00
Jason Song f59a74852b
Update gitea-vet to check FSFE REUSE (#22004)
Related to:
- #21840
- https://gitea.com/gitea/gitea-vet/pulls/21

What it looks like when it's working:
https://drone.gitea.io/go-gitea/gitea/64040/1/5

All available SPDX license identifiers: [SPDX License
List](https://spdx.org/licenses/).

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-12-02 22:14:57 +08:00
silverwind f0bd219a5e
Update chroma to v2.4.0 (#22000)
Did a few cursory tests, seems to work well.
2022-12-01 16:44:38 -05:00
Jason Song e4eaa68a2b
Replace yaml.v2 with yaml.v3 (#21832)
I don't see why we have to use two versions of yaml. The difference
between the two versions has nothing to do with our usage.
2022-11-21 16:36:59 +08:00
Gusted bea25d77ce
Upgrade golang.org/x/crypto (#21792)
- Update the crypto dependency to include
6fad3dfc18
- Resolves #17798

Executed: `go get
golang.org/x/crypto@6fad3dfc18918c2ac9c112e46b32473bd2e5e2f9 && rm
go.sum && go mod tidy`
2022-11-12 22:14:35 -06:00
Lunny Xiao 4eeea7b30e
Update binding to fix bugs (#21556)
Fix #19698
2022-10-23 13:50:48 +03:00
Gusted 5ba23066ff
Bump `golang.org/x/text` (#21412)
- Update the `golang.org/x/text` dependency, this fixes [a security
issue](https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ).
2022-10-11 20:01:07 +01:00
Clark Boylan f1f911df41
Update to go-enry v2.8.3 (#21360)
This fixes an issue with enry's isVendor() method being too greedy. This
lead to gitea classifying unvendored code as vendored. The impact of
this is fairly minimal, but our Gitea users did notice which led me to
fixing this in go-enry. Some files will be tagged with a vendored flag
in the UI. I think it also impacts the calculation of language
statistics in the repo as vendored files are not incorporated into the
stats.

For more information on the issue see the go-enry bug:
  https://github.com/go-enry/go-enry/issues/135
2022-10-06 21:51:38 +01:00
techknowlogick 726afe8a9e
Update Golang deps (#21304) 2022-10-01 08:49:30 -05:00
6543 5a3b9ac875
Update bluemonday (#21281)
https://github.com/microcosm-cc/bluemonday/releases/tag/v1.0.20

Co-authored-by: Lauris BH <lauris@nix.lv>
2022-09-27 22:02:41 -04:00
silverwind ec0a06e52c
Upgrade chroma to v2.3.0 (#21259)
The behaviour of `PreventSurroundingPre` has changed in
https://github.com/alecthomas/chroma/pull/618 so that apparently it now
causes line wrapper tags to be no longer emitted, but we need some form
of indication to split the HTML into lines, so I did what
https://github.com/yuin/goldmark-highlighting/pull/33 did and added the
`nopWrapper`.

Maybe there are more elegant solutions but for some reason, just
splitting the HTML string on `\n` did not work.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-09-26 13:50:03 +08:00
zeripath 88c2e24360
Add KaTeX rendering to Markdown. (#20571)
This PR adds mathematical rendering with KaTeX.

The first step is to add a Goldmark extension that detects the latex
(and tex) mathematics delimiters.

The second step to make this extension only run if math support is
enabled.

The second step is to then add KaTeX CSS and JS to the head which will
load after the dom is rendered.

Fix #3445

Signed-off-by: Andrew Thornton <art27@cantab.net>

Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2022-09-14 00:33:37 +08:00
zeripath 38a4961f9e
Update a few go dependencies (#21022)
There are a lot of go dependencies that appear old and we should update them.

The following packages have been updated:

* codeberg.org/gusted/mcaptcha
* github.com/markbates/goth
* github.com/buildkite/terminal-to-html
* github.com/caddyserver/certmagic
* github.com/denisenkom/go-mssqldb
* github.com/duo-labs/webauthn
* github.com/editorconfig/editorconfig-core-go/v2
* github.com/felixge/fgprof
* github.com/gliderlabs/ssh
* github.com/go-ap/activitypub
* github.com/go-git/go-git/v5
* github.com/go-ldap/ldap/v3
* github.com/go-swagger/go-swagger
* github.com/go-testfixtures/testfixtures/v3
* github.com/golang-jwt/jwt/v4
* github.com/klauspost/compress
* github.com/lib/pq
* gitea.com/lunny/dingtalk_webhook - instead of github.com
* github.com/mattn/go-sqlite3
* github/matn/go-isatty
* github.com/minio/minio-go/v7
* github.com/niklasfasching/go-org
* github.com/prometheus/client_golang
* github.com/stretchr/testify
* github.com/unrolled/render
* github.com/xanzy/go-gitlab
* gopkg.in/ini.v1

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-09-01 23:13:17 +02:00
zeripath bb0ff77e46
Share HTML template renderers and create a watcher framework (#20218)
The recovery, API, Web and package frameworks all create their own HTML
Renderers. This increases the memory requirements of Gitea
unnecessarily with duplicate templates being kept in memory.

Further the reloading framework in dev mode for these involves locking
and recompiling all of the templates on each load. This will potentially
hide concurrency issues and it is inefficient.

This PR stores the templates renderer in the context and stores this
context in the NormalRoutes, it then creates a fsnotify.Watcher
framework to watch files.

The watching framework is then extended to the mailer templates which
were previously not being reloaded in dev.

Then the locales are simplified to a similar structure.

Fix #20210 
Fix #20211
Fix #20217

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-08-28 10:43:25 +01:00
Gusted 58de07e5fd
Add support mCaptcha as captcha provider (#20458)
https://mcaptcha.org/

Co-authored-by: Felipe Leopoldo Sologuren Gutiérrez <fsologureng@users.noreply.github.com>
2022-08-10 15:20:10 +02:00
zeripath 7fe77f0167
Update lunny/levelqueue to prevent NPE when reads are performed after close (#20534) 2022-07-29 13:41:13 +02:00
6543 1818149527
update xorm.io/xorm v1.3.2-0.20220714055524-c3bce556200f (#20371)
Xorm 1.3.2-0.20220714055524 contains a fix for interpreting db column sizes. Prior to this fix xorm would assume that the size of a column was within the range of an `int`. This is correct on 64bit machines where `int` is typical equivalent to `int64` however, on 32bit machines `int` tends to be `int32`. 

Unfortunately the size of a LONGTEXT field is actually `max_uint32`, thus using `strconv.Atoi` on these fields will fail and thus #20161 occurs on 32 bit arm. Xorm 1.3.2-0.20220714055524 changes this field to use int64 instead.

Fix  #20161
2022-07-14 19:40:30 +01:00
Gusted 11c0748146
Update goldmark (#20300)
Update goldmark to v1.4.13 to fix a issue with quotes after a empty
list item(See https://github.com/yuin/goldmark/issues/313) and
downstream issue https://codeberg.org/Codeberg/Community/issues/645
2022-07-09 19:58:22 +01:00
zeripath 9d9bf66c3b
Update Bluemonday to v1.0.19 (#20199)
The current version of bluemonday is double escaping attributes.

This PR updates bluemonday to the version that fixes this.

(See: microcosm-cc/bluemonday#143 )

Fix #19860

Signed-off-by: Andrew Thornton art27@cantab.net
2022-07-01 20:50:06 +02:00
Anthony Wang e86f18a05a
User keypairs and HTTP signatures for ActivityPub federation using go-ap (#19133)
* go.mod: add go-fed/{httpsig,activity/pub,activity/streams} dependency

go get github.com/go-fed/activity/streams@master
go get github.com/go-fed/activity/pub@master
go get github.com/go-fed/httpsig@master

* activitypub: implement /api/v1/activitypub/user/{username} (#14186)

Return informations regarding a Person (as defined in ActivityStreams
https://www.w3.org/TR/activitystreams-vocabulary/#dfn-person).

Refs: https://github.com/go-gitea/gitea/issues/14186

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: add the public key to Person (#14186)

Refs: https://github.com/go-gitea/gitea/issues/14186

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: go-fed conformant Clock instance

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: signing http client

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: implement the ReqSignature middleware

Signed-off-by: Loïc Dachary <loic@dachary.org>

* activitypub: hack_16834

Signed-off-by: Loïc Dachary <loic@dachary.org>

* Fix CI checks-backend errors with go mod tidy

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Change 2021 to 2022, properly format package imports

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Run make fmt and make generate-swagger

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Use Gitea JSON library, add assert for pkp

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Run make fmt again, fix err var redeclaration

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Remove LogSQL from ActivityPub person test

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Assert if json.Unmarshal succeeds

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Cleanup, handle invalid usernames for ActivityPub person GET request

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Rename hack_16834 to user_settings

Signed-off-by: Anthony Wang <ta180m@pm.me>

* Use the httplib module instead of http for GET requests

* Clean up whitespace with make fmt

* Use time.RFC1123 and make the http.Client proxy-aware

* Check if digest algo is supported in setting module

* Clean up some variable declarations

* Remove unneeded copy

* Use system timezone instead of setting.DefaultUILocation

* Use named constant for httpsigExpirationTime

* Make pubKey IRI #main-key instead of /#main-key

* Move /#main-key to #main-key in tests

* Implemented Webfinger endpoint.

* Add visible check.

* Add user profile as alias.

* Add actor IRI and remote interaction URL to WebFinger response

* fmt

* Fix lint errors

* Use go-ap instead of go-fed

* Run go mod tidy to fix missing modules in go.mod and go.sum

* make fmt

* Convert remaining code to go-ap

* Clean up go.sum

* Fix JSON unmarshall error

* Fix CI errors by adding @context to Person() and making sure types match

* Correctly decode JSON in api_activitypub_person_test.go

* Force CI rerun

* Fix TestActivityPubPersonInbox segfault

* Fix lint error

* Use @mariusor's suggestions for idiomatic go-ap usage

* Correctly add inbox/outbox IRIs to person

* Code cleanup

* Remove another LogSQL from ActivityPub person test

* Move httpsig algos slice to an init() function

* Add actor IRI and remote interaction URL to WebFinger response

* Update TestWebFinger to check for ActivityPub IRI in aliases

* make fmt

* Force CI rerun

* WebFinger: Add CORS header and fix Href -> Template for remote interactions

The CORS header is needed due to https://datatracker.ietf.org/doc/html/rfc7033#section-5 and fixes some Peertube <-> Gitea federation issues

* make lint-backend

* Make sure Person endpoint has Content-Type application/activity+json and includes PreferredUsername, URL, and Icon

Setting the correct Content-Type is essential for federating with Mastodon

* Use UTC instead of GMT

* Rename pkey to pubKey

* Make sure HTTP request Date in GMT

* make fmt

* dont drop err

* Make sure API responses always refer to username in original case

Copied from what I wrote on #19133 discussion: Handling username case is a very tricky issue and I've already encountered a Mastodon <-> Gitea federation bug due to Gitea considering Ta180m and ta180m to be the same user while Mastodon thinks they are two different users. I think the best way forward is for Gitea to only use the original case version of the username for federation so other AP software don't get confused.

* Move httpsig algs constant slice to modules/setting/federation.go

* Add new federation settings to app.example.ini and config-cheat-sheet

* Return if marshalling error

* Make sure Person IRIs are generated correctly

This commit ensures that if the setting.AppURL is something like "http://127.0.0.1:42567" (like in the integration tests), a trailing slash will be added after that URL.

* If httpsig verification fails, fix Host header and try again

This fixes a very rare bug when Gitea and another AP server (confirmed to happen with Mastodon) are running on the same machine, Gitea fails to verify incoming HTTP signatures. This is because the other AP server creates the sig with the public Gitea domain as the Host. However, when Gitea receives the request, the Host header is instead localhost, so the signature verification fails. Manually changing the host header to the correct value and trying the veification again fixes the bug.


* Revert "If httpsig verification fails, fix Host header and try again"

This reverts commit f53e46c721.

The bug was actually caused by nginx messing up the Host header when reverse-proxying since I didn't have the line `proxy_set_header Host $host;` in my nginx config for Gitea.

* Go back to using ap.IRI to generate inbox and outbox IRIs

* use const for key values

* Update routers/web/webfinger.go

* Use ctx.JSON in Person response to make code cleaner

* Revert "Use ctx.JSON in Person response to make code cleaner"

This doesn't work because the ctx.JSON() function already sends the response out and it's too late to edit the headers.

This reverts commit 95aad98897.

* Use activitypub.ActivityStreamsContentType for Person response Content Type

* Limit maximum ActivityPub request and response sizes to a configurable setting

* Move setting key constants to models/user/setting_keys.go

* Fix failing ActivityPubPerson integration test by checking the correct field for username

* Add a warning about changing settings that can break federation

* Add better comments

* Don't multiply Federation.MaxSize by 1<<20 twice

* Add more better comments

* Fix failing ActivityPubMissingPerson test

We now use ctx.ContextUser so the message printed out when a user does not exist is slightly different

* make generate-swagger

For some reason I didn't realize that /templates/swagger/v1_json.tmpl was machine-generated by make generate-swagger... I've been editing it by hand for three months! 🤦

* Move getting the RFC 2616 time to a separate function

* More code cleanup

* Update go-ap to fix empty liked collection and removed unneeded HTTP headers

* go mod tidy

* Add ed25519 to httpsig algorithms

* Use go-ap/jsonld to add @context and marshal JSON

* Change Gitea user agent from the default to Gitea/Version

* Use ctx.ServerError and remove all remote interaction code from webfinger.go
2022-06-19 07:25:12 +02:00
zeripath 90f3365d93
Add fgprof pprof profiler (#20005)
fgprof is a sampling Go profiler that allows you to analyze On-CPU as
well as Off-CPU (e.g. I/O) time together.

Go's builtin sampling CPU profiler can only show On-CPU time, but it's
better than fgprof at that. Go also includes tracing profilers that can
analyze I/O, but they can't be combined with the CPU profiler.

fgprof is designed for analyzing applications with mixed I/O and CPU
workloads. This kind of profiling is also known as wall-clock profiling.

Whilst fgprof can cause significant STW latencies in applications with a
lot of goroutines (> 1-10k), these latencies only occur if the profile
is requested - it doesn't cause a delay by simply being available.

The fgprof profile is mounted on
`http://localhost:6060/debug/fgprof?seconds=3`

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-06-18 11:04:52 +01:00
wxiaoguang 5f618248a9
Use Golang 1.18 for Gitea 1.17 release (#19918)
Use Golang 1.18 (as minimal requirement) for Gitea 1.17 release, make sure the Golang version is still actively supported during Gitea 1.17 lifecycle.

Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
2022-06-10 05:34:41 +02:00
zeripath 7948cb3149
Prevent NPE whilst migrating if there is a team request review (#19855)
A pr.Reviewer may be nil when migrating from Gitea if this is a team
request review.

We do not migrate teams therefore we cannot map these requests, but we can
migrate user requests.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-06-09 10:50:05 +08:00
Lauris BH f92b7a6331
Add support for rendering terminal output with colors (#19497) 2022-06-09 00:46:39 +03:00
Wim e528e2b435
Implement http signatures support for the API (#17565)
Fixes #12338

This allows use to talk to the API with our ssh certificate (and/or ssh-agent) without needing to fetch an API key or tokens.
It will just automatically work when users have added their ssh principal in gitea.

This needs client code in tea
Update: also support normal pubkeys

ref: https://tools.ietf.org/html/draft-cavage-http-signatures

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: zeripath <art27@cantab.net>
Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-06-05 08:16:14 +01:00
Lunny Xiao 12c742f8dc
Fix order by parameter (#19849)
Upgrade builder to v0.3.11
Upgrade xorm to v1.3.1 and fixed some hidden bugs.

Replace #19821
Replace #19834
Included #19850

Co-authored-by: zeripath <art27@cantab.net>
2022-06-04 20:18:50 +01:00
6543 00a981d341
Update go-chi/cache to utilize Ping() (#19719)
* update gitea.com/go-chi/cache -> v0.2.0

* ajust to new interface

* refactor
2022-05-15 20:43:27 +02:00
6543 65ccff54ef
Update go deps (#19665)
* update gitea.com/go-chi/binding
* update github.com/42wim/sshsig
* update github.com/PuerkitoBio/goquery
* update github.com/blevesearch/bleve/v2
* update github.com/caddyserver/certmagic
* update github.com/duo-labs/webauthn
* update github.com/editorconfig/editorconfig-core-go/v2
* update github.com/emirpasic/gods
* update github.com/gliderlabs/ssh
* update github.com/go-chi/cors
* update github.com/go-enry/go-enry/v2
* update github.com/go-git/go-git/v5
* update github.com/go-ldap/ldap/v3
* update github.com/golang-jwt/jwt/v4
* update github.com/google/pprof
* update github.com/klauspost/compress
* update github.com/lib/pq
* update github.com/markbates/goth
* update github.com/minio/minio-go/v7
* update github.com/olivere/elastic/v7
* update github.com/unrolled/render
* update github.com/urfave/cli
* update github.com/xanzy/go-gitlab
* update github.com/yuin/goldmark
* adopt breaking changes of certmagic
2022-05-10 12:32:42 +02:00
wxiaoguang d242511e86
Remove legacy unmaintained packages, refactor to support change default locale (#19308)
Remove two unmaintained vendor packages `i18n` and `paginater`. Changes:
* Rewrite `i18n` package with a more clear fallback mechanism. Fix an unstable `Tr` behavior, add more tests.
* Refactor the legacy `Paginater` to `Paginator`, test cases are kept unchanged.

Trivial enhancement (no breaking for end users):
* Use the first locale in LANGS setting option as the default, add a log to prevent from surprising users.
2022-04-03 17:46:48 +08:00
Lunny Xiao cf5d4a7230
Upgrade xorm/builder from v0.3.9 to v0.3.10 (#19296)
xorm/builder v0.3.10 add support to EXISTS and NOT EXISTS.
2022-04-02 04:14:14 +08:00
wxiaoguang 4f27c28947
Remove legacy `unknwon/com` package (#19298)
Follows: #19284
* The `CopyDir` is only used inside test code
* Rewrite `ToSnakeCase` with more test cases
* The `RedisCacher` only put strings into cache, here we use internal `toStr` to replace the legacy `ToStr`
* The `UniqueQueue` can use string as ID directly, no need to call `ToStr`
2022-04-02 00:34:57 +08:00
Kevin Burke 242d71035a
go.mod: update kevinburke/ssh_config to v1.2.0 (#19286)
Previously if you tried to read a HostName in a config file that
looked like this:

```
Host github
    HostName github.com        # This is the host for code review
```

DefaultUserSettings.Get("HostName") would return "github.com        ",
which I think is unintuitive and unexpected.

This behavior is fixed in v1.2 which would return "github.com" in the
above example.
2022-04-01 00:05:57 +02:00
zeripath c88547ce71
Add Goroutine stack inspector to admin/monitor (#19207)
Continues on from #19202.

Following the addition of pprof labels we can now more easily understand the relationship between a goroutine and the requests that spawn them. 

This PR takes advantage of the labels and adds a few others, then provides a mechanism for the monitoring page to query the pprof goroutine profile.

The binary profile that results from this profile is immediately piped in to the google library for parsing this and then stack traces are formed for the goroutines.

If the goroutine is within a context or has been created from a goroutine within a process context it will acquire the process description labels for that process. 

The goroutines are mapped with there associate pids and any that do not have an associated pid are placed in a group at the bottom as unbound.

In this way we should be able to more easily examine goroutines that have been stuck.

A manager command `gitea manager processes` is also provided that can export the processes (with or without stacktraces) to the command line.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-31 19:01:43 +02:00
Justin Sievenpiper a2c20a6cab
Add Redis Sentinel Authentication Support (#19213)
Gitea was not able to supply any authentication parameters to it. So this brings support to do that, along with some light extraction of a couple of bits into some separate functions for easier testing.

I looked at other libraries supporting similar RedisUri-style connection strings (e.g. Lettuce), but it looks like this type of configuration is beyond what would typically be done in a connection string. Since gitea doesn't have configuration options for manually specifying all this redis connection detail, I went ahead and just chose straightforward names for these new parameters.
2022-03-30 21:12:02 +02:00
Robert Kaussow 909804b717
Bump goldmark to v1.4.11 (#19201)
* Bump goldmark to v1.4.11

* add testcase

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: Andrew Thornton <art27@cantab.net>
2022-03-24 11:47:37 -04:00
techknowlogick ed1d95c55d
use go1.18 to build gitea (#19099)
* use go1.18 to build gitea& update min go version to 1.17

* bump in a few more places

* add a few simple tests for isipprivate

* update go.mod

* update URL to https://go.dev/dl/

* golangci-lint

* attempt golangci-lint workaround

* change version

* bump fumpt version

* skip strings.title test

* go mod tidy

* update tests as some aren't private??

* update tests
2022-03-16 00:08:31 -04:00
silverwind fe9626af29
Use `go run` for tool dependencies, require go 1.17 (#18874)
This ensures the tools only run in the versions we've tested and it also
does not polute PATH with those tools so they are truly isolated. This
syntax of `go run` requires go 1.17, so the minimum version is set
accordingly.

Fixes: https://github.com/go-gitea/gitea/issues/18867

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-03-15 22:50:26 -04:00
Gusted 6ab4a96855
Update golang.org/x/crypto (#19097)
* Update golang.org/x/crypto

- Update dependency to include fix for CVE.
- See https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ?utm_medium=email&utm_source=footer

* Fix deprecation notice

* Remove workaround

- Introduced in https://github.com/go-gitea/gitea/pull/17281
- Fixed in x/crypto:
- 5d542ad81a
- & 3147a52a75

* Update Kex Algorithms

- Use standardized name for curve22519-sha256. 9b076918e3
- Prefer SHA256 version over SHA1 version. e4b3678e5f
2022-03-16 02:59:53 +01:00
Lunny Xiao 2448c5ad8b
Upgrading binding package (#19034)
Fix #18855
2022-03-09 18:06:58 +00:00
techknowlogick 1546580f9e
bump go deps (#19021)
* update gitea.com/go-chi/binding

* update gitea.com/go-chi/cache

* update github.com/42wim/sshsig

* update github.com/PuerkitoBio/goquery

* update github.com/blevesearch/bleve/v2

* update github.com/caddyserver/certmagic

* update github.com/denisenkom/go-mssqldb

* update github.com/duo-labs/webauthn

* update github.com/dustin/go-humanize

* update github.com/editorconfig/editorconfig-core-go/v2

* update github.com/ethantkoenig/rupture

* update github.com/go-chi/chi/v5

* update github.com/go-git/go-git/v5

* update github.com/go-ldap/ldap/v3

* update github.com/go-redis/redis/v8

* update github.com/go-swagger/go-swagger

* update github.com/gogs/chardet

* update github.com/golang-jwt/jwt/v4

* update github.com/hashicorp/go-version

* update github.com/jaytaylor/html2text

* update github.com/klauspost/compress

* update github.com/lib/pq

* update github.com/markbates/goth

* update github.com/mattn/go-sqlite3

* update github.com/mholt/archiver/v3

* update github.com/microcosm-cc/bluemonday

* update github.com/minio/minio-go/v7

* update github.com/msteinert/pam

* update github.com/niklasfasching/go-org

* update github.com/olivere/elastic/v7

* update github.com/prometheus/client_golang

* update github.com/quasoft/websspi

* update github.com/stretchr/testify

* update github.com/unknwon/i18n

* update github.com/unrolled/render

* update github.com/xanzy/go-gitlab

* update github.com/yuin/goldmark

* update github.com/yuin/goldmark-highlighting

* update github.com/yuin/goldmark-meta

* post make vendor

Signed-off-by: Andrew Thornton <art27@cantab.net>

* add make vendor back into update_dependencies.sh

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update update_dependencies.sh

* Update contrib/update_dependencies.sh

Co-authored-by: zeripath <art27@cantab.net>

* update mvdan.cc/xurls/v2

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-03-08 19:15:30 +08:00
Gusted 3c7201682c
Update `go-enry` to v2.8.0 (#18993)
- It was reported in the Matrix channel that Chroma [has support](d402102976)
for the Fennel language, go-enry only added detection support for this
[in v2.7.2](0affa3ccca).

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2022-03-04 01:56:31 +01:00
Gusted 79c7219be8
Update go-org to v1.6.1 (#18932)
- v1.6.0 has a inconsistency with the proxy and github's tagged version,
updating to v1.6.1 should fix this issue.
- Resolves #18864
2022-02-27 16:56:44 +00:00
zeripath e039b76a6f
Update go-org to 1.6.0 (#18824)
Fix #14074

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-02-20 13:01:35 +00:00
Gusted f393bc82cb
Update gitea-vet (#18640)
* Update gitea-vet

- Update gitea-vet to include latest 2 changes
7c98703580...master

* Tidy up go.sum

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
2022-02-06 21:45:00 +00:00
Gusted 9712f7d622
Future proof for 1.18 (#18644)
- Update json-iterator/go to handle 1.18's new memory model with slices.
- Don't panic while running gitea with go 1.18
2022-02-06 20:38:14 +00:00
zeripath b34923d919
Update Goldmark to Goldmark 1.4.4 (#18420)
* Update Goldmark to Goldmark 1.4.4
* nolint the deprecation

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-01-29 21:17:21 +08:00
zeripath 9a75c2741d
Only view milestones from current repo (#18414)
The endpoint /{username}/{reponame}/milestone/{id} is not currently restricted to
the repo. This PR restricts the milestones to those within the repo.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-01-26 20:01:35 +00:00
Aravinth Manivannan 3bb028cc46
Validate migration files (#18203)
JSON Schema validation for data used by Gitea during migrations

Discussion at https://forum.forgefriends.org/t/common-json-schema-for-repository-information/563

Co-authored-by: Loïc Dachary <loic@dachary.org>
2022-01-26 10:45:51 +01:00
6543 6ad7a5376a
Update github.com/duo-labs/webauthn (#18357) 2022-01-22 18:01:40 +01:00
Jelle Hulter bbd30787d3
Updated Chroma to v0.10.0 (#18270) 2022-01-20 17:59:15 +08:00
zeripath 68b59d8966
replace satori/go.uuid with gofrs/uuid (#18311)
Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-01-18 11:04:24 +00:00
Lunny Xiao 35c3553870
Support webauthn (#17957)
Migrate from U2F to Webauthn

Co-authored-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2022-01-14 16:03:31 +01:00
Lunny Xiao a1c12fb0b3
Don't store assets modified time into generated files (#18193) 2022-01-06 21:33:17 -05:00
6543 ec6cc38c6c
code.gitea.io/sdk/gitea v0.14.0 -> v0.15.1 (#18186) 2022-01-05 05:51:12 +01:00
Lunny Xiao e9c9a35a61
Upgrade certmagic from v0.14.1 to v0.15.2 (#18138) 2022-01-01 17:43:28 +08:00
Lunny Xiao 25a290e320
Upgrade bleve from v2.0.6 to v2.3.0 (#18132) 2022-01-01 16:26:27 +08:00
zeripath bcc13f3889
Reset Session ID on login (#18018)
* Reset Session ID on login

When logging in the SessionID should be reset and the session cleaned up.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* with new session.RegenerateID function

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update go-chi/session

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Ensure that session id is changed after oauth data is set and between account linking pages too

Signed-off-by: Andrew Thornton <art27@cantab.net>

* placate lint

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-12-20 22:12:26 +08:00
zeripath 25677cdc5b
Update chroma (#18033)
Update chroma to 0.9.4

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-12-20 02:49:38 +00:00
Wim 6fe756dc93
Add support for ssh commit signing (#17743)
* Add support for ssh commit signing

* Split out ssh verification to separate file

* Show ssh key fingerprint on commit page

* Update sshsig lib

* Make sure we verify against correct namespace

* Add ssh public key verification via ssh signatures

When adding a public ssh key also validate that this user actually
owns the key by signing a token with the private key.

* Remove some gpg references and make verify key optional

* Fix spaces indentation

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update templates/user/settings/keys_ssh.tmpl

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update options/locale/locale_en-US.ini

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Update models/ssh_key_commit_verification.go

Co-authored-by: Gusted <williamzijl7@hotmail.com>

* Reword ssh/gpg_key_success message

* Change Badsignature to NoKeyFound

* Add sign/verify tests

* Fix upstream api changes to user_model User

* Match exact on SSH signature

* Fix code review remarks

Co-authored-by: Gusted <williamzijl7@hotmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-12-19 00:37:18 -05:00
zeripath 957c3fcb59
Update chi/middleware to chi/v5/middleware (#17888)
Fix #17880


Co-authored-by: Lauris BH <lauris@nix.lv>
2021-12-02 21:58:08 +01:00
zeripath c96be0cd98
Make SSL cipher suite configurable (#17440) 2021-11-20 01:12:43 -05:00
wxiaoguang a8fd76557b
Better builtin avatar generator (#17707)
This PR fixes the builtin avatar generator.

1. The random background color makes some images very dirty. So now we only use white background for avatars.
2. We use left-right mirror avatars to satisfy #14799
3. Fix a small padding error in the algorithm
2021-11-20 01:10:41 +08:00
zeripath 9d855bd6a1
Simplify Gothic to use our session store instead of creating a different store (#17507)
* Simplify Gothic to use our session store instead of creating a different store

We have been using xormstore to provide a separate session store for our OAuth2 logins
however, this relies on using gorilla context and some doubling of our session storing.
We can however, simplify and simply use our own chi-based session store. Thus removing
a cookie and some of the weirdness with missing contexts.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>

* as per review

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Handle MaxTokenLength

Signed-off-by: Andrew Thornton <art27@cantab.net>

* oops

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-11-03 08:33:54 +08:00
Lunny Xiao 812a9daab9
Upgrade go-github to v39 (#17437) 2021-10-26 08:19:21 +01:00
zeripath c5a408df05
Upgrade Bluemonday to v1.0.16 (#17372)
Upgrade Bluemonday to latest version

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
2021-10-20 16:58:39 -04:00
6543 3728f1daa0
Add RSS/Atom feed support for user actions (#16002)
Return rss/atom feed for user based on rss url suffix or Content-Type header.
2021-10-16 16:21:16 +02:00
Lunny Xiao d47798ccc7
Upgrade chi to v5 (#17298) 2021-10-13 22:50:23 -04:00
Lunny Xiao ba1fdbcfdb
upgrade xorm to v1.2.5 (#17177) 2021-09-29 23:08:44 +03:00
Lunny Xiao e21a35698c
Upgrade xorm to v1.2.4 (#17059) (#17068)
Co-authored-by: zeripath <art27@cantab.net>
2021-09-16 13:53:28 -04:00
zeripath 8af7a21085
Update go-chi/session (fixes "race" in tests) (#17031)
Update to latest go-chi/session where the NewManager causes a new
Provider instantiation instead of reconfiguring an old one.
(https://gitea.com/go-chi/session/pulls/1)

The NewManager call is now concurrency safe and would allow live
reconfiguration in future but for now this PR simply fixes an
intermittent "data-race" detected in our tests.  (See
https://drone.gitea.io/go-gitea/gitea/43900/2/14)

Related #17027
Related #1441

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-09-13 09:40:55 +01:00
zeripath 1cd4a3b963
Update caddyserver/certmagic (#16789)
Fixes issue with windows users & letsencrypt

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-08-23 18:07:40 -04:00
wxiaoguang 2d1935acc7
Upgrade go.mod go version to 1.16 (#16764) 2021-08-21 20:04:17 +01:00
Lunny Xiao f7a302ca6f
Upgrade levelqueue 0.4.1 (#16696) 2021-08-15 22:52:26 +02:00
Lunny Xiao 7224cfc578
Upgrade xorm to v1.2.2 (#16663)
* Upgrade xorm to v1.2.2

* Change the Engine interface to match xorm v1.2.2
2021-08-13 01:11:42 +02:00
6543 89245ee309
Upgrade github.com/google/go-github v32.1.0 -> v37.0.0 (#16661)
* Upgrade github.com/google/go-github vv32.1.0 -> v37.0.0

* refactor: use GetX() func to reduce code
2021-08-10 11:49:43 +02:00
zeripath 35735bbef9
Upgrade to golang-jwt 3.2.2 (#16590)
* Upgrade to golang-jwt 3.2.2

Upgrade to the latest version of golang-jwt

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Forcibly replace the 3.2.1 version of golang-jwt/jwt and increase minimum Go version

Using go.mod we can forcibly replace the 3.2.1 version used by goth to 3.2.2.

Further given golang-jwt/jwts stated policy of only supporting supported go versions
we should just raise our minimal version of go to 1.16 for 1.16 as by time of release
1.15 will be out of support.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update minimal go required

Signed-off-by: Andrew Thornton <art27@cantab.net>

* update config.yaml

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
2021-08-03 14:32:01 -04:00
Lunny Xiao 5b2e2d29ca
Upgrade levelqueue to v0.4.0 (#16560)
Fix #16546
2021-07-27 16:55:48 +01:00
6543 d717c692fa
bump github.com/markbates/goth from v1.67.1 to v1.68.0 (#16538) 2021-07-24 18:17:02 +01:00
techknowlogick 29a22ade82
switch to maintained lib (#16532)
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Andrew Thornton <art27@cantab.net>
2021-07-24 13:00:41 +02:00
6543 91162bbaea
Update bluemonday to v1.0.15 (#16379)
* update github.com/microcosm-cc/bluemonday

* add exec flag to contrib/update_dependencies.sh

* Fix TESTS
2021-07-09 03:30:31 +02:00
techknowlogick 7613f31c6b
Update vendor 20210707 (#16366)
* update gitea.com/go-chi/binding

* update github.com/blevesearch/bleve/v2

* update github.com/caddyserver/certmagic

* update github.com/go-git/go-git/v5

* update github.com/lafriks/xormstore

* update github.com/yuin/goldmark

* Revert "update gitea.com/go-chi/binding"

This reverts commit dea2f292b1.
2021-07-07 15:41:05 -04:00
Lunny Xiao 760af187ba
Upgrade xorm to v1.1.1 (#16339) 2021-07-04 15:10:46 +02:00
6543 fae07cbc8f
Update Vendor (#16325)
* Add Dependencie Update Script

* update gitea.com/lunny/levelqueue

* update github.com/PuerkitoBio/goquery

* update github.com/alecthomas/chroma

* update github.com/blevesearch/bleve/v2

* update github.com/caddyserver/certmagic

* update github.com/go-enry/go-enry/v2

* update github.com/go-redis/redis/v8

* update github.com/hashicorp/golang-lru

* update github.com/klauspost/compress

* update github.com/markbates/goth

* update github.com/mholt/archiver/v3

* update github.com/microcosm-cc/bluemonday

* update github.com/minio/minio-go/v7

* update github.com/olivere/elastic/v7

* update github.com/xanzy/go-gitlab

* update github.com/yuin/goldmark
2021-07-04 04:06:10 +02:00
zeripath 9979983283
Update Go-Git to take advantage of LargeObjectThreshold (#16316)
Following the merging of https://github.com/go-git/go-git/pull/330 we
can now add a setting to avoid go-git reading and caching large objects.

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-06-30 22:58:45 +02:00
zeripath f825f20d49
Upgrade Gliderlabs SSH to 0.3.3 and add FailedConnectionCallback (#16278)
* Upgrade Gliderlabs SSH to 0.3.3 and add FailedConnectionCallback

Following the merging of https://github.com/gliderlabs/ssh/pull/143 we
can now report connections to the ssh server that have failed before
public key exchange has completed using the standard fail2ban message.

This PR updates Gliderlabs SSH and adds a callback that will provide this
logging.

Signed-off-by: Andrew Thornton <art27@cantab.net>

* move the callback to its own function to make the logging appear little nicer

Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-06-28 13:05:27 -04:00
zeripath 23358bc55d
Use git log name-status in get last commit (#16059)
* Improve get last commit using git log --name-status

git log --name-status -c provides information about the diff between a
commit and its parents. Using this and adjusting the algorithm to use
the first change to a path allows for a much faster generation of commit
info.

There is a subtle change in the results generated but this will cause
the results to more closely match those from elsewhere.

Signed-off-by: Andrew Thornton <art27@cantab.net>

Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Lauris BH <lauris@nix.lv>
2021-06-21 01:00:46 +03:00
Mura Li 19dedc3fa5
Speed up git diff highlight generation (#16180)
Co-authored-by: Mura Li <typeless@users.noreply.github.com>
Co-authored-by: 6543 <6543@obermui.de>
2021-06-17 10:55:16 -04:00
6543 86e2789960
Vendor Update (#16121)
* update github.com/PuerkitoBio/goquery

* update github.com/alecthomas/chroma

* update github.com/blevesearch/bleve/v2

* update github.com/caddyserver/certmagic

* update github.com/go-enry/go-enry/v2

* update github.com/go-git/go-billy/v5

* update github.com/go-git/go-git/v5

* update github.com/go-redis/redis/v8

* update github.com/go-testfixtures/testfixtures/v3

* update github.com/jaytaylor/html2text

* update github.com/json-iterator/go

* update github.com/klauspost/compress

* update github.com/markbates/goth

* update github.com/mattn/go-isatty

* update github.com/mholt/archiver/v3

* update github.com/microcosm-cc/bluemonday

* update github.com/minio/minio-go/v7

* update github.com/prometheus/client_golang

* update github.com/unrolled/render

* update github.com/xanzy/go-gitlab

* update github.com/yuin/goldmark

* update github.com/yuin/goldmark-highlighting

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-06-10 16:44:25 +02:00
Lunny Xiao f6be429781
Upgrade xorm to v1.1.0 (#15869) 2021-05-14 20:17:06 +01:00
Lunny Xiao b61092bcb0
Upgrade unrolled/render to v1.1.1 (#15845) 2021-05-12 18:47:05 +01:00
silverwind c3802dcc0f
Use binary version of revive linter (#15739)
Use the common `go get` method to install and run the revive linter,
removing the useless build/lint.go and related vendor libraries.
2021-05-09 13:08:02 +02:00
6543 792b4dba2c
[Vendor] Update directly used dependencys (#15593)
* update github.com/blevesearch/bleve v2.0.2 -> v2.0.3

* github.com/denisenkom/go-mssqldb v0.9.0 -> v0.10.0

* github.com/editorconfig/editorconfig-core-go v2.4.1 -> v2.4.2

* github.com/go-chi/cors v1.1.1 -> v1.2.0

* github.com/go-git/go-billy v5.0.0 -> v5.1.0

* github.com/go-git/go-git v5.2.0 -> v5.3.0

* github.com/go-ldap/ldap v3.2.4 -> v3.3.0

* github.com/go-redis/redis v8.6.0 -> v8.8.2

* github.com/go-sql-driver/mysql v1.5.0 -> v1.6.0

* github.com/go-swagger/go-swagger v0.26.1 -> v0.27.0

* github.com/lib/pq v1.9.0 -> v1.10.1

* github.com/mattn/go-sqlite3 v1.14.6 -> v1.14.7

* github.com/go-testfixtures/testfixtures v3.5.0 -> v3.6.0

* github.com/issue9/identicon v1.0.1 -> v1.2.0

* github.com/klauspost/compress v1.11.8 -> v1.12.1

* github.com/mgechev/revive v1.0.3 -> v1.0.6

* github.com/microcosm-cc/bluemonday v1.0.7 -> v1.0.8

* github.com/niklasfasching/go-org v1.4.0 -> v1.5.0

* github.com/olivere/elastic v7.0.22 -> v7.0.24

* github.com/pelletier/go-toml v1.8.1 -> v1.9.0

* github.com/prometheus/client_golang v1.9.0 -> v1.10.0

* github.com/xanzy/go-gitlab v0.44.0 -> v0.48.0

* github.com/yuin/goldmark v1.3.3 -> v1.3.5

* github.com/6543/go-version v1.2.4 -> v1.3.1

* do github.com/lib/pq v1.10.0 -> v1.10.1 again ...
2021-04-22 20:08:53 -04:00
6543 8ea1d32bea
[Vendor] update certmagic (#15590)
* update github.com/caddyserver/certmagic v0.12.0 -> v0.13.0

* migrate
2021-04-22 22:42:33 +02:00
Nathan Smith 445e47b692
Bump unrolled/render to v1.1.0 (#15581)
v1.1.0 has improved buffer pooling
2021-04-22 10:54:27 +01:00
zeripath b9ed3cbc26
Upgrade to bluemonday 1.0.7 (#15379)
* Upgrade to bluemonday 1.0.7

Fix #15349

Signed-off-by: Andrew Thornton <art27@cantab.net>

* resolve unit test

Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2021-04-09 19:13:06 -04:00
zeripath 04196b7658
Update to bluemonday-1.0.6 (#15294)
Signed-off-by: Andrew Thornton <art27@cantab.net>
2021-04-05 17:38:31 -04:00
techknowlogick 70d84f9b73
update golang libraries (#15258) 2021-04-03 11:02:27 +08:00
6543 5f038cd7fe
[Vendor] update gitea-sdk v0.14.0 (#15103)
* upgraded code.gitea.io/sdk/gitea v0.13.2 => v0.14.0

* rm workaround
2021-03-22 18:03:18 +01:00
6543 24f7bd5899
Use i18n.Reset to reload locales (#15073) 2021-03-21 16:11:36 +01:00