Commit Graph

329 Commits

Author SHA1 Message Date
Earl Warren adce1cad5c
[v1.21/forgejo] fix(security): GO-2024-2947
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/4245
2024-06-26 12:11:22 +02:00
Earl Warren 6a2369c64c
chore(dependency): whitelist mholt/archiver/v3 CVE-2024-0406
It is not possible to tell vulncheck that Forgejo is not affected by
CVE-2024-0406. Use a mirror of the repository to do that.

Refs: https://github.com/mholt/archiver/issues/404
(cherry picked from commit 3bfec270ac)

Conflicts:
	go.sum
	trivial context conflict
2024-06-05 22:23:01 +02:00
Lunny Xiao c2f9eacd50
Upgrade go-sqlite to v1.14.22 ()
(cherry picked from commit fc4e08f804704613d3a99347ef25813b9d38a422)
2024-04-15 09:41:13 +02:00
Earl Warren eb01993282
[CHORE] Update golang.org/x/net
Per https://pkg.go.dev/vuln/GO-2024-2687
2024-04-04 07:06:30 +02:00
Earl Warren 510b2ff70e
Update Chroma to v2.13.0 () () (step 2)
go mod tidy was missing but compensated for in Gitea by another commit merged
afterwards. It is skipped in Forgejo, which is why this is necessary.
2024-03-21 17:09:00 +01:00
Lunny Xiao 1952c3a0a5
Update Chroma to v2.13.0 () ()
Backport 

This adds new lexers and includes some fixes. See
https://github.com/alecthomas/chroma/releases/tag/v2.13.0 for the full
changelog.

Co-authored-by: JakobDev <jakobdev@gmx.de>
(cherry picked from commit 31ab839a6587ea93edfec4d0147282c689d3e312)
2024-03-21 09:38:01 +01:00
techknowlogick e7448699f6
bump protobuf module ()
(cherry picked from commit 06039bf0b7ec4dffe74ae323b8bbbbedec69d0c8)

Conflicts:
	go.mod
	go.sum
	trivial context conflict
2024-03-06 11:53:02 +08:00
6543 faafccbcc7
Update go dependencies and fix go-git () ()
Backport 

(cherry picked from commit c33886b710)

Conflicts:
	go.sum
	trivial conflict because of 120294c44e * [GITEA] Use maintained gziphandler
2024-01-31 16:46:41 +01:00
Lunny Xiao 8e8adab88c
Upgrade xorm to v1.3.7 to fix a resource leak problem caused by Iterate () ()
backport 

Mainly fix an error https://gitea.com/xorm/xorm/issues/2393

(cherry picked from commit e95006848e)
2024-01-31 14:18:26 +01:00
Chongyi Zheng 82ec85550e
Update github.com/cloudflare/circl () ()
Backport 

cloudflare/circl: https://github.com/advisories/GHSA-9763-4f94-gfch

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit d1db2b7251)
2024-01-16 14:40:56 +00:00
Giteabot 0a157ed950
Upgrade xorm to new version which supported update join for all supported databases () ()
Backport  by @lunny

Fix https://github.com/go-gitea/gitea/pull/28547#issuecomment-1867740842

Since https://gitea.com/xorm/xorm/pulls/2383 merged, xorm now supports
UPDATE JOIN.
To stay consistent across different databases, xorm uses
`engine.Join().Update`, but the actual generated SQL is different
between different databases.

For MySQL, it's `UPDATE table1 JOIN table2 ON join_conditions SET xxx
Where xxx`.

For MSSQL, it's `UPDATE table1 SET xxx FROM TABLE1, TABLE2 WHERE
join_conditions`.

For SQLITE per https://www.sqlite.org/lang_update.html, sqlite supports
`UPDATE table1 SET xxx FROM table2 WHERE join conditions` from
3.33.0 (2020-8-14).

POSTGRES is the same as SQLITE.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
(cherry picked from commit 18da3f8483)
2024-01-16 14:16:55 +00:00
Gusted 120294c44e
[GITEA] Use maintained gziphandler
- https://github.com/NYTimes/gziphandler doesn't seem to be maintained
anymore and Forgejo already includes
https://github.com/klauspost/compress which provides a maintained and
faster gzip handler fork.
- Enables Jitter to prevent BREACH attacks, as this *seems* to be
possible in the context of Forgejo.

(cherry picked from commit cc2847241d)
(cherry picked from commit 99ba56a876)

Conflicts:
	go.sum
	https://codeberg.org/forgejo/forgejo/pulls/1581
(cherry picked from commit 711638193d)
(cherry picked from commit 9c12a37fde)
(cherry picked from commit 91191aaaed)
(cherry picked from commit 72be417f84)
(cherry picked from commit 98497c84da)
(cherry picked from commit fba042adb5)
(cherry picked from commit dd2414f226)

Conflicts:
	routers/web/web.go
	https://codeberg.org/forgejo/forgejo/issues/2016
2024-01-16 14:09:55 +00:00
Earl Warren 0b872a403d
Revert "[GITEA] Use maintained gziphandler"
This reverts commit dd2414f226.
2024-01-16 14:08:31 +00:00
Gusted 9515a0ea38
[GITEA] Update crypto dependency
- https://groups.google.com/g/golang-announce/c/qA3XtxvMUyg & https://terrapin-attack.com/

(cherry picked from commit b38e83c9ef)
2023-12-19 15:24:20 +01:00
Gusted dd2414f226
[GITEA] Use maintained gziphandler
- https://github.com/NYTimes/gziphandler doesn't seem to be maintained
anymore and Forgejo already includes
https://github.com/klauspost/compress which provides a maintained and
faster gzip handler fork.
- Enables Jitter to prevent BREACH attacks, as this *seems* to be
possible in the context of Forgejo.

(cherry picked from commit cc2847241d)
(cherry picked from commit 99ba56a876)

Conflicts:
	go.sum
	https://codeberg.org/forgejo/forgejo/pulls/1581
(cherry picked from commit 711638193d)
(cherry picked from commit 9c12a37fde)
(cherry picked from commit 91191aaaed)
(cherry picked from commit 72be417f84)
(cherry picked from commit 98497c84da)
(cherry picked from commit fba042adb5)
2023-11-13 14:06:31 +01:00
Gusted 7e15173c16
[GITEA] Use existing jsonschema library
- Use the 'existing' jsonschema library for the nodeinfo integration test.

(cherry picked from commit 73864840f2)
(cherry picked from commit da36df306b)

Conflicts:
	go.mod
	https://codeberg.org/forgejo/forgejo/pulls/1581
(cherry picked from commit 2b4ab46d8e)

Conflicts:
	go.mod
	https://codeberg.org/forgejo/forgejo/pulls/1617
(cherry picked from commit 8064130344)
(cherry picked from commit ca32f14bc2)
(cherry picked from commit 6a4abb928f)
(cherry picked from commit 0059a44ae8)
(cherry picked from commit 8dc8451fd0)
2023-11-13 14:06:31 +01:00
Gusted a7a74706ec
[GITEA] Remove SSH workaround
- Update github.com/gliderlabs/ssh to include 02f9d57300.
- Resolves https://codeberg.org/forgejo/forgejo/issues/1230

(cherry picked from commit 05a0fd8c9f)
(cherry picked from commit fcd68716a3)

Conflicts:
	go.mod
	https://codeberg.org/forgejo/forgejo/pulls/1581
(cherry picked from commit ff60267b91)
(cherry picked from commit cff3238a21)
(cherry picked from commit 93a3cc6bda)
(cherry picked from commit 213f1edbdc)
(cherry picked from commit c249b0b0aa)
(cherry picked from commit 43abe08aff)
2023-11-13 14:06:31 +01:00
Giteabot 2d2a5657ef
Upgrade xorm to 1.3.4 () ()
Backport  by @lng2020

Noticeable change: 
Remove the `OrderBy("1") `
[patch](https://github.com/go-gitea/gitea/pull/27673#issuecomment-1768570142)
for mssql since xorm has [fixed
it](0f085408af).

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
2023-10-27 14:17:27 +02:00
Giteabot 977f5db28e
Chroma v2.10.0 () ()
Backport  by @bt90

Bump the chroma version to v2.10.0:
https://github.com/alecthomas/chroma/releases/tag/v2.10.0

This release includes a better Java lexer
https://github.com/alecthomas/chroma/pull/873

Co-authored-by: bt90 <btom1990@googlemail.com>
2023-10-27 13:25:25 +02:00
Giteabot 89d3766d22
Upgrade xorm () ()
Backport  by @lng2020

Related to https://gitea.com/xorm/xorm/pulls/2341

Co-authored-by: Nanguan Lin <70063547+lng2020@users.noreply.github.com>
2023-10-19 10:56:39 +00:00
Chongyi Zheng 9f228704a3
Upgrade go dependencies () ()
Backport 

Upgrade all dependencies in `go.mod`

`golang.org/x/net` v0.17.0 also fixes
[CVE-2023-39325](https://github.com/advisories/GHSA-4374-p667-p6c8)

Co-authored-by: delvh <dev.lh@web.de>
2023-10-13 17:23:17 +00:00
Giteabot 8e1ef5787f
bump go-deps () ()
Backport  by @techknowlogick

---------

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-authored-by: silverwind <me@silverwind.io>
2023-10-08 00:07:09 +00:00
Giteabot e4cf9d22a7
bump bleve () ()
Backport  by @techknowlogick

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-authored-by: yp05327 <576951401@qq.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2023-09-27 07:47:30 +00:00
Giteabot 2181b3713e
Update go-enry to 2.8.5 () ()
2023-09-23 16:05:59 -04:00
silverwind 539ecc24a3
Update chroma to v2.9.1 ()
2023-09-09 14:37:38 +00:00
wxiaoguang fc039167d2
Use Go 1.21 and update dependencies ()
To make sure Gitea's next release's lifecycle could have active Golang
support.

And min/max are builtin now.
2023-09-03 10:34:57 +00:00
wxiaoguang 1432d4eab9
Update go dependencies ()
2023-08-16 12:02:40 +00:00
Lunny Xiao cad22512b8
Upgrade x/net to 0.13.0 ()
2023-08-03 08:29:57 +00:00
Lunny Xiao c7f6e9fc2f
Update xorm version ()
Test new xorm version compatible with Gitea

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
2023-07-25 20:27:44 +00:00
Chongyi Zheng f2138d6968
Replace gogs/cron with go-co-op/gocron ()
Replace `github.com/gogs/cron` with `github.com/go-co-op/gocron` as the
former package has not been maintained for many years.

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-07-24 04:13:41 +00:00
wxiaoguang d0dbe52e76
Refactor to use urfave/cli/v2 ()
Replace 

And there are many new tests to cover the CLI behavior

There were some concerns about the "option order in hook scripts"
(https://github.com/go-gitea/gitea/pull/10912#issuecomment-1137543314),
it's not a problem now. Because the hook script uses `/gitea hook
--config=/app.ini pre-receive` format. The "config" is a global option,
it can appear anywhere.

----

## ⚠️ BREAKING ⚠️

This PR does its best to avoid breaking anything. The major changes are:

* `gitea` itself won't accept web's options: `--install-port` / `--pid`
/ `--port` / `--quiet` / `--verbose` .... They are `web` sub-command's
options.
    * Use `./gitea web --pid ....` instead
* `./gitea` can still run the `web` sub-command as shorthand, with
default options
* The sub-command's options must follow the sub-command
    * Before: `./gitea --sub-opt subcmd` might equal to `./gitea subcmd
--sub-opt` (well, might not ...)
    * After: only `./gitea subcmd --sub-opt` could be used
    * The global options like `--config` are not affected
2023-07-21 17:28:19 +08:00
harryzcy ec227d6682
Remove nfnt/resize and oliamb/cutter ()
The package `github.com/nfnt/resize` is deprecated and archived by the
author. `github.com/oliamb/cutter` has not been maintained since 2018. We
could use `golang.org/x/image/draw` instead.
2023-07-20 19:52:42 +08:00
harryzcy 0f9f6567bb
Bump github.com/golang-jwt/jwt to v5 ()
Bumping `github.com/golang-jwt/jwt` from v4 to v5.

`github.com/golang-jwt/jwt` v5 is bringing some breaking changes:

- standard `Valid()` method on claims is removed. It's replaced by
`ClaimsValidator` interface implementing `Validator()` method instead,
which is called after standard validation. Gitea doesn't seem to be
using this logic.
- `jwt.Token` has a field `Valid`, so it's checked in `ParseToken`
function in `services/auth/source/oauth2/token.go`

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-07-19 09:57:10 +00:00
KN4CK3R 8af96f585f
Disallow dangerous url schemes ()
Regression: https://github.com/go-gitea/gitea/pull/24805
Closes: 

- Disallow `javascript`, `vbscript` and `data` (data uri images still
work) url schemes even if all other schemes are allowed
- Fixed older `cbthunderlink` tests

---------

Co-authored-by: delvh <dev.lh@web.de>
2023-07-18 15:18:37 +00:00
harryzcy c5e187c389
Upgrade go dependencies ()
2023-07-14 11:00:31 +08:00
Lunny Xiao 71446eee99
Fix wrong warn messages in migration steps ()
The recent change in xorm for `Sync` is that it will not warn when the database
has columns which are not listed on the struct. So we only need these warning
logs when we `Sync` the whole database, but not in the migrations' Sync.

This PR will remove almost unnecessary warning logs on migrations.

Now the logs below will disappear from CI.
```log
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column creator_id but struct has not related field
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column is_closed but struct has not related field
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column board_type but struct has not related field
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column type but struct has not related field
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column closed_date_unix but struct has not related field
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column created_unix but struct has not related field
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column updated_unix but struct has not related field
2023/06/23 17:51:32 models/db/engine.go:191:InitEngineWithMigration() [W] Table gtestschema.project has column card_type but struct has not related field
```
2023-06-24 08:20:08 +00:00
sillyguodong 8228751c55
Support changing labels of Actions runner without re-registration ()
close 

related:
- Protocol: https://gitea.com/gitea/actions-proto-def/pulls/9
- Runner side: https://gitea.com/gitea/act_runner/pulls/201

changes:
- Add column of `labels` to table `action_runner`, and combine the value
of `agent_labels` and `custom_labels` column to `labels` column.
- Store `labels` when registering `act_runner`.
- Update `labels` when `act_runner` starts and calls `Declare`.
- Users cannot modify the `custom labels` in the edit page any more.

other changes:
- Store `version` when registering `act_runner`.
- If the runner is the latest version, parse the version from `Declare`. But
older runner versions still parse the version from the request header.
2023-06-13 22:28:31 +08:00
Yevhen Pavlov 5fa4415bbb
Update github.com/google/go-github to v53 ()
The new `go-github` version
[53](https://github.com/google/go-github/releases/tag/v53.0.0) has been
released.
2023-06-09 19:42:51 +00:00
6543 4c81dae297
Update github.com/google/go-github to v52 ()
based on https://github.com/google/go-github/pull/2743

because of
https://github.com/go-gitea/gitea/pull/23946#discussion_r1160317554

---------

Co-authored-by: silverwind <me@silverwind.io>
2023-05-31 00:31:51 +00:00
Yarden Shoham f5ce2ed292
Allow all URL schemes in Markdown links by default ()
- Closes 
- Closes 

## ⚠️ BREAKING ⚠️
This changes the default behavior to now create links for any URL scheme
when the user uses the markdown form for links (`[label](URL)`), this
doesn't affect the rendering of inline links. To opt-out set the
`markdown.CUSTOM_URL_SCHEMES` setting to a list of allowed schemes, all
other schemes (except `http` and `https`) won't be allowed.

# Before

![image](https://github.com/go-gitea/gitea/assets/20454870/35fa18ce-7dda-4995-b5b3-3f360f38296d)

# After

![image](https://github.com/go-gitea/gitea/assets/20454870/0922216b-0b35-4b77-9919-21a5c21dd5d0)

---------

Signed-off-by: Yarden Shoham <git@yardenshoham.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-19 17:17:07 +02:00
KN4CK3R 05209f0d1d
Add RPM registry ()
Fixes 

This PR adds a RPM package registry. You can follow [this
tutorial](https://opensource.com/article/18/9/how-build-rpm-packages) to
build a *.rpm package for testing.

This functionality is similar to the Debian registry () and
therefore shares some methods. I marked this PR as blocked because it
should be merged after .


![grafik](https://user-images.githubusercontent.com/1666336/223806549-d8784fd9-9d79-46a2-9ae2-f038594f636a.png)
2023-05-05 20:33:37 +00:00
techknowlogick a1cd455c85
Bump golang deps ()
2023-05-05 17:17:19 +08:00
KN4CK3R bf999e4069
Add Debian package registry ()
Co-authored-by: @awkwardbunny

This PR adds a Debian package registry.
You can follow [this
tutorial](https://www.baeldung.com/linux/create-debian-package) to build
a *.deb package for testing.
Source packages are not supported at the moment and I did not find
documentation of the architecture "all" and how these packages should be
treated.


![grafik](https://user-images.githubusercontent.com/1666336/218126879-eb80a866-775c-4c8e-8529-5797203a64e6.png)

Part of .

Revised copy of .

---------

Co-authored-by: Brian Hong <brian@hongs.me>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: Giteabot <teabot@gitea.io>
2023-05-02 12:31:35 -04:00
Yarden Shoham c0ddec8a2a
Revert "Add Debian package registry" ()
Reverts 
2023-04-28 18:06:41 -04:00
KN4CK3R bf77e2163b
Add Debian package registry ()
Co-authored-by: @awkwardbunny

This PR adds a Debian package registry. You can follow [this
tutorial](https://www.baeldung.com/linux/create-debian-package) to build
a *.deb package for testing. Source packages are not supported at the
moment and I did not find documentation of the architecture "all" and
how these packages should be treated.

---------

Co-authored-by: Brian Hong <brian@hongs.me>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
2023-04-28 17:51:36 -04:00
Zettat123 cc8874864c
Upgrade act ()
2023-04-24 12:46:54 +08:00
Jason Song ac384c4e1d
Support upload `outputs` and use `needs` context on Actions ()
See [Defining outputs for
jobs](https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs)
and [Example usage of the needs
context](https://docs.github.com/en/actions/learn-github-actions/contexts#example-usage-of-the-needs-context).

Related to:
- [actions-proto-def
](https://gitea.com/gitea/actions-proto-def/pulls/5)
- [act_runner ](https://gitea.com/gitea/act_runner/pulls/133)

<details>
<summary>Tests & screenshots</summary>

Test workflow file:
```yaml
name: outputs
on: push

jobs:
  job1:
    runs-on: ubuntu-latest
    outputs:
      output1: ${{ steps.step1.outputs.output1 }}
      output2: ${{ steps.step2.outputs.output2 }}
    steps:
      - name: step1
        id: step1
        run: |
          date -Is > output1
          cat output1
          echo "output1=$(cat output1)" >> $GITHUB_OUTPUT
      - name: step2
        id: step2
        run: |
          cat /proc/sys/kernel/random/uuid > output2
          cat output2
          echo "output2=$(cat output2)" >> $GITHUB_OUTPUT
  job2:
    needs: job1
    runs-on: ubuntu-latest
    steps:
      - run: echo ${{ needs.job1.outputs.output1 }}
      - run: echo ${{ needs.job1.outputs.output2 }}
      - run: echo ${{ needs.job1.result }}
```

<img width="397" alt="image"
src="https://user-images.githubusercontent.com/9418365/233313322-903e7ebf-49a7-48e2-8c17-95a4581b3284.png">
<img width="385" alt="image"
src="https://user-images.githubusercontent.com/9418365/233313442-30909135-1711-4b78-a5c6-133fcc79f47c.png">



</details>

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2023-04-22 16:12:41 -04:00
JakobDev 65fe0fb22c
Allow `webp` images as avatars ()
Users can now upload `webp` images.
Browsers supporting webp images then display this as the avatar of this
user (every major browser except IE).

---------

Co-authored-by: silverwind <me@silverwind.io>
2023-04-21 13:15:49 -04:00
techknowlogick 985f76dc4b
Update redis library to support redis v7 ()
2023-04-13 18:41:04 -04:00
harryzcy 1ee45305e0
Update github.com/google/go-github to v51 ()
`github.com/google/go-github` has new major version releases frequently.
It is required to update all import paths, in addition to `go.mod`
2023-04-08 19:27:30 +08:00