Dockerfile: rename user to _gitea instead of git

hooks: Harden when we accept push options that change repo settings
It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
2024-04-18 21:18:33 -03:00 · 2024-04-18 11:53:30 +02:00 · 2024-04-18 09:39:47 +02:00 · 2024-04-17 10:19:07 +00:00 · 2024-04-15 15:25:12 +00:00 · 2024-04-15 16:17:16 +02:00
19 changed files with 282 additions and 29 deletions
--- a/.forgejo/workflows/publish-release.yml
+++ b/.forgejo/workflows/publish-release.yml
@ -57,7 +57,7 @@ jobs:
        uses: https://code.forgejo.org/actions/setup-go@v4
        if: secrets.ROLE == 'forgejo-experimental'
        with:
-          go-version: "1.21.9"
+          go-version: "1.21"
          check-latest: true
      - name: update the _release.experimental DNS record
        if: secrets.ROLE == 'forgejo-experimental'
--- a/.forgejo/workflows/testing.yml
+++ b/.forgejo/workflows/testing.yml
@ -16,7 +16,7 @@ jobs:
      - uses: https://code.forgejo.org/actions/checkout@v3
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
-          go-version: "1.21.9"
+          go-version: "1.21"
          check-latest: true
      - run: make deps-backend deps-tools
      - run: make lint-backend
@ -30,7 +30,7 @@ jobs:
      - uses: https://code.forgejo.org/actions/checkout@v3
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
-          go-version: "1.21.9"
+          go-version: "1.21"
          check-latest: true
      - run: make deps-backend deps-tools
      - run: make --always-make checks-backend # ensure the "go-licenses" make target runs
@ -49,7 +49,7 @@ jobs:
      - uses: https://code.forgejo.org/actions/checkout@v3
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
-          go-version: "1.21.9"
+          go-version: "1.21"
      - run: |
          git config --add safe.directory '*'
          adduser --quiet --comment forgejo --disabled-password forgejo
@ -85,7 +85,7 @@ jobs:
      - uses: https://code.forgejo.org/actions/checkout@v3
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
-          go-version: "1.21.9"
+          go-version: "1.21"
      - name: install dependencies
        run: |
          export DEBIAN_FRONTEND=noninteractive
@ -128,7 +128,7 @@ jobs:
      - uses: https://code.forgejo.org/actions/checkout@v3
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
-          go-version: "1.21.9"
+          go-version: "1.21"
      - name: install dependencies
        run: |
          export DEBIAN_FRONTEND=noninteractive
@ -162,7 +162,7 @@ jobs:
      - uses: https://code.forgejo.org/actions/checkout@v3
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
-          go-version: "1.21.9"
+          go-version: "1.21"
      - name: install dependencies
        run: |
          export DEBIAN_FRONTEND=noninteractive
--- a/2
+++ b/2
@ -89,7 +89,7 @@ endif
 VERSION = ${GITEA_VERSION}

 # SemVer
-FORGEJO_VERSION := 6.0.10+0-gitea-1.21.10
+FORGEJO_VERSION := 6.0.11+0-gitea-1.21.11

 LDFLAGS := $(LDFLAGS) -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(GITEA_VERSION)" -X "main.Tags=$(TAGS)" -X "code.gitea.io/gitea/routers/api/forgejo/v1.ForgejoVersion=$(FORGEJO_VERSION)" -X "main.ForgejoVersion=$(FORGEJO_VERSION)"

--- a/go.mod
+++ b/go.mod
@ -72,7 +72,7 @@ require (
 	github.com/lib/pq v1.10.9
 	github.com/markbates/goth v1.78.0
 	github.com/mattn/go-isatty v0.0.20
-	github.com/mattn/go-sqlite3 v1.14.17
+	github.com/mattn/go-sqlite3 v1.14.22
 	github.com/meilisearch/meilisearch-go v0.25.1
 	github.com/mholt/archiver/v3 v3.5.1
 	github.com/microcosm-cc/bluemonday v1.0.26
--- a/go.sum
+++ b/go.sum
@ -714,8 +714,8 @@ github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
-github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM=
-github.com/mattn/go-sqlite3 v1.14.17/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/meilisearch/meilisearch-go v0.25.1 h1:D5wY22sn5kkpRH3uYMGlwltdUEq5regIFmO7awHz3Vo=
--- a/models/fixtures/action_run.yml
+++ b/models/fixtures/action_run.yml
@ -17,3 +17,23 @@
  updated: 1683636626
  need_approval: 0
  approved_by: 0
+-
+  id: 891
+  title: "update actions"
+  repo_id: 1
+  owner_id: 1
+  workflow_id: "artifact.yaml"
+  index: 187
+  trigger_user_id: 1
+  ref: "refs/heads/branch2"
+  commit_sha: "985f0301dba5e7b34be866819cd15ad3d8f508ee"
+  event: "push"
+  is_fork_pull_request: 0
+  status: 1 # success
+  started: 1683636528
+  stopped: 1683636626
+  created: 1683636108
+  updated: 1683636626
+  need_approval: 0
+  approved_by: 0
+  event_payload: '{"head_commit":{"id":"5f22f7d0d95d614d25a5b68592adb345a4b5c7fd"}}'
--- a/models/fixtures/action_run_job.yml
+++ b/models/fixtures/action_run_job.yml
@ -12,3 +12,17 @@
  status: 1
  started: 1683636528
  stopped: 1683636626
+-
+  id: 292
+  run_id: 891
+  repo_id: 1
+  owner_id: 1
+  commit_sha: 985f0301dba5e7b34be866819cd15ad3d8f508ee
+  is_fork_pull_request: 0
+  name: job_2
+  attempt: 1
+  job_id: job_2
+  task_id: 47
+  status: 1
+  started: 1683636528
+  stopped: 1683636626
--- a/models/organization/org.go
+++ b/models/organization/org.go
@ -9,6 +9,7 @@ import (
 	"fmt"
 	"strings"

+	actions_model "code.gitea.io/gitea/models/actions"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/perm"
 	repo_model "code.gitea.io/gitea/models/repo"
@ -401,6 +402,8 @@ func DeleteOrganization(ctx context.Context, org *Organization) error {
 		&TeamUnit{OrgID: org.ID},
 		&TeamInvite{OrgID: org.ID},
 		&secret_model.Secret{OwnerID: org.ID},
+		&actions_model.ActionRunner{OwnerID: org.ID},
+		&actions_model.ActionRunnerToken{OwnerID: org.ID},
 	); err != nil {
 		return fmt.Errorf("DeleteBeans: %w", err)
 	}
--- a/modules/lfs/filesystem_client.go
+++ b/modules/lfs/filesystem_client.go
@ -44,7 +44,7 @@ func (c *FilesystemClient) Download(ctx context.Context, objects []Pointer, call
 		if err != nil {
 			return err
 		}
-
+		defer f.Close()
 		if err := callback(p, f, nil); err != nil {
 			return err
 		}
@ -75,7 +75,7 @@ func (c *FilesystemClient) Upload(ctx context.Context, objects []Pointer, callba
 			if err != nil {
 				return err
 			}
-
+			defer f.Close()
 			_, err = io.Copy(f, content)

 			return err
--- a/routers/api/actions/runner/runner.go
+++ b/routers/api/actions/runner/runner.go
@ -9,6 +9,8 @@ import (
 	"net/http"

 	actions_model "code.gitea.io/gitea/models/actions"
+	repo_model "code.gitea.io/gitea/models/repo"
+	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/actions"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/util"
@ -54,6 +56,18 @@ func (s *Service) Register(
 		return nil, errors.New("runner registration token has been invalidated, please use the latest one")
 	}

+	if runnerToken.OwnerID > 0 {
+		if _, err := user_model.GetUserByID(ctx, runnerToken.OwnerID); err != nil {
+			return nil, errors.New("owner of the token not found")
+		}
+	}
+
+	if runnerToken.RepoID > 0 {
+		if _, err := repo_model.GetRepositoryByID(ctx, runnerToken.RepoID); err != nil {
+			return nil, errors.New("repository of the token not found")
+		}
+	}
+
 	labels := req.Msg.Labels
 	// TODO: agent_labels should be removed from pb after Gitea 1.20 released.
 	// Old version runner's agent_labels slice is not empty and labels slice is empty.
--- a/routers/private/hook_pre_receive.go
+++ b/routers/private/hook_pre_receive.go
@ -101,6 +101,57 @@ func (ctx *preReceiveContext) AssertCreatePullRequest() bool {
 	return true
 }

+func (ctx *preReceiveContext) canChangeSettings() bool {
+	if !ctx.loadPusherAndPermission() {
+		return false
+	}
+
+	perm, err := access_model.GetUserRepoPermission(ctx, ctx.Repo.Repository, ctx.user)
+	if err != nil {
+		return false
+	}
+	if !perm.IsOwner() && !perm.IsAdmin() {
+		return false
+	}
+
+	if ctx.Repo.Repository.IsFork {
+		return false
+	}
+
+	return true
+}
+
+func (ctx *preReceiveContext) assertChangeSettings() bool {
+	opts := web.GetForm(ctx).(*private.HookOptions)
+
+	if len(opts.GitPushOptions) == 0 {
+		return true
+	}
+
+	_, hasPrivateOpt := opts.GitPushOptions[private.GitPushOptionRepoPrivate]
+	_, hasTemplateOpt := opts.GitPushOptions[private.GitPushOptionRepoTemplate]
+
+	if !hasPrivateOpt && !hasTemplateOpt {
+		// If neither `repo.private` nor `repo.template` is present in
+		// the push options, we're good to go without further permission
+		// checking.
+		return true
+	}
+
+	// Either `repo.private` or `repo.template` is among the push options,
+	// do some permission checks.
+	if !ctx.canChangeSettings() {
+		if ctx.Written() {
+			return false
+		}
+		ctx.JSON(http.StatusForbidden, private.Response{
+			UserMsg: "Permission denied for changing repo settings.",
+		})
+		return false
+	}
+	return true
+}
+
 // HookPreReceive checks whether a individual commit is acceptable
 func HookPreReceive(ctx *gitea_context.PrivateContext) {
 	opts := web.GetForm(ctx).(*private.HookOptions)
@ -111,6 +162,10 @@ func HookPreReceive(ctx *gitea_context.PrivateContext) {
 		opts:           opts,
 	}

+	if !ourCtx.assertChangeSettings() {
+		return
+	}
+
 	// Iterate across the provided old commit IDs
 	for i := range opts.OldCommitIDs {
 		oldCommitID := opts.OldCommitIDs[i]
--- a/routers/web/repo/render.go
+++ b/routers/web/repo/render.go
@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/modules/charset"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/git"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/typesniffer"
 	"code.gitea.io/gitea/modules/util"
@ -44,20 +45,17 @@ func RenderFile(ctx *context.Context) {
 	isTextFile := st.IsText()

 	rd := charset.ToUTF8WithFallbackReader(io.MultiReader(bytes.NewReader(buf), dataRc), charset.ConvertOpts{})
+	ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")

 	if markupType := markup.Type(blob.Name()); markupType == "" {
 		if isTextFile {
-			_, err = io.Copy(ctx.Resp, rd)
-			if err != nil {
-				ctx.ServerError("Copy", err)
+			_, _ = io.Copy(ctx.Resp, rd)
+		} else {
+			http.Error(ctx.Resp, "Unsupported file type render", http.StatusInternalServerError)
 		}
 		return
 	}
-		ctx.Error(http.StatusInternalServerError, "Unsupported file type render")
-		return
-	}

-	ctx.Resp.Header().Add("Content-Security-Policy", "frame-src 'self'; sandbox allow-scripts")
 	err = markup.Render(&markup.RenderContext{
 		Ctx:          ctx,
 		RelativePath: ctx.Repo.TreePath,
@ -71,7 +69,8 @@ func RenderFile(ctx *context.Context) {
 		InStandalonePage: true,
 	}, rd, ctx.Resp)
 	if err != nil {
-		ctx.ServerError("Render", err)
+		log.Error("Failed to render file %q: %v", ctx.Repo.TreePath, err)
+		http.Error(ctx.Resp, "Failed to render file", http.StatusInternalServerError)
 		return
 	}
 }
--- a/services/actions/commit_status.go
+++ b/services/actions/commit_status.go
@ -15,6 +15,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	api "code.gitea.io/gitea/modules/structs"
 	webhook_module "code.gitea.io/gitea/modules/webhook"
+	files_service "code.gitea.io/gitea/services/repository/files"

 	"github.com/nektos/act/pkg/jobparser"
 )
@ -114,18 +115,15 @@ func createCommitStatus(ctx context.Context, job *actions_model.ActionRunJob) er
 	}

 	creator := user_model.NewActionsUser()
-	if err := git_model.NewCommitStatus(ctx, git_model.NewCommitStatusOptions{
-		Repo:    repo,
-		SHA:     sha,
-		Creator: creator,
-		CommitStatus: &git_model.CommitStatus{
+	if err := files_service.CreateCommitStatus(ctx, repo, creator,
+		sha,
+		&git_model.CommitStatus{
 			SHA:         sha,
 			TargetURL:   fmt.Sprintf("%s/jobs/%d", run.Link(), index),
 			Description: description,
 			Context:     ctxname,
 			CreatorID:   creator.ID,
 			State:       state,
-		},
 		}); err != nil {
 		return fmt.Errorf("NewCommitStatus: %w", err)
 	}
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@ -452,7 +452,7 @@ func handleSchedules(
 			RepoID:        input.Repo.ID,
 			OwnerID:       input.Repo.OwnerID,
 			WorkflowID:    dwf.EntryName,
-			TriggerUserID: input.Doer.ID,
+			TriggerUserID: user_model.ActionsUserID,
 			Ref:           input.Repo.DefaultBranch,
 			CommitSHA:     commit.ID.String(),
 			Event:         webhook_module.HookEventType(api.HookScheduleCreated),
--- a/services/migrations/gitbucket.go
+++ b/services/migrations/gitbucket.go
@ -72,6 +72,11 @@ func (g *GitBucketDownloader) LogString() string {
 // NewGitBucketDownloader creates a GitBucket downloader
 func NewGitBucketDownloader(ctx context.Context, baseURL, userName, password, token, repoOwner, repoName string) *GitBucketDownloader {
 	githubDownloader := NewGithubDownloaderV3(ctx, baseURL, userName, password, token, repoOwner, repoName)
+	// Gitbucket 4.40 uses different internal hard-coded perPage values.
+	// Issues, PRs, and other major parts use 25.  Release page uses 10.
+	// Some API doesn't support paging yet.  Sounds difficult, but using
+	// minimum number among them worked out very well.
+	githubDownloader.maxPerPage = 10
 	githubDownloader.SkipReactions = true
 	githubDownloader.SkipReviews = true
 	return &GitBucketDownloader{
--- a/services/repository/delete.go
+++ b/services/repository/delete.go
@ -164,6 +164,7 @@ func DeleteRepositoryDirectly(ctx context.Context, doer *user_model.User, uid, r
 		&actions_model.ActionScheduleSpec{RepoID: repoID},
 		&actions_model.ActionSchedule{RepoID: repoID},
 		&actions_model.ActionArtifact{RepoID: repoID},
+		&actions_model.ActionRunnerToken{RepoID: repoID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %w", err)
 	}
--- a/services/user/delete.go
+++ b/services/user/delete.go
@ -95,6 +95,7 @@ func deleteUser(ctx context.Context, u *user_model.User, purge bool) (err error)
 		&actions_model.ActionRunner{OwnerID: u.ID},
 		&user_model.BlockedUser{BlockID: u.ID},
 		&user_model.BlockedUser{UserID: u.ID},
+		&actions_model.ActionRunnerToken{OwnerID: u.ID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %w", err)
 	}
--- a/tests/integration/actions_commit_status_test.go
+++ b/tests/integration/actions_commit_status_test.go
@ -0,0 +1,48 @@
+// Copyright 20124 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"net/url"
+	"testing"
+
+	actions_model "code.gitea.io/gitea/models/actions"
+	"code.gitea.io/gitea/models/db"
+	issues_model "code.gitea.io/gitea/models/issues"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/services/actions"
+	"code.gitea.io/gitea/services/automerge"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestActionsAutomerge(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
+		assert.True(t, setting.Actions.Enabled, "Actions should be enabled")
+
+		ctx := db.DefaultContext
+
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1})
+		pr := unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 2})
+		job := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionRunJob{ID: 292})
+
+		assert.False(t, pr.HasMerged, "PR should not be merged")
+		assert.Equal(t, issues_model.PullRequestStatusMergeable, pr.Status, "PR should be mergable")
+
+		scheduled, err := automerge.ScheduleAutoMerge(ctx, user, pr, repo_model.MergeStyleMerge, "Dummy")
+
+		assert.NoError(t, err, "PR should be scheduled for automerge")
+		assert.True(t, scheduled, "PR should be scheduled for automerge")
+
+		actions.CreateCommitStatus(ctx, job)
+
+		pr = unittest.AssertExistsAndLoadBean(t, &issues_model.PullRequest{ID: 2})
+
+		assert.True(t, pr.HasMerged, "PR should be merged")
+	},
+	)
+}
--- a/tests/integration/git_push_test.go
+++ b/tests/integration/git_push_test.go
@ -0,0 +1,95 @@
+// Copyright 2024 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"net/url"
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	repo_module "code.gitea.io/gitea/modules/repository"
+	repo_service "code.gitea.io/gitea/services/repository"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestOptionsGitPush(t *testing.T) {
+	onGiteaRun(t, testOptionsGitPush)
+}
+
+func testOptionsGitPush(t *testing.T, u *url.URL) {
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
+	repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{
+		Name:          "repo-to-push",
+		Description:   "test git push",
+		AutoInit:      false,
+		DefaultBranch: "main",
+		IsPrivate:     false,
+	})
+	require.NoError(t, err)
+	require.NotEmpty(t, repo)
+
+	gitPath := t.TempDir()
+
+	doGitInitTestRepository(gitPath)(t)
+
+	u.Path = repo.FullName() + ".git"
+	u.User = url.UserPassword(user.LowerName, userPassword)
+	doGitAddRemote(gitPath, "origin", u)(t)
+
+	{
+		// owner sets private & template to true via push options
+		branchName := "branch1"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
+		repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
+		require.NoError(t, err)
+		require.True(t, repo.IsPrivate)
+		require.True(t, repo.IsTemplate)
+	}
+
+	{
+		// owner sets private & template to false via push options
+		branchName := "branch2"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t)
+		repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
+		require.NoError(t, err)
+		require.False(t, repo.IsPrivate)
+		require.False(t, repo.IsTemplate)
+	}
+
+	{
+		// create a collaborator with write access
+		collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5})
+		u.User = url.UserPassword(collaborator.LowerName, userPassword)
+		doGitAddRemote(gitPath, "collaborator", u)(t)
+		repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
+		require.NoError(t, err)
+		repo_module.AddCollaborator(db.DefaultContext, repo, collaborator)
+	}
+
+	{
+		// collaborator with write access is allowed to push
+		branchName := "branch3"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepository(gitPath, "collaborator", branchName)(t)
+	}
+
+	{
+		// collaborator with write access fails to change private & template via push options
+		branchName := "branch4"
+		doGitCreateBranch(gitPath, branchName)(t)
+		doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t)
+		repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push")
+		require.NoError(t, err)
+		require.False(t, repo.IsPrivate)
+		require.False(t, repo.IsTemplate)
+	}
+
+	require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, user.ID, repo.ID))
+}
Author	SHA1	Message	Date
Nulo	a689f330ce	Dockerfile: rename user to _gitea instead of git	2024-04-18 21:18:33 -03:00
Gergely Nagy	cc80e66153	hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>	2024-04-18 11:53:30 +02:00
Lunny Xiao	b7cff17de1	Performance optimization for git push (#30104 ) (#30354 ) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go	2024-04-18 09:39:47 +02:00
Earl Warren	82d1eeb47e	Merge pull request '[gitea] v1.21.11-0 cherry-pick' (#3226 ) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3226 Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>	2024-04-17 10:19:07 +00:00
Earl Warren	5f64346931	Merge pull request 'fix(actions): call automerge service on successful commit state' (#3109 ) from viceice/forgejo:fix/actions/automerge into v1.21/forgejo Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3109 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>	2024-04-15 15:25:12 +00:00
Michael Kriese	4889a3a171	fix(actions): call automerge service on successful commit state - Backport of https://github.com/go-gitea/gitea/pull/30225	2024-04-15 16:17:16 +02:00
Lunny Xiao	8dcc7d9e8c	Fix possible renderer security problem(#30136 ) (#30315 ) Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> (cherry picked from commit 65d96725bb6cb0d0616c17844aca6c753aa5c851)	2024-04-15 11:36:01 +02:00
Earl Warren	8f5d5d49bc	Merge pull request '[SEMVER] 6.0.11+0-gitea-1.21.11' (#3225 ) from earl-warren/forgejo:wip-semver into v1.21/forgejo Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3225	2024-04-15 08:39:30 +00:00
Lunny Xiao	e702e79625	Change the default maxPerPage for gitbucket (#30392 ) (#30471 ) Backport #30392 This patch improves the migration from gitbucket to gitea. The gitbucket uses it's own internal perPage value (= 25) for paging and ignore per_page arguments in the requested URL. This cause gitea to migrate only 25 issues and 25 PRs from gitbucket repository. This may not happens on old gitbucket. But recent gitbucket 4.40 or 4.38.4 has this problem. This patch change to use this internally hardcoded perPage of gitbucket as gitea's maxPerPage numer when migrating from gitbucket. There are several perPage values in gitbucket like 25 for Isseus/PRs and 10 for Releases. Some of those API doesn't support paging yet. It sounds difficult to implement, but using the minimum number among them worked out very well. So, I use 10 in this patch. Brief descriptions of problems and this patch are also available in https://github.com/go-gitea/gitea/issues/30316. In addition, I'm not sure what kind of test cases are possible to write here. It's a test for migration, so it requires testing gitbucket server and gitea server, I guess. Please let me know if it is possible to write such test cases here. Thanks! Co-authored-by: Kazushi (Jam) Marukawa <jam@pobox.com> (cherry picked from commit b6379d2f167551560c870d2d705269c9ba6fc3bc)	2024-04-15 09:52:00 +02:00
Lunny Xiao	c2f9eacd50	Upgrade go-sqlite to v1.14.22 (#30462 ) (cherry picked from commit fc4e08f804704613d3a99347ef25813b9d38a422)	2024-04-15 09:41:13 +02:00
Zettat123	cb8ec2287f	Check the token's owner and repository when registering a runner (#30406 ) (#30412 ) Backport #30406 Fix #30378 (cherry picked from commit 55990ebf9240fced8c58491521fc21bf4a4d8f23) Conflicts: services/user/delete.go trivial context conflict because of `[MODERATION] User blocking`	2024-04-15 09:35:37 +02:00
Giteabot	fd47240545	Close file in the Upload func (#30262 ) (#30269 ) Co-authored-by: guangwu <guoguangwu@magic-shield.com> (cherry picked from commit 4588c7b705629ffed3108d09d665937c14d39716)	2024-04-15 09:17:54 +02:00
Earl Warren	127d9f743a	[SEMVER] 6.0.11+0-gitea-1.21.11	2024-04-15 09:14:39 +02:00
Earl Warren	2ee30d2651	Merge pull request '[v1.21/forgejo] fix(actions): the trigger user of a schedule is the action user' (#3215 ) from bp-v1.21/forgejo-c3e2c25 into v1.21/forgejo Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3215 Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>	2024-04-14 18:34:24 +00:00
Earl Warren	387aea4434	fix(actions): the trigger user of a schedule is the action user The user that caused the notification to re-evaluates the schedules is not the one that will trigger the workflows. They are background tasks that are authored by the action user (id -2). Such a mis-assignment is problematic when the user that caused the notification is deleted. Fixes: https://codeberg.org/forgejo/forgejo/issues/3211 (cherry picked from commit c3e2c2535918b2fa46e40eea5618005e7e05ac0f)	2024-04-14 17:36:42 +00:00
Earl Warren	69007f1444	Merge pull request 'Revert "[CI] pin go v1.21.9 version"' (#3050 ) from earl-warren/forgejo:wip-v1.21-no-pin into v1.21/forgejo Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/3050 Reviewed-by: Gusted <gusted@noreply.codeberg.org>	2024-04-05 09:35:55 +00:00
Earl Warren	c369619805	Revert "[CI] pin go v1.21.9 version" The golang action now knows about the latest Go version. This reverts commit `d73ee02324`.	2024-04-05 06:24:55 +02:00