From dd1beee2ef907527d0b046f78bab70b2bd868c55 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Thu, 14 Nov 2019 22:39:48 +0000
Subject: [PATCH] Enforce Gitea environment for pushes (#8982)
* Enforce Gitea environment for pushes
* Update custom/conf/app.ini.sample
Co-Authored-By: Antoine GIRARD
---
 cmd/hook.go                                  | 25 +++++++++++++++---
 custom/conf/app.ini.sample                   |  8 +++---
 .../doc/advanced/config-cheat-sheet.en-us.md |  1 +
 modules/setting/setting.go                   | 26 ++++++++++---------
 4 files changed, 42 insertions(+), 18 deletions(-)
diff --git a/cmd/hook.go b/cmd/hook.go
index f07568dd8..9f547362d 100644
--- a/cmd/hook.go
+++ b/cmd/hook.go
@@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/private"
+	"code.gitea.io/gitea/modules/setting"
 	"github.com/urfave/cli"
 )
@@ -55,7 +56,13 @@ var (
 func runHookPreReceive(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
+			fail(`Rejecting changes as Gitea environment not set.
+If you are pushing over SSH you must push with a key managed by
+Gitea or set your environment appropriately.`, "")
+		} else {
+			return nil
+		}
 	}
 	setup("hooks/pre-receive.log")
@@ -115,7 +122,13 @@ func runHookPreReceive(c *cli.Context) error {
 func runHookUpdate(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
+			fail(`Rejecting changes as Gitea environment not set.
+If you are pushing over SSH you must push with a key managed by
+Gitea or set your environment appropriately.`, "")
+		} else {
+			return nil
+		}
 	}
 	setup("hooks/update.log")
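Review bot: In runHookPreReceive the rejecting branch relies on `fail` never returning, which the hunk does not show; if it did return, control would fall through to `setup("hooks/pre-receive.log")` and the hook would process the push it just refused, so the exit should not depend on it: `if setting.OnlyAllowPushIfGiteaEnvironmentSet { fail(...) }` followed by an unconditional `return nil`, with the `else` dropped. The same seven lines recur in the runHookUpdate hunk (@@ -115) and the runHookPostReceive hunk (@@ -125), so one helper, sketched below, keeps the three hooks in step. Two smaller points: `fail` is given `""` as its second argument, so if that is the server-side log message the rejection leaves no trace an operator can search for; and the guard inspects only SSH_ORIGINAL_COMMAND, a variable sshd sets for forced commands, so a comment such as `// SSH_ORIGINAL_COMMAND is unset when git was not reached through sshd; treat that as an incomplete Gitea environment` would stop the setting being mistaken for an access control. All three function bodies continue past their hunks.
```go
// skipHookOutsideGiteaEnvironment reports whether the hook should exit without
// doing anything because SSH_ORIGINAL_COMMAND is not set. When the setting
// forbids such pushes it calls fail, which is expected not to return; the
// caller still returns unconditionally so a returning fail cannot let the
// push proceed.
func skipHookOutsideGiteaEnvironment() bool {
	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) != 0 {
		return false
	}
	if setting.OnlyAllowPushIfGiteaEnvironmentSet {
		fail(`Rejecting changes as Gitea environment not set.
If you are pushing over SSH you must push with a key managed by
Gitea or set your environment appropriately.`, "")
	}
	return true
}

func runHookPreReceive(c *cli.Context) error {
	if skipHookOutsideGiteaEnvironment() {
		return nil
	}
	setup("hooks/pre-receive.log")
	// … unchanged: rest of runHookPreReceive; runHookUpdate and runHookPostReceive get the same two-line guard …
```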
@@ -125,7 +138,13 @@ func runHookUpdate(c *cli.Context) error {
 func runHookPostReceive(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
+			fail(`Rejecting changes as Gitea environment not set.
+If you are pushing over SSH you must push with a key managed by
+Gitea or set your environment appropriately.`, "")
+		} else {
+			return nil
+		}
 	}
 	setup("hooks/post-receive.log")
diff --git a/custom/conf/app.ini.sample b/custom/conf/app.ini.sample
index 5e26171d9..34c3ee9db 100644
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -190,7 +190,7 @@ PROTOCOL = http
 DOMAIN = localhost
 ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
 ; when STATIC_URL_PREFIX is empty it will follow APP_URL
-STATIC_URL_PREFIX = 
+STATIC_URL_PREFIX =
 ; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
 HTTP_ADDR = 0.0.0.0
 HTTP_PORT = 3000
@@ -383,6 +383,8 @@ MIN_PASSWORD_LENGTH = 6
 IMPORT_LOCAL_PATHS = false
 ; Set to true to prevent all users (including admin) from creating custom git hooks
 DISABLE_GIT_HOOKS = false
+; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
+ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;Comma separated list of character classes required to pass minimum complexity.
 ;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used.
 ;Use "off" to disable checking.
@@ -515,9 +517,9 @@ SKIP_TLS_VERIFY = false
 ; Number of history information in each page
 PAGING_NUM = 10
 ; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy
-PROXY_URL = 
+PROXY_URL =
 ; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts.
-PROXY_HOSTS = 
+PROXY_HOSTS =
 [mailer]
 ENABLED = false
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 68c33f710..ab353f9d5 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -244,6 +244,7 @@ relation to port exhaustion.
 authentication provided email.
 - `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom git hooks.
+- `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: ****: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index f3dd45d7b..c0b9b99e3 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -140,18 +140,19 @@ var (
 	}
 	// Security settings
-	InstallLock           bool
-	SecretKey             string
-	LogInRememberDays     int
-	CookieUserName        string
-	CookieRememberName    string
-	ReverseProxyAuthUser  string
-	ReverseProxyAuthEmail string
-	MinPasswordLength     int
-	ImportLocalPaths      bool
-	DisableGitHooks       bool
-	PasswordComplexity    []string
-	PasswordHashAlgo      string
+	InstallLock                        bool
+	SecretKey                          string
+	LogInRememberDays                  int
+	CookieUserName                     string
+	CookieRememberName                 string
+	ReverseProxyAuthUser               string
+	ReverseProxyAuthEmail              string
+	MinPasswordLength                  int
+	ImportLocalPaths                   bool
+	DisableGitHooks                    bool
+	OnlyAllowPushIfGiteaEnvironmentSet bool
+	PasswordComplexity                 []string
+	PasswordHashAlgo                   string
 	// UI settings
 	UI = struct {
@@ -778,6 +779,7 @@ func NewContext() {
 	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
+	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
 	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
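Review bot: `MustBool(true)` in the NewContext hunk (@@ -778) makes rejection the default for every existing deployment whose app.ini predates the key, so any local or scripted push that reaches the hooks without SSH_ORIGINAL_COMMAND starts failing on upgrade; that is the right default, and the sample ini and cheat sheet agree with it, but it deserves an explicit upgrade note rather than being discovered at push time. A short doc comment on the new field in the @@ -140 hunk, `// OnlyAllowPushIfGiteaEnvironmentSet makes the git hooks reject pushes that arrive without the environment Gitea sets up`, would also help, since the var block otherwise documents the group only. NewContext continues outside the hunk.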