Exhaustively test each combination of deleting and updating a action
runner via the web route. Although updating an action runner was not
impacted, its good to have a test nonetheless.
(cherry picked from commit 4ace0e938e7c9efaa40cf17e9440b423ee572375)
The web route to update and delete variables of runners did not check if
the ID that was given belonged to the context it was requested in, this
made it possible to update and delete every existing runner variable of
a instance for any authenticated user.
The code has been reworked to always take into account the context of
the request (owner and repository ID).
(cherry picked from commit 5cb8fdfc8b9213cc368cd074aac93a1327ea20b0)
The commit has, in addition to the implementation of the API, a few
function refactor that are useful in backports.
---
close#27801
---------
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 62b073e6f31645e446c7e8d6b5a506f61b47924e)
Conflicts:
- modules/util/util.go
Trivial resolution, only picking the newly introduced function
- routers/api/v1/swagger/options.go
Trivial resolution. We don't have UserBadges, don't pick that part.
- templates/swagger/v1_json.tmpl
Regenerated.
(cherry picked from commit 16696a42f5)
The web route to delete action runners did not check if the ID that was
given belonged to the context it was requested in, this made it possible
to delete every existing runner of a instance by a authenticated user.
The code was reworked to ensure that the caller of the delete
runner function retrieved the runner by ID and then checks if it belongs
to the context it was requested in, although this is not an optimal
solution it is consistent with the context checking of other code for
runners.
(cherry picked from commit 567765be03d56d6c8c36bb783c330c8ca70b1aca)
Conflicts:
models/actions/runner.go
models/actions/runner_test.go
conflicting UUID bug fix and associated tests do not exist
- The doctor commands to check the validity of existing usernames and
email addresses depend on functionality that have configurable behavior
depending on the values of the `[service]` settings, so load them when
running the doctor command.
- Resolves#6664
- No unit test due to the architecture of doctor commands.
(cherry picked from commit 46e60ce966)
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that was chosen by `x/crypto/ssh` after succesfully
authenticating, this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack, although partially mitigated by the fix in `x/crypto/ssh` it
would not be good practice and defense deep to rely on it.
- Existing tests covers that the functionality is preserved.
- No tests are added to ensure it fixes the described security, the
exploit relies on non-standard SSH behavior it would be too hard to
craft SSH packets to exploit this.
(cherry picked from commit 3e1b03838e)
Conflicts:
go.mod
go.sum
trivial context conflict
The milestone can only be determined to be final when a pull request
is merged.
It is possible that a pull request is opened during the development of
v10 and merged after it is published.
It is also possible that it is permanently closed without being merged.
(cherry picked from commit 6f53f7d007)
- This unifies the security behavior of enrolling security keys with
enrolling TOTP as a 2FA method. When TOTP is enrolled, you cannot use
basic authorization (user:password) to make API request on behalf of the
user, this is now also the case when you enroll security keys.
- The usage of access tokens are the only method to make API requests on
behalf of the user when a 2FA method is enrolled for the user.
- Integration test added.
(cherry picked from commit e6bbecb02d)
- Add a `purpose` column, this allows the `forgejo_auth_token` table to
be used by other parts of Forgejo, while still enjoying the
no-compromise architecture.
- Remove the 'roll your own crypto' time limited code functions and
migrate them to the `forgejo_auth_token` table. This migration ensures
generated codes can only be used for their purpose and ensure they are
invalidated after their usage by deleting it from the database, this
also should help making auditing of the security code easier, as we're
no longer trying to stuff a lot of data into a HMAC construction.
-Helper functions are rewritten to ensure a safe-by-design approach to
these tokens.
- Add the `forgejo_auth_token` to dbconsistency doctor and add it to the
`deleteUser` function.
- TODO: Add cron job to delete expired authorization tokens.
- Unit and integration tests added.
(cherry picked from commit 1ce33aa38d)
v7: Removed migration - XORM can handle this case automatically without migration.
assert.Equal(t, `doesnotexist@example.com`, msgs[0].To) in tests
because v7 does not include the user name to the recipient.
- If the incoming mail feature is enabled, tokens are being sent with
outgoing mails. These tokens contains information about what type of
action is allow with such token (such as replying to a certain issue
ID), to verify these tokens the code uses the HMAC-SHA256 construction.
- The output of the HMAC is truncated to 80 bits, because this is
recommended by RFC2104, but RFC2104 actually doesn't recommend this. It
recommends, if truncation should need to take place, it should use
max(80, hash_len/2) of the leftmost bits. For HMAC-SHA256 this works out
to 128 bits instead of the currently used 80 bits.
- Update to token version 2 and disallow any usage of token version 1,
token version 2 are generated with 128 bits of HMAC output.
- Add test to verify the deprecation of token version 1 and a general
MAC check test.
(cherry picked from commit 9508aa7713)
- _Simply_ add `^$` to regexp that didn't had it yet, this avoids any
content being allowed that simply had the allowed content as a
substring.
- Fix file-preview regex to have `$` instead of `*`.
(cherry picked from commit 7067cc7da4)
v7: added fix for ref-issue, this is already fixed in forgejo branch but
not backported as it was part of a feature.
- Consider private/limited users in the `AccessibleRepositoryCondition`
query, previously this only considered private/limited organization.
This limits the ability for anomynous users to do code search on
private/limited user's repository
- Unit test added.
(cherry picked from commit b70196653f)
- The RSS and atom feed for branches exposes details about the code, it
therefore should be guarded by the requirement that the doer has access
to the code of that repository.
- Added integration testing.
(cherry picked from commit 3e3ef76808)
- If a repository is forked to a private or limited user/organization,
the fork should not be visible in the list of forks depending on the
doer requesting the list of forks.
- Added integration testing for web and API route.
(cherry picked from commit 061abe6004)
- Ensure that the specified push mirror ID belongs to the requested
repository, otherwise it is possible to modify the intervals of the push
mirrors that do not belong to the requested repository.
- Integration test added.
(cherry picked from commit 786dfc7fb8)
When the CI vars.ROLE is forgejo-coding, it is assumed to be the
repository where collaborative coding happens,
i.e. https://codeberg.org/forgejo/forgejo
When the CI vars.ROLE is forgejo-testing, it is assumed that only codebase
testing is to be run and no other tests such as release build
integration, label constraints, backporting etc.
(cherry picked from commit 068558accd)
Conflicts:
.forgejo/workflows/testing.yml
e2e was in .forgejo/workflows/e2e.yml
and some tests did not exist in v7.0
When the CI vars.ROLE is forgejo-coding, it is assumed to be the
repository where collaborative coding happens,
i.e. https://codeberg.org/forgejo/forgejo
When the CI vars.ROLE is forgejo-testing, it is assumed that only codebase
testing is to be run and no other tests such as release build
integration, label constraints, backporting etc.
(cherry picked from commit f82840f1ea)
Conflicts:
.forgejo/workflows/merge-requirements.yml
.forgejo/workflows/release-notes-assistant-milestones.yml
.forgejo/workflows/release-notes-assistant.yml
did not exist back in v7.0
