0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-22 15:23:14 -05:00

Merge pull request '[gitea] week 2024-47-v9.0 cherry pick (gitea/main -> v9.0/forgejo)' (#5998) from earl-warren/wcp/2024-47-v9.0 into v9.0/forgejo

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5998
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
This commit is contained in:
Earl Warren 2024-11-18 18:30:46 +00:00
commit 6f825ab156
7 changed files with 56 additions and 35 deletions

View file

@ -250,6 +250,9 @@ func (a *Action) GetActDisplayNameTitle(ctx context.Context) string {
// GetRepoUserName returns the name of the action repository owner. // GetRepoUserName returns the name of the action repository owner.
func (a *Action) GetRepoUserName(ctx context.Context) string { func (a *Action) GetRepoUserName(ctx context.Context) string {
a.loadRepo(ctx) a.loadRepo(ctx)
if a.Repo == nil {
return "(non-existing-repo)"
}
return a.Repo.OwnerName return a.Repo.OwnerName
} }
@ -262,6 +265,9 @@ func (a *Action) ShortRepoUserName(ctx context.Context) string {
// GetRepoName returns the name of the action repository. // GetRepoName returns the name of the action repository.
func (a *Action) GetRepoName(ctx context.Context) string { func (a *Action) GetRepoName(ctx context.Context) string {
a.loadRepo(ctx) a.loadRepo(ctx)
if a.Repo == nil {
return "(non-existing-repo)"
}
return a.Repo.Name return a.Repo.Name
} }

View file

@ -39,7 +39,7 @@ const (
// SanitizerRules implements markup.Renderer // SanitizerRules implements markup.Renderer
func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule { func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
return []setting.MarkupSanitizerRule{ return []setting.MarkupSanitizerRule{
{Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile(playerClassName)}, {Element: "div", AllowAttr: "class", Regexp: regexp.MustCompile("^" + playerClassName + "$")},
{Element: "div", AllowAttr: playerSrcAttr}, {Element: "div", AllowAttr: playerSrcAttr},
} }
} }

View file

@ -37,9 +37,9 @@ func (Renderer) Extensions() []string {
// SanitizerRules implements markup.Renderer // SanitizerRules implements markup.Renderer
func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule { func (Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
return []setting.MarkupSanitizerRule{ return []setting.MarkupSanitizerRule{
{Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`data-table`)}, {Element: "table", AllowAttr: "class", Regexp: regexp.MustCompile(`^data-table$`)},
{Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)}, {Element: "th", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
{Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`line-num`)}, {Element: "td", AllowAttr: "class", Regexp: regexp.MustCompile(`^line-num$`)},
} }
} }

4
release-notes/5998.md Normal file
View file

@ -0,0 +1,4 @@
fix(security): [commit](https://codeberg.org/forgejo/forgejo/commit/53c546951115d9e269a2778f90e43b0cb413eab6) Fix and refactor markdown rendering
fix: [commit](https://codeberg.org/forgejo/forgejo/commit/6ac04b8c7dcedb9c6d994bb2a8cd37580394d9dd) Fix oauth2 error handle not return immediately
fix: [commit](https://codeberg.org/forgejo/forgejo/commit/9f05c76b7b84f3cfafd4de22f5f18b87e4c79775) Fix nil panic if repo doesn't exist
fix: [commit](https://codeberg.org/forgejo/forgejo/commit/8cec637d08542535d1dc9689c22943cd3ffe1c45) Disable Oauth check if oauth disabled

View file

@ -1013,6 +1013,8 @@ func SignInOAuthCallback(ctx *context.Context) {
} }
if err, ok := err.(*go_oauth2.RetrieveError); ok { if err, ok := err.(*go_oauth2.RetrieveError); ok {
ctx.Flash.Error("OAuth2 RetrieveError: "+err.Error(), true) ctx.Flash.Error("OAuth2 RetrieveError: "+err.Error(), true)
ctx.Redirect(setting.AppSubURL + "/user/login")
return
} }
ctx.ServerError("UserSignIn", err) ctx.ServerError("UserSignIn", err)
return return

View file

@ -327,6 +327,13 @@ func registerRoutes(m *web.Route) {
} }
} }
oauth2Enabled := func(ctx *context.Context) {
if !setting.OAuth2.Enabled {
ctx.Error(http.StatusForbidden)
return
}
}
reqMilestonesDashboardPageEnabled := func(ctx *context.Context) { reqMilestonesDashboardPageEnabled := func(ctx *context.Context) {
if !setting.Service.ShowMilestonesDashboardPage { if !setting.Service.ShowMilestonesDashboardPage {
ctx.Error(http.StatusForbidden) ctx.Error(http.StatusForbidden)
@ -516,16 +523,18 @@ func registerRoutes(m *web.Route) {
m.Any("/user/events", routing.MarkLongPolling, events.Events) m.Any("/user/events", routing.MarkLongPolling, events.Events)
m.Group("/login/oauth", func() { m.Group("/login/oauth", func() {
m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth) m.Group("", func() {
m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth) m.Get("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
// TODO manage redirection m.Post("/grant", web.Bind(forms.GrantApplicationForm{}), auth.GrantApplicationOAuth)
m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth) // TODO manage redirection
}, ignSignInAndCsrf, reqSignIn) m.Post("/authorize", web.Bind(forms.AuthorizationForm{}), auth.AuthorizeOAuth)
}, ignSignInAndCsrf, reqSignIn)
m.Methods("GET, OPTIONS", "/login/oauth/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth) m.Methods("GET, OPTIONS", "/userinfo", optionsCorsHandler(), ignSignInAndCsrf, auth.InfoOAuth)
m.Methods("POST, OPTIONS", "/login/oauth/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth) m.Methods("POST, OPTIONS", "/access_token", optionsCorsHandler(), web.Bind(forms.AccessTokenForm{}), ignSignInAndCsrf, auth.AccessTokenOAuth)
m.Methods("GET, OPTIONS", "/login/oauth/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys) m.Methods("GET, OPTIONS", "/keys", optionsCorsHandler(), ignSignInAndCsrf, auth.OIDCKeys)
m.Methods("POST, OPTIONS", "/login/oauth/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth) m.Methods("POST, OPTIONS", "/introspect", optionsCorsHandler(), web.Bind(forms.IntrospectTokenForm{}), ignSignInAndCsrf, auth.IntrospectOAuth)
}, oauth2Enabled)
m.Group("/user/settings", func() { m.Group("/user/settings", func() {
m.Get("", user_setting.Profile) m.Get("", user_setting.Profile)
@ -567,17 +576,24 @@ func registerRoutes(m *web.Route) {
}, openIDSignInEnabled) }, openIDSignInEnabled)
m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink) m.Post("/account_link", linkAccountEnabled, security.DeleteAccountLink)
}) })
m.Group("/applications/oauth2", func() {
m.Get("/{id}", user_setting.OAuth2ApplicationShow) m.Group("/applications", func() {
m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit) // oauth2 applications
m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret) m.Group("/oauth2", func() {
m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost) m.Get("/{id}", user_setting.OAuth2ApplicationShow)
m.Post("/{id}/delete", user_setting.DeleteOAuth2Application) m.Post("/{id}", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsEdit)
m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant) m.Post("/{id}/regenerate_secret", user_setting.OAuthApplicationsRegenerateSecret)
m.Post("", web.Bind(forms.EditOAuth2ApplicationForm{}), user_setting.OAuthApplicationsPost)
m.Post("/{id}/delete", user_setting.DeleteOAuth2Application)
m.Post("/{id}/revoke/{grantId}", user_setting.RevokeOAuth2Grant)
}, oauth2Enabled)
// access token applications
m.Combo("").Get(user_setting.Applications).
Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
m.Post("/delete", user_setting.DeleteApplication)
}) })
m.Combo("/applications").Get(user_setting.Applications).
Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
m.Post("/applications/delete", user_setting.DeleteApplication)
m.Combo("/keys").Get(user_setting.Keys). m.Combo("/keys").Get(user_setting.Keys).
Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost) Post(web.Bind(forms.AddKeyForm{}), user_setting.KeysPost)
m.Post("/keys/delete", user_setting.DeleteKey) m.Post("/keys/delete", user_setting.DeleteKey)
@ -755,12 +771,7 @@ func registerRoutes(m *web.Route) {
m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret) m.Post("/regenerate_secret", admin.ApplicationsRegenerateSecret)
m.Post("/delete", admin.DeleteApplication) m.Post("/delete", admin.DeleteApplication)
}) })
}, func(ctx *context.Context) { }, oauth2Enabled)
if !setting.OAuth2.Enabled {
ctx.Error(http.StatusForbidden)
return
}
})
m.Group("/actions", func() { m.Group("/actions", func() {
m.Get("", admin.RedirectToDefaultSetting) m.Get("", admin.RedirectToDefaultSetting)
@ -883,12 +894,7 @@ func registerRoutes(m *web.Route) {
m.Post("/regenerate_secret", org.OAuthApplicationsRegenerateSecret) m.Post("/regenerate_secret", org.OAuthApplicationsRegenerateSecret)
m.Post("/delete", org.DeleteOAuth2Application) m.Post("/delete", org.DeleteOAuth2Application)
}) })
}, func(ctx *context.Context) { }, oauth2Enabled)
if !setting.OAuth2.Enabled {
ctx.Error(http.StatusForbidden)
return
}
})
m.Group("/hooks", func() { m.Group("/hooks", func() {
m.Get("", org.Webhooks) m.Get("", org.Webhooks)

View file

@ -68,6 +68,9 @@ func grantAdditionalScopes(grantScopes string) string {
// CheckOAuthAccessToken returns uid of user from oauth token // CheckOAuthAccessToken returns uid of user from oauth token
// + non default openid scopes requested // + non default openid scopes requested
func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) { func CheckOAuthAccessToken(ctx context.Context, accessToken string) (int64, string) {
if !setting.OAuth2.Enabled {
return 0, ""
}
// JWT tokens require a "." // JWT tokens require a "."
if !strings.Contains(accessToken, ".") { if !strings.Contains(accessToken, ".") {
return 0, "" return 0, ""