Originally reported by jomo (https://jomo.tv). A malicious actor could
register with an email address containing a comment, for example
"attacker@evil (comment@broken)". This commit fixes this issue by only
operating on normalized email addresses.
Signed-off-by: famfo <famfo@famfo.xyz>
- CSRF has to be validated for any request that can change the state, in
practice this means any HTTP request where the method isn't
GET/HEAD/OPTIONS.
- The code only considered POST to be a state-changing request.
- Forgejo has several PUT/DELETE (that changes state) routes for which
no CSRF was being validated.
- Change the code to validate CSRF for all non-"safe" methods.
- The creation of new API tokens for users via the API is guarded behind
a extra check. This extra makes sure the user is authorized via the
reverse proxy method (if enabled) or via basic authorization.
- For, what seems to me, historical reasons the basic authorization also
handles logging in via the API token.
- This results in a API token (with `write:user` scope) or OAuth2 token
being able to create a new API token with escalated privileges.
- Add a new condition to this check to ensure the user logged in via
password.
- Change error to better indicate what went wrong.
- When cloning with credentials is used, don't set the credentials in
the URL and pass that to Git, instead use Git credential helper to pass
the credential. This avoids the credentials to be leaked through the
process list.
Do not allow credentials to be present in the URLs that are provided for
migrations and push mirrors. They have to be given via the dedicated
input fields. Give a error when this happens.
There's nothing wrong with trying have the backend "correct" this, but
would be a larger patch than necessary in the context of a security fix.
This can be done in public.
While `repo.OriginalURL` is supposed to be sanitized, with username and
passwords removed, it appears that is not always the case, and sometimes
we may encounter original URLs that aren't sanitized. While that is
possibly a historical artifact, we should still treat it with care.
As such, before displaying `repo.OriginalURL` as an info flash when
syncing a pull repository, sanitize the URL first, to be on the safe
side.
Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
On GitHub, `DELETE /repos/{owner}/{repo}/issues/{index}/labels/{id}` takes the label name, not id:
https://docs.github.com/en/rest/issues/labels?apiVersion=2022-11-28#remove-a-label-from-an-issue
This breaks workflows and actions that interact with labels and delete them.
It also makes the API quite difficult to use, always having to query the ID first before deleting a label from an issue, potentially with two API calls, because it could be a repo or org label.
For backwards compatibility, if no label with the given name is found, and the name converts to an int without error, it'll still be looked up by ID.
The API on GitHub also does not return 204, but 200, with the label it just removed from the issue as content. So this is returned when `application/vnd.github+json` is set in the `Accept` request header.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8831
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: BtbN <btbn@btbn.de>
Co-committed-by: BtbN <btbn@btbn.de>
The "refresh does not break interacting with open drop-downs" is flaky. It attempts to verify that a refresh of the "Actions" list page does not occur when the user is currently navigating the dropdowns on the page, as htmx would replace their dropdowns mid-action. It does this by clicking on the dropdowns, verifying the dropdown text is visible, simulating a refresh, and verifying that the dropdown text is still visible.
Example failure log:
```
1) [chromium] › tests/e2e/actions.test.e2e.ts:173:3 › workflow list dynamic refresh › refresh does not break interacting with open drop-downs
Error: Timed out 3000ms waiting for expect(locator).toBeVisible()
Locator: getByText('Waiting')
Expected: visible
Received: hidden
Call log:
- Expect "toBeVisible" with timeout 3000ms
- waiting for getByText('Waiting')
7 × locator resolved to <a class="item" href="?workflow=test-dispatch.yml&actor=0&status=5">↵⇆⇆⇆⇆⇆⇆⇆Waiting↵⇆⇆⇆⇆⇆⇆</a>
- unexpected value "hidden"
194 | await expect(page.getByText('Failure')).toBeVisible();
195 | await simulatePollingInterval(page);
> 196 | await expect(page.getByText('Waiting')).toBeVisible();
| ^
197 | await expect(page.getByText('Failure')).toBeVisible();
198 |
199 | // Actor dropdown
at /workspace/forgejo/forgejo/tests/e2e/actions.test.e2e.ts:196:45
```
The dropdown list stops refreshes if there are any `[aria-expanded=true]` elements on the page:
ab6ea6a743/templates/repo/actions/list.tmpl (L31-L33)
But fomantic doesn't set the `aria-expanded` attribute immediately on mouseup; it delays for up to 100ms:
f8a332c2e6/web_src/js/modules/fomantic/dropdown.js (L241-L246)
The easiest fix is to align the test's expectations with the underlying code, which is to verify that the `aria-expanded=true` element is present in the test before proceeding with the simulated refresh.
Before this change, this test would fail as frequently as 10-out-of-10 in local runs, but usually more around 70% (albeit closer to 0% in a playwright ui). After this change, I've executed the test with zero failures in 100 back-to-back runs with `npx playwright test ./tests/e2e/actions.test.e2e.ts --project chromium --repeat-each 100`.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9059
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
The context menu of the comment box was not always available on a mobile-sized device, because it would escape its container, overlap other elements, and be unable to be clicked.
To address this, I've made the comment box constrained to the width of the diff box.
This allows Playwright to interact with the element without ambiguity of the click targets, avoiding any "intercepts pointer events".
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9052
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
In the helper method `accessibilityCheck`, accessibility checks are performed on the page including measurements of contrast between elements, and the theme is transitioned from the `light` to `dark` theme and back between two checks (with a hard-coded 100ms wait). Experimentally this is proven to result in false-positive failures of the accessibilityCheck.
I believe the cause of these failures are CSS transitions that are occurring either between the theme transition, or from operations that have occurred before the `accessibilityCheck` method is called. For example, one test `Markdown insert link` pops open the `Add a link` dialog box which has a CSS transition applied as the background is greyed out.
To fix this, I've wrapped both accessibility scans within `accessibilityCheck` in a `expect(...).toPass({ timeout: 1000 })` to allow Playwright to retry the assertions over the next second. 1 second exceeds the time that I've observed of any CSS transition in the project (max found was 0.3 seconds).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9051
Reviewed-by: Antonin Delpeuch <wetneb@noreply.codeberg.org>
Reviewed-by: Beowulf <beowulf@beocode.eu>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
This test fails on unrelated changes (see for instance https://codeberg.org/forgejo/forgejo/actions/runs/98626/jobs/3 or #9047).
This defeats the purpose of such a test and hinders development for all Forgejo contributors, so I am proposing to disable it.
I have notified PR #7155 (which introduced it) about the need to fix it.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9049
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Antonin Delpeuch <antonin@delpeuch.eu>
Co-committed-by: Antonin Delpeuch <antonin@delpeuch.eu>
Print out a list of all unused msgids
Handle Go files that make calls to translation.
Handle `models/unit/unit.go`, which stores msgids in `$Unit.NameKey`
Handle .locale.Tr in templates
Handle simple dynamically constructed `Tr("msgid-prefix." + SomeFunctionCall())`.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8736
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Ellen Εμιλία Άννα Zscheile <fogti+devel@ytrizja.de>
Co-committed-by: Ellen Εμιλία Άννα Zscheile <fogti+devel@ytrizja.de>
Increase consistency of rendering the ghost user, by re-using
the same template.
Also add a tooltip to the shared template, to explain the ghost user.
Closes: #5630
- the run ID used to download artifacts is absolute (ID) instead of being
relative to the repository (Index) for compatibility with the url built
and returned as `artifact-url` by the the upload-artifact@v4 action.
- this is a breaking change because URLs to download artifacts
previous saved/bookmarked and not yet expired expired are no
longer working, they need to be looked up again by visiting the job
web page.
- add unit tests for getRunByID().
- RepoActionView.test.js verifies the download URL is built using the
run ID.
- lAdd integration tests to verify the RunID is set as expected in
the template used by RepoActionView.vue.
Refs https://code.forgejo.org/forgejo/runner/issues/187
- create tests/integration/actions_view_test.go
- extract TestActionsArtifactDeletion from actions_route_test.go
- extract tests misplaced in
- api_actions_artifact_test.go
- api_actions_artifact_v4_test.go
- add a tests for the /{owner}/{repo}/actions/runs/{run_index}/artifacts
because it is useful for debugging
So they can conveniently be run all together with:
`make 'test-sqlite#TestActions'`
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9035
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This PR fixes the duplicate HTML ID issue (#8778) that can occur when rendering an issue page. An issue page contains multiple renderings of Markdown elements (the issue description and issue comments). When there is more than one Markdown rendering that uses footnotes we have an ID collision because the footnote ID count starts anew for each rendering.
This PR adds a `Metas["scope"]` entry to the `RenderContext` and sets it to "comment-{index}" when rendering Markdown for a comment. `Metas["scope"]` gets used as suffix during ID generation.
Fixes#8778.
## Additional Notes
- ID collision also happens if there are multiple header elements with the same ID. It does not seem to impact users because there are no links referencing headers. However, to err on the safe side, this PR also adds scope to the header IDs.
- `Metas["scope"]` might be useful for other Markdown renderings beside comments, e.g. multiple Markdown renderings are possible on Wiki pages.
- We apply `Metas["scope"]` as suffix instead of prefix because there are several places in the code that expect `user-content-` to be the ID's prefix.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Tests
- I added test coverage for Go changes...
- [X] in their respective `*_test.go` for unit tests.
- [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I added test coverage for JavaScript changes...
- [ ] in `web_src/js/*.test.js` if it can be unit tested.
- [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [ ] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] I do not want this change to show in the release notes.
- [X] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8880
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: psii <psii@posteo.de>
Co-committed-by: psii <psii@posteo.de>
* refactored to untangle comment headers of different styles of comments from each other
* fixed misalignments
* improved consistency
* fixed missing avatar rounding
* made reactions aligned with content
* fixed text in the "Outdated" label overflowing into the toggle icon
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8138
Reviewed-by: Beowulf <beowulf@beocode.eu>
For pull request templates, Forgejo currently does not look in the `docs` directory, but [GitHub does](https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/creating-a-pull-request-template-for-your-repository#adding-a-pull-request-template). By making Forgejo also look there, it becomes possible to have the same repository work on both sites, without the need for vendor-specific paths.
There was duplication in the list of accepted file paths. On the one hand it’s nice for greppability that they are all spelled out, but it does mean adding 6 variants, I thought it would be more maintainable to deduplicate the Cartesian product. I added one fully spelled out path in the comment to still maintain some greppability.
Resolvesforgejo/forgejo#8284
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8863
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Ruud van Asseldonk <dev@veniogames.com>
Co-committed-by: Ruud van Asseldonk <dev@veniogames.com>
- run all unit tests and integration tests in sequence in the same job
- upload the coverage data as an artifact to the run
- only run via dispatch because it is very long
- arguments are used to select which unit or integration tests to focus on
Refs https://go.dev/blog/integration-test-coverage
### Testing
- Run this workflow via workflow_dispatch (see https://codeberg.org/forgejo-integration/forgejo/actions/runs/11889)
- Download the coverage information (see https://codeberg.org/forgejo-integration/forgejo/actions/runs/11889/artifacts/coverage)
- Download the coverage information from an end-to-end cascade test (see https://code.forgejo.org/forgejo/end-to-end/actions/runs/3961)
- Unzip them in a the `coverage/data` sub-directory at the root of the Forgejo source tree
```sh
$ ls coverage/data
actions coverage-actions.zip coverage-federation.zip coverage-tests.zip coverage-upgrade.zip federation tests upgrade
```
- Display the coverage percentage
```
$ make coverage-show-percentage
...
forgejo.org/services/wiki/wiki_path.go:96: WebPathToGitPath 81.8%
forgejo.org/services/wiki/wiki_path.go:113: GitPathToWebPath 90.0%
forgejo.org/services/wiki/wiki_path.go:129: WebPathToUserTitle 71.4%
forgejo.org/services/wiki/wiki_path.go:140: WebPathToURLPath 100.0%
forgejo.org/services/wiki/wiki_path.go:144: WebPathFromRequest 100.0%
forgejo.org/services/wiki/wiki_path.go:151: UserTitleToWebPath 80.0%
forgejo.org/services/wiki/wiki_path.go:163: ToWikiPageMetaData 100.0%
forgejo.org/tests/integration/api_repo_file_helpers.go:18: createFileInBranch 100.0%
...
total: (statements) 63.9%
```
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9004
Reviewed-by: jerger <jerger@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This is a noop refactor. It is on the path of each integration tests and this is why it needs no additional testing.
It makes it possible to run the migration tests using `go test` (which runs from the root) instead of building a test binary with `go test -c` that runs in the target directory, which is what the current tests are doing. This will be put to use to extract coverage in a unified way.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/8999
Reviewed-by: jerger <jerger@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
