zjjhot
diff --git a/‎Makefile‎
Lines changed: 1 addition & 1 deletion b/‎Makefile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎integrations/git_clone_wiki_test.go‎
Lines changed: 1 addition & 1 deletion b/‎integrations/git_clone_wiki_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎integrations/git_helper_for_declarative_test.go‎
Lines changed: 4 additions & 20 deletions b/‎integrations/git_helper_for_declarative_test.go‎
Lines changed: 4 additions & 20 deletions
diff --git a/‎integrations/git_test.go‎
Lines changed: 2 additions & 2 deletions b/‎integrations/git_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎models/auth/twofactor.go‎
Lines changed: 6 additions & 2 deletions b/‎models/auth/twofactor.go‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎models/migrations/v71.go‎
Lines changed: 1 addition & 1 deletion b/‎models/migrations/v71.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎models/migrations/v85.go‎
Lines changed: 1 addition & 1 deletion b/‎models/migrations/v85.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎models/token.go‎
Lines changed: 1 addition & 1 deletion b/‎models/token.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎models/user/user.go‎
Lines changed: 1 addition & 1 deletion b/‎models/user/user.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎modules/generate/generate.go‎
Lines changed: 1 addition & 1 deletion b/‎modules/generate/generate.go‎
Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ COMMA := ,
 XGO_VERSION := go-1.17.x
 MIN_GO_VERSION := 001016000
 MIN_NODE_VERSION := 012017000
-MIN_GOLANGCI_LINT_VERSION := 001043000
+MIN_GOLANGCI_LINT_VERSION := 001044000
 
 DOCKER_IMAGE ?= gitea/gitea
 DOCKER_TAG ?= latest
 
@@ -41,7 +41,7 @@ func TestRepoCloneWiki(t *testing.T) {
 		u, _ = url.Parse(r)
 		u.User = url.UserPassword("user2", userPassword)
 		t.Run("Clone", func(t *testing.T) {
-			assert.NoError(t, git.CloneWithArgs(context.Background(), u.String(), dstPath, allowLFSFilters(), git.CloneRepoOptions{}))
+			assert.NoError(t, git.CloneWithArgs(context.Background(), u.String(), dstPath, git.AllowLFSFiltersArgs(), git.CloneRepoOptions{}))
 			assertFileEqual(t, filepath.Join(dstPath, "Home.md"), []byte("# Home page\n\nThis is the home page!\n"))
 			assertFileExist(t, filepath.Join(dstPath, "Page-With-Image.md"))
 			assertFileExist(t, filepath.Join(dstPath, "Page-With-Spaced-Name.md"))
 
@@ -14,7 +14,6 @@ import (
 	"path"
 	"path/filepath"
 	"strconv"
-	"strings"
 	"testing"
 	"time"
 
@@ -60,21 +59,6 @@ func createSSHUrl(gitPath string, u *url.URL) *url.URL {
 	return &u2
 }
 
-func allowLFSFilters() []string {
-	// Now here we should explicitly allow lfs filters to run
-	filteredLFSGlobalArgs := make([]string, len(git.GlobalCommandArgs))
-	j := 0
-	for _, arg := range git.GlobalCommandArgs {
-		if strings.Contains(arg, "lfs") {
-			j--
-		} else {
-			filteredLFSGlobalArgs[j] = arg
-			j++
-		}
-	}
-	return filteredLFSGlobalArgs[:j]
-}
-
 func onGiteaRunTB(t testing.TB, callback func(testing.TB, *url.URL), prepare ...bool) {
 	if len(prepare) == 0 || prepare[0] {
 		defer prepareTestEnv(t, 1)()
@@ -115,7 +99,7 @@ func onGiteaRun(t *testing.T, callback func(*testing.T, *url.URL), prepare ...bo
 
 func doGitClone(dstLocalPath string, u *url.URL) func(*testing.T) {
 	return func(t *testing.T) {
-		assert.NoError(t, git.CloneWithArgs(context.Background(), u.String(), dstLocalPath, allowLFSFilters(), git.CloneRepoOptions{}))
+		assert.NoError(t, git.CloneWithArgs(context.Background(), u.String(), dstLocalPath, git.AllowLFSFiltersArgs(), git.CloneRepoOptions{}))
 		exist, err := util.IsExist(filepath.Join(dstLocalPath, "README.md"))
 		assert.NoError(t, err)
 		assert.True(t, exist)
@@ -124,7 +108,7 @@ func doGitClone(dstLocalPath string, u *url.URL) func(*testing.T) {
 
 func doPartialGitClone(dstLocalPath string, u *url.URL) func(*testing.T) {
 	return func(t *testing.T) {
-		assert.NoError(t, git.CloneWithArgs(context.Background(), u.String(), dstLocalPath, allowLFSFilters(), git.CloneRepoOptions{
+		assert.NoError(t, git.CloneWithArgs(context.Background(), u.String(), dstLocalPath, git.AllowLFSFiltersArgs(), git.CloneRepoOptions{
 			Filter: "blob:none",
 		}))
 		exist, err := util.IsExist(filepath.Join(dstLocalPath, "README.md"))
@@ -197,7 +181,7 @@ func doGitCreateBranch(dstPath, branch string) func(*testing.T) {
 
 func doGitCheckoutBranch(dstPath string, args ...string) func(*testing.T) {
 	return func(t *testing.T) {
-		_, err := git.NewCommandNoGlobals(append(append(allowLFSFilters(), "checkout"), args...)...).RunInDir(dstPath)
+		_, err := git.NewCommandNoGlobals(append(append(git.AllowLFSFiltersArgs(), "checkout"), args...)...).RunInDir(dstPath)
 		assert.NoError(t, err)
 	}
 }
@@ -211,7 +195,7 @@ func doGitMerge(dstPath string, args ...string) func(*testing.T) {
 
 func doGitPull(dstPath string, args ...string) func(*testing.T) {
 	return func(t *testing.T) {
-		_, err := git.NewCommandNoGlobals(append(append(allowLFSFilters(), "pull"), args...)...).RunInDir(dstPath)
+		_, err := git.NewCommandNoGlobals(append(append(git.AllowLFSFiltersArgs(), "pull"), args...)...).RunInDir(dstPath)
 		assert.NoError(t, err)
 	}
 }
@@ -167,7 +167,7 @@ func lfsCommitAndPushTest(t *testing.T, dstPath string) (littleLFS, bigLFS strin
 		err = git.AddChanges(dstPath, false, ".gitattributes")
 		assert.NoError(t, err)
 
-		err = git.CommitChangesWithArgs(dstPath, allowLFSFilters(), git.CommitChangesOptions{
+		err = git.CommitChangesWithArgs(dstPath, git.AllowLFSFiltersArgs(), git.CommitChangesOptions{
 			Committer: &git.Signature{
 				Email: "user2@example.com",
 				Name:  "User Two",
@@ -346,7 +346,7 @@ func generateCommitWithNewData(size int, repoPath, email, fullName, prefix strin
 
 	// Commit
 	// Now here we should explicitly allow lfs filters to run
-	globalArgs := allowLFSFilters()
+	globalArgs := git.AllowLFSFiltersArgs()
 	err = git.AddChangesWithArgs(repoPath, globalArgs, false, filepath.Base(tmpFile.Name()))
 	if err != nil {
 		return "", err
 
@@ -8,6 +8,7 @@ import (
 	"crypto/md5"
 	"crypto/sha256"
 	"crypto/subtle"
+	"encoding/base32"
 	"encoding/base64"
 	"fmt"
 
@@ -58,11 +59,14 @@ func init() {
 
 // GenerateScratchToken recreates the scratch token the user is using.
 func (t *TwoFactor) GenerateScratchToken() (string, error) {
-	token, err := util.RandomString(8)
+	tokenBytes, err := util.CryptoRandomBytes(6)
 	if err != nil {
 		return "", err
 	}
-	t.ScratchSalt, _ = util.RandomString(10)
+	// these chars are specially chosen, avoid ambiguous chars like `0`, `O`, `1`, `I`.
+	const base32Chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
+	token := base32.NewEncoding(base32Chars).WithPadding(base32.NoPadding).EncodeToString(tokenBytes)
+	t.ScratchSalt, _ = util.CryptoRandomString(10)
 	t.ScratchHash = HashToken(token, t.ScratchSalt)
 	return token, nil
 }
 
@@ -53,7 +53,7 @@ func addScratchHash(x *xorm.Engine) error {
 
 		for _, tfa := range tfas {
 			// generate salt
-			salt, err := util.RandomString(10)
+			salt, err := util.CryptoRandomString(10)
 			if err != nil {
 				return err
 			}
 
@@ -65,7 +65,7 @@ func hashAppToken(x *xorm.Engine) error {
 
 		for _, token := range tokens {
 			// generate salt
-			salt, err := util.RandomString(10)
+			salt, err := util.CryptoRandomString(10)
 			if err != nil {
 				return err
 			}
 
@@ -62,7 +62,7 @@ func init() {
 
 // NewAccessToken creates new access token.
 func NewAccessToken(t *AccessToken) error {
-	salt, err := util.RandomString(10)
+	salt, err := util.CryptoRandomString(10)
 	if err != nil {
 		return err
 	}
 
@@ -533,7 +533,7 @@ const SaltByteLength = 16
 
 // GetUserSalt returns a random user salt token.
 func GetUserSalt() (string, error) {
-	rBytes, err := util.RandomBytes(SaltByteLength)
+	rBytes, err := util.CryptoRandomBytes(SaltByteLength)
 	if err != nil {
 		return "", err
 	}
 
@@ -60,7 +60,7 @@ func NewJwtSecretBase64() (string, error) {
 
 // NewSecretKey generate a new value intended to be used by SECRET_KEY.
 func NewSecretKey() (string, error) {
-	secretKey, err := util.RandomString(64)
+	secretKey, err := util.CryptoRandomString(64)
 	if err != nil {
 		return "", err
 	}
Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ func addScratchHash(x *xorm.Engine) error {`
`53`	`53`
`54`	`54`	`for _, tfa := range tfas {`
`55`	`55`	`// generate salt`
`56`		`- salt, err := util.RandomString(10)`
	`56`	`+ salt, err := util.CryptoRandomString(10)`
`57`	`57`	`if err != nil {`
`58`	`58`	`return err`
`59`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ func hashAppToken(x *xorm.Engine) error {`
`65`	`65`
`66`	`66`	`for _, token := range tokens {`
`67`	`67`	`// generate salt`
`68`		`- salt, err := util.RandomString(10)`
	`68`	`+ salt, err := util.CryptoRandomString(10)`
`69`	`69`	`if err != nil {`
`70`	`70`	`return err`
`71`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ func init() {`
`62`	`62`
`63`	`63`	`// NewAccessToken creates new access token.`
`64`	`64`	`func NewAccessToken(t *AccessToken) error {`
`65`		`- salt, err := util.RandomString(10)`
	`65`	`+ salt, err := util.CryptoRandomString(10)`
`66`	`66`	`if err != nil {`
`67`	`67`	`return err`
`68`	`68`	`}`
Original file line number	Diff line number	Diff line change
`@@ -533,7 +533,7 @@ const SaltByteLength = 16`
`533`	`533`
`534`	`534`	`// GetUserSalt returns a random user salt token.`
`535`	`535`	`func GetUserSalt() (string, error) {`
`536`		`- rBytes, err := util.RandomBytes(SaltByteLength)`
	`536`	`+ rBytes, err := util.CryptoRandomBytes(SaltByteLength)`
`537`	`537`	`if err != nil {`
`538`	`538`	`return "", err`
`539`	`539`	`}`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ func NewJwtSecretBase64() (string, error) {`
`60`	`60`
`61`	`61`	`// NewSecretKey generate a new value intended to be used by SECRET_KEY.`
`62`	`62`	`func NewSecretKey() (string, error) {`
`63`		`- secretKey, err := util.RandomString(64)`
	`63`	`+ secretKey, err := util.CryptoRandomString(64)`
`64`	`64`	`if err != nil {`
`65`	`65`	`return "", err`
`66`	`66`	`}`