Merge remote-tracking branch 'giteaofficial/main'

zjjhot · zjjhot · commit b4a44436e9f6 · 2023-12-13T10:14:18.000+08:00
* giteaofficial/main: [skip ci] Updated translations via Crowdin Fix possible nil pointer access (go-gitea#28428) Don't show unnecessary citation JS error on UI (go-gitea#28433) Do some missing checks (go-gitea#28423) Deprecate query string auth tokens (go-gitea#28390)
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -492,6 +492,11 @@ INTERNAL_TOKEN=
 ;; Cache successful token hashes. API tokens are stored in the DB as pbkdf2 hashes however, this means that there is a potentially significant hashing load when there are multiple API operations.
 ;; This cache will store the successfully hashed tokens in a LRU cache as a balance between performance and security.
 ;SUCCESSFUL_TOKENS_CACHE_SIZE = 20
+;;
+;; Reject API tokens sent in URL query string (Accept Header-based API tokens only). This avoids security vulnerabilities
+;; stemming from cached/logged plain-text API tokens.
+;; In future releases, this will become the default behavior
+;DISABLE_QUERY_AUTH_TOKEN = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/modules/setting/security.go b/modules/setting/security.go
@@ -34,6 +34,7 @@ var (
 	PasswordHashAlgo                   string
 	PasswordCheckPwn                   bool
 	SuccessfulTokensCacheSize          int
+	DisableQueryAuthToken              bool
 	CSRFCookieName                     = "_csrf"
 	CSRFCookieHTTPOnly                 = true
 )
@@ -157,4 +158,11 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 			PasswordComplexity = append(PasswordComplexity, name)
 		}
 	}
+
+	// TODO: default value should be true in future releases
+	DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)
+
+	if !DisableQueryAuthToken {
+		log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")
+	}
 }
diff --git a/options/locale/locale_lv-LV.ini b/options/locale/locale_lv-LV.ini
@@ -80,6 +80,7 @@ milestones=Atskaites punkti
 
 ok=Labi
 cancel=Atcelt
+retry=Mēģināt vēlreiz
 rerun=Palaist atkārtoti
 rerun_all=Palaist atkārtoti visus darbus
 save=Saglabāt
@@ -95,6 +96,7 @@ disabled=Atspējots
 
 copy=Kopēt
 copy_url=Kopēt saiti
+copy_hash=Kopēt jaucējkodu
 copy_content=Kopēt saturu
 copy_branch=Kopēt atzara nosaukumu
 copy_success=Nokopēts!
@@ -129,6 +131,7 @@ show_timestamps=Rādīt laika zīmogus
 show_log_seconds=Rādīt sekundes
 show_full_screen=Atvērt pilnā logā
 
+confirm_delete_selected=Apstiprināt, lai izdzēstu visus atlasītos vienumus?
 
 name=Nosaukums
 value=Vērtība
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
@@ -35,10 +35,12 @@
 //	     type: apiKey
 //	     name: token
 //	     in: query
+//	     description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
 //	AccessToken:
 //	     type: apiKey
 //	     name: access_token
 //	     in: query
+//	     description: This authentication option is deprecated for removal in Gitea 1.23. Please use AuthorizationHeaderToken instead.
 //	AuthorizationHeaderToken:
 //	     type: apiKey
 //	     name: Authorization
@@ -788,6 +790,31 @@ func verifyAuthWithOptions(options *common.VerifyOptions) func(ctx *context.APIC
 	}
 }
 
+func individualPermsChecker(ctx *context.APIContext) {
+	// org permissions have been checked in context.OrgAssignment(), but individual permissions haven't been checked.
+	if ctx.ContextUser.IsIndividual() {
+		switch {
+		case ctx.ContextUser.Visibility == api.VisibleTypePrivate:
+			if ctx.Doer == nil || (ctx.ContextUser.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin) {
+				ctx.NotFound("Visit Project", nil)
+				return
+			}
+		case ctx.ContextUser.Visibility == api.VisibleTypeLimited:
+			if ctx.Doer == nil {
+				ctx.NotFound("Visit Project", nil)
+				return
+			}
+		}
+	}
+}
+
+// check for and warn against deprecated authentication options
+func checkDeprecatedAuthMethods(ctx *context.APIContext) {
+	if ctx.FormString("token") != "" || ctx.FormString("access_token") != "" {
+		ctx.Resp.Header().Set("Warning", "token and access_token API authentication is deprecated and will be removed in gitea 1.23. Please use AuthorizationHeaderToken instead. Existing queries will continue to work but without authorization.")
+	}
+}
+
 // Routes registers all v1 APIs routes to web application.
 func Routes() *web.Route {
 	m := web.NewRoute()
@@ -806,6 +833,8 @@ func Routes() *web.Route {
 	}
 	m.Use(context.APIContexter())
 
+	m.Use(checkDeprecatedAuthMethods)
+
 	// Get user from session if logged in.
 	m.Use(apiAuth(buildAuthGroup()))
 
@@ -888,7 +917,7 @@ func Routes() *web.Route {
 				}, reqSelfOrAdmin(), reqBasicOrRevProxyAuth())
 
 				m.Get("/activities/feeds", user.ListUserActivityFeeds)
-			}, context_service.UserAssignmentAPI())
+			}, context_service.UserAssignmentAPI(), individualPermsChecker)
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryUser))
 
 		// Users (requires user scope)
diff --git a/routers/web/web.go b/routers/web/web.go
@@ -796,6 +796,24 @@ func registerRoutes(m *web.Route) {
 		}
 	}
 
+	individualPermsChecker := func(ctx *context.Context) {
+		// org permissions have been checked in context.OrgAssignment(), but individual permissions haven't been checked.
+		if ctx.ContextUser.IsIndividual() {
+			switch {
+			case ctx.ContextUser.Visibility == structs.VisibleTypePrivate:
+				if ctx.Doer == nil || (ctx.ContextUser.ID != ctx.Doer.ID && !ctx.Doer.IsAdmin) {
+					ctx.NotFound("Visit Project", nil)
+					return
+				}
+			case ctx.ContextUser.Visibility == structs.VisibleTypeLimited:
+				if ctx.Doer == nil {
+					ctx.NotFound("Visit Project", nil)
+					return
+				}
+			}
+		}
+	}
+
 	// ***** START: Organization *****
 	m.Group("/org", func() {
 		m.Group("/{org}", func() {
@@ -976,11 +994,11 @@ func registerRoutes(m *web.Route) {
 					return
 				}
 			})
-		})
+		}, reqUnitAccess(unit.TypeProjects, perm.AccessModeRead, true), individualPermsChecker)
 
 		m.Group("", func() {
 			m.Get("/code", user.CodeSearch)
-		}, reqUnitAccess(unit.TypeCode, perm.AccessModeRead, false))
+		}, reqUnitAccess(unit.TypeCode, perm.AccessModeRead, false), individualPermsChecker)
 	}, ignSignIn, context_service.UserAssignmentWeb(), context.OrgAssignment()) // for "/{username}/-" (packages, projects, code)
 
 	m.Group("/{username}/{reponame}", func() {
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
@@ -14,6 +14,7 @@ import (
 	auth_model "code.gitea.io/gitea/models/auth"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
@@ -62,14 +63,19 @@ func (o *OAuth2) Name() string {
 // representing whether the token exists or not
 func parseToken(req *http.Request) (string, bool) {
 	_ = req.ParseForm()
-	// Check token.
-	if token := req.Form.Get("token"); token != "" {
-		return token, true
-	}
-	// Check access token.
-	if token := req.Form.Get("access_token"); token != "" {
-		return token, true
+	if !setting.DisableQueryAuthToken {
+		// Check token.
+		if token := req.Form.Get("token"); token != "" {
+			return token, true
+		}
+		// Check access token.
+		if token := req.Form.Get("access_token"); token != "" {
+			return token, true
+		}
+	} else if req.Form.Get("token") != "" || req.Form.Get("access_token") != "" {
+		log.Warn("API token sent in query string but DISABLE_QUERY_AUTH_TOKEN=true")
 	}
+
 	// check header token
 	if auHead := req.Header.Get("Authorization"); auHead != "" {
 		auths := strings.Fields(auHead)
diff --git a/services/packages/alpine/repository.go b/services/packages/alpine/repository.go
@@ -82,10 +82,7 @@ func BuildAllRepositoryFiles(ctx context.Context, ownerID int64) error {
 	}
 
 	for _, pf := range pfs {
-		if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {
-			return err
-		}
-		if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {
+		if err := packages_service.DeletePackageFile(ctx, pf); err != nil {
 			return err
 		}
 	}
@@ -157,12 +154,11 @@ func buildPackagesIndex(ctx context.Context, ownerID int64, repoVersion *package
 		pf, err := packages_model.GetFileForVersionByName(ctx, repoVersion.ID, IndexFilename, fmt.Sprintf("%s|%s|%s", branch, repository, architecture))
 		if err != nil && !errors.Is(err, util.ErrNotExist) {
 			return err
+		} else if pf == nil {
+			return nil
 		}
 
-		if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {
-			return err
-		}
-		return packages_model.DeleteFileByID(ctx, pf.ID)
+		return packages_service.DeletePackageFile(ctx, pf)
 	}
 
 	// Cache data needed for all repository files
diff --git a/services/packages/container/cleanup.go b/services/packages/container/cleanup.go
@@ -11,6 +11,7 @@ import (
 	container_model "code.gitea.io/gitea/models/packages/container"
 	container_module "code.gitea.io/gitea/modules/packages/container"
 	"code.gitea.io/gitea/modules/util"
+	packages_service "code.gitea.io/gitea/services/packages"
 
 	digest "github.com/opencontainers/go-digest"
 )
@@ -47,10 +48,7 @@ func cleanupExpiredUploadedBlobs(ctx context.Context, olderThan time.Duration) e
 	}
 
 	for _, pf := range pfs {
-		if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {
-			return err
-		}
-		if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {
+		if err := packages_service.DeletePackageFile(ctx, pf); err != nil {
 			return err
 		}
 	}
diff --git a/services/packages/debian/repository.go b/services/packages/debian/repository.go
@@ -110,10 +110,7 @@ func BuildAllRepositoryFiles(ctx context.Context, ownerID int64) error {
 	}
 
 	for _, pf := range pfs {
-		if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {
-			return err
-		}
-		if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {
+		if err := packages_service.DeletePackageFile(ctx, pf); err != nil {
 			return err
 		}
 	}
@@ -181,12 +178,11 @@ func buildPackagesIndices(ctx context.Context, ownerID int64, repoVersion *packa
 			pf, err := packages_model.GetFileForVersionByName(ctx, repoVersion.ID, filename, key)
 			if err != nil && !errors.Is(err, util.ErrNotExist) {
 				return err
+			} else if pf == nil {
+				continue
 			}
 
-			if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {
-				return err
-			}
-			if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {
+			if err := packages_service.DeletePackageFile(ctx, pf); err != nil {
 				return err
 			}
 		}
@@ -286,12 +282,11 @@ func buildReleaseFiles(ctx context.Context, ownerID int64, repoVersion *packages
 			pf, err := packages_model.GetFileForVersionByName(ctx, repoVersion.ID, filename, distribution)
 			if err != nil && !errors.Is(err, util.ErrNotExist) {
 				return err
+			} else if pf == nil {
+				continue
 			}
 
-			if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {
-				return err
-			}
-			if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {
+			if err := packages_service.DeletePackageFile(ctx, pf); err != nil {
 				return err
 			}
 		}
diff --git a/services/packages/rpm/repository.go b/services/packages/rpm/repository.go
@@ -148,10 +148,7 @@ func BuildRepositoryFiles(ctx context.Context, ownerID int64) error {
 			return err
 		}
 		for _, pf := range pfs {
-			if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {
-				return err
-			}
-			if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {
+			if err := packages_service.DeletePackageFile(ctx, pf); err != nil {
 				return err
 			}
 		}
diff --git a/templates/swagger/v1_json.tmpl b/templates/swagger/v1_json.tmpl
diff --git a/tests/integration/project_test.go b/tests/integration/project_test.go
@@ -0,0 +1,23 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/tests"
+)
+
+func TestPrivateRepoProject(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+
+	// not logged in user
+	req := NewRequest(t, "GET", "/user31/-/projects")
+	MakeRequest(t, req, http.StatusNotFound)
+
+	sess := loginUser(t, "user1")
+	req = NewRequest(t, "GET", "/user31/-/projects")
+	sess.MakeRequest(t, req, http.StatusOK)
+}
diff --git a/web_src/js/features/citation.js b/web_src/js/features/citation.js
@@ -2,7 +2,7 @@ import $ from 'jquery';
 
 const {pageData} = window.config;
 
-const initInputCitationValue = async ($citationCopyApa, $citationCopyBibtex) => {
+async function initInputCitationValue($citationCopyApa, $citationCopyBibtex) {
   const [{Cite, plugins}] = await Promise.all([
     import(/* webpackChunkName: "citation-js-core" */'@citation-js/core'),
     import(/* webpackChunkName: "citation-js-formats" */'@citation-js/plugin-software-formats'),
@@ -19,9 +19,9 @@ const initInputCitationValue = async ($citationCopyApa, $citationCopyBibtex) =>
   const bibtexOutput = citationFormatter.format('bibtex', {lang});
   $citationCopyBibtex.attr('data-text', bibtexOutput);
   $citationCopyApa.attr('data-text', apaOutput);
-};
+}
 
-export function initCitationFileCopyContent() {
+export async function initCitationFileCopyContent() {
   const defaultCitationFormat = 'apa'; // apa or bibtex
 
   if (!pageData.citationFileContent) return;
@@ -39,7 +39,14 @@ export function initCitationFileCopyContent() {
     $citationCopyBibtex.toggleClass('primary', isBibtex);
     $citationCopyApa.toggleClass('primary', !isBibtex);
   };
-  initInputCitationValue($citationCopyApa, $citationCopyBibtex).then(updateUi);
+
+  try {
+    await initInputCitationValue($citationCopyApa, $citationCopyBibtex);
+  } catch (e) {
+    console.error(`initCitationFileCopyContent error: ${e}`, e);
+    return;
+  }
+  updateUi();
 
   $citationCopyApa.on('click', () => {
     localStorage.setItem('citation-copy-format', 'apa');

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,7 @@ var (`
`34`	`34`	`PasswordHashAlgo string`
`35`	`35`	`PasswordCheckPwn bool`
`36`	`36`	`SuccessfulTokensCacheSize int`
	`37`	`+ DisableQueryAuthToken bool`
`37`	`38`	`CSRFCookieName = "_csrf"`
`38`	`39`	`CSRFCookieHTTPOnly = true`
`39`	`40`	`)`
`@@ -157,4 +158,11 @@ func loadSecurityFrom(rootCfg ConfigProvider) {`
`157`	`158`	`PasswordComplexity = append(PasswordComplexity, name)`
`158`	`159`	`}`
`159`	`160`	`}`
	`161`	`+`
	`162`	`+ // TODO: default value should be true in future releases`
	`163`	`+ DisableQueryAuthToken = sec.Key("DISABLE_QUERY_AUTH_TOKEN").MustBool(false)`
	`164`	`+`
	`165`	`+ if !DisableQueryAuthToken {`
	`166`	`+ log.Warn("Enabling Query API Auth tokens is not recommended. DISABLE_QUERY_AUTH_TOKEN will default to true in gitea 1.23 and will be removed in gitea 1.24.")`
	`167`	`+ }`
`160`	`168`	`}`
Original file line number	Diff line number	Diff line change
`@@ -82,10 +82,7 @@ func BuildAllRepositoryFiles(ctx context.Context, ownerID int64) error {`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`for _, pf := range pfs {`
`85`		`- if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {`
`86`		`- return err`
`87`		`- }`
`88`		`- if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {`
	`85`	`+ if err := packages_service.DeletePackageFile(ctx, pf); err != nil {`
`89`	`86`	`return err`
`90`	`87`	`}`
`91`	`88`	`}`
`@@ -157,12 +154,11 @@ func buildPackagesIndex(ctx context.Context, ownerID int64, repoVersion *package`
`157`	`154`	`pf, err := packages_model.GetFileForVersionByName(ctx, repoVersion.ID, IndexFilename, fmt.Sprintf("%s\|%s\|%s", branch, repository, architecture))`
`158`	`155`	`if err != nil && !errors.Is(err, util.ErrNotExist) {`
`159`	`156`	`return err`
	`157`	`+ } else if pf == nil {`
	`158`	`+ return nil`
`160`	`159`	`}`
`161`	`160`
`162`		`- if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {`
`163`		`- return err`
`164`		`- }`
`165`		`- return packages_model.DeleteFileByID(ctx, pf.ID)`
	`161`	`+ return packages_service.DeletePackageFile(ctx, pf)`
`166`	`162`	`}`
`167`	`163`
`168`	`164`	`// Cache data needed for all repository files`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import (`
`11`	`11`	`container_model "code.gitea.io/gitea/models/packages/container"`
`12`	`12`	`container_module "code.gitea.io/gitea/modules/packages/container"`
`13`	`13`	`"code.gitea.io/gitea/modules/util"`
	`14`	`+ packages_service "code.gitea.io/gitea/services/packages"`
`14`	`15`
`15`	`16`	`digest "github.com/opencontainers/go-digest"`
`16`	`17`	`)`
`@@ -47,10 +48,7 @@ func cleanupExpiredUploadedBlobs(ctx context.Context, olderThan time.Duration) e`
`47`	`48`	`}`
`48`	`49`
`49`	`50`	`for _, pf := range pfs {`
`50`		`- if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {`
`51`		`- return err`
`52`		`- }`
`53`		`- if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {`
	`51`	`+ if err := packages_service.DeletePackageFile(ctx, pf); err != nil {`
`54`	`52`	`return err`
`55`	`53`	`}`
`56`	`54`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,10 +110,7 @@ func BuildAllRepositoryFiles(ctx context.Context, ownerID int64) error {`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`for _, pf := range pfs {`
`113`		`- if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {`
`114`		`- return err`
`115`		`- }`
`116`		`- if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {`
	`113`	`+ if err := packages_service.DeletePackageFile(ctx, pf); err != nil {`
`117`	`114`	`return err`
`118`	`115`	`}`
`119`	`116`	`}`
`@@ -181,12 +178,11 @@ func buildPackagesIndices(ctx context.Context, ownerID int64, repoVersion *packa`
`181`	`178`	`pf, err := packages_model.GetFileForVersionByName(ctx, repoVersion.ID, filename, key)`
`182`	`179`	`if err != nil && !errors.Is(err, util.ErrNotExist) {`
`183`	`180`	`return err`
	`181`	`+ } else if pf == nil {`
	`182`	`+ continue`
`184`	`183`	`}`
`185`	`184`
`186`		`- if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {`
`187`		`- return err`
`188`		`- }`
`189`		`- if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {`
	`185`	`+ if err := packages_service.DeletePackageFile(ctx, pf); err != nil {`
`190`	`186`	`return err`
`191`	`187`	`}`
`192`	`188`	`}`
`@@ -286,12 +282,11 @@ func buildReleaseFiles(ctx context.Context, ownerID int64, repoVersion *packages`
`286`	`282`	`pf, err := packages_model.GetFileForVersionByName(ctx, repoVersion.ID, filename, distribution)`
`287`	`283`	`if err != nil && !errors.Is(err, util.ErrNotExist) {`
`288`	`284`	`return err`
	`285`	`+ } else if pf == nil {`
	`286`	`+ continue`
`289`	`287`	`}`
`290`	`288`
`291`		`- if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {`
`292`		`- return err`
`293`		`- }`
`294`		`- if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {`
	`289`	`+ if err := packages_service.DeletePackageFile(ctx, pf); err != nil {`
`295`	`290`	`return err`
`296`	`291`	`}`
`297`	`292`	`}`
Original file line number	Diff line number	Diff line change
`@@ -148,10 +148,7 @@ func BuildRepositoryFiles(ctx context.Context, ownerID int64) error {`
`148`	`148`	`return err`
`149`	`149`	`}`
`150`	`150`	`for _, pf := range pfs {`
`151`		`- if err := packages_model.DeleteAllProperties(ctx, packages_model.PropertyTypeFile, pf.ID); err != nil {`
`152`		`- return err`
`153`		`- }`
`154`		`- if err := packages_model.DeleteFileByID(ctx, pf.ID); err != nil {`
	`151`	`+ if err := packages_service.DeletePackageFile(ctx, pf); err != nil {`
`155`	`152`	`return err`
`156`	`153`	`}`
`157`	`154`	`}`