Test two scenarios:
1. Account linking is set to `auto` and tries to link against a user who
is enrolled into WebAuthn: should show the 2FA screen.
2. User is already linked, logs in via OAuth2 and is enrolled into
WebAuthn: should show the 2FA screen.
(cherry picked from commit aa4ae81fe0)
- Currently during external login (such as OAuth2), if the user is
enrolled into WebAuthn and not enrolled into TOTP, then no 2FA is
done during external login, and when account linking is set to `auto`,
also not during automatic linking. This results in bypassing the 2FA of the
user.
- Create a new unified function that checks if the user is enrolled into
2FA and use this when necessary. Rename the old `HasTwoFactorByUID`
function to `HasTOTPByUID`, which is a more appropriate name.
(cherry picked from commit df5d656827)
Conflicts:
the original commit was trimmed down to be fit for backport
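The decision the commit above describes, as an added illustration that is not Forgejo's code: `User`, `LinkMode` and `ExternalLoginNextStep` are hypothetical names, and the two 2FA checks stand in for the renamed `HasTOTPByUID` and the new unified `HasTwoFactorByUID`.

```go
package main

import "fmt"

// Added illustration, not Forgejo's code: it models whether an external
// (OAuth2) login must pass the 2FA screen, for both an already-linked
// account and automatic linking. User/LinkMode/ExternalLoginNextStep are hypothetical.

type User struct {
	ID           int64
	TOTPEnabled  bool // enrolled in a TOTP authenticator
	WebAuthnKeys int  // number of registered WebAuthn credentials
}

// HasTOTPByUID is the narrow check the old code relied on (TOTP only).
func HasTOTPByUID(u User) bool { return u.TOTPEnabled }

// HasTwoFactorByUID is the unified check: any enrolled second factor counts.
func HasTwoFactorByUID(u User) bool { return u.TOTPEnabled || u.WebAuthnKeys > 0 }

type LinkMode string

const (
	LinkAuto   LinkMode = "auto"   // bind to the matching local account automatically
	LinkPrompt LinkMode = "prompt" // ask the user to link manually
)

// ExternalLoginNextStep decides what happens after the OAuth2 provider returns.
// linked says whether the external identity is already bound to u;
// hasTwoFactor is the enrollment check in use (old TOTP-only or unified).
func ExternalLoginNextStep(u User, linked bool, mode LinkMode, hasTwoFactor func(User) bool) string {
	if !linked && mode != LinkAuto {
		return "link-account" // user must link manually; no session is created yet
	}
	// An already-linked login and an automatic link must pass the same 2FA gate.
	if hasTwoFactor(u) {
		return "2fa"
	}
	return "signed-in"
}

func main() {
	u := User{ID: 7, WebAuthnKeys: 1} // WebAuthn only, no TOTP: the bypassed case
	fmt.Println("old check, auto-link:", ExternalLoginNextStep(u, false, LinkAuto, HasTOTPByUID))
	fmt.Println("new check, auto-link:", ExternalLoginNextStep(u, false, LinkAuto, HasTwoFactorByUID))
	fmt.Println("new check, linked:   ", ExternalLoginNextStep(u, true, LinkPrompt, HasTwoFactorByUID))
}
```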
- A permission check is done when incoming SSH connections are handled (this is
run before git hooks). If this check is for write access and AGit flow
is supported, then this check is degraded to a read check. The
motivation behind this is that for AGit flow the user does not need
write permissions but only read permissions.
- The `if` condition cannot check if this is for AGit flow, as the Git
protocol has not run yet and thus has to delay this permission check.
This `if` condition failed to consider that this also might be run for
LFS, which does not care about AGit flow and would not do a delayed
permission check, so ensure that this degradation only happens when the
`git-receive-pack` command is being run (which roughly equals `git
push`).
- Clarify code comment.
- Added integration test.
(cherry picked from commit 60c1af244a)
Conflicts:
tests/integration/git_test.go
- t.Context() does not exist
- tests do not loop over Git object formats
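The permission decision the commit above describes, as an added illustration that is not Forgejo's code: `RequiredAccessMode` and `AccessMode` are hypothetical names, `git-lfs-authenticate` is assumed as the LFS SSH command that reaches the same check, and the "buggy" variant reproduces the pre-fix condition for comparison.

```go
package main

import "fmt"

// Added illustration, not Forgejo's code. The write check for
// `git-receive-pack` may be postponed (degraded to read) when AGit flow is
// supported: an AGit push only needs read access and the real check runs once
// the Git protocol reveals the target refs. Other commands, such as the LFS
// SSH command `git-lfs-authenticate`, never get that delayed check.

type AccessMode int

const (
	AccessRead AccessMode = iota
	AccessWrite
)

// RequiredAccessMode returns the mode that must be verified before the
// command runs. wantWrite is the access the command would normally need.
func RequiredAccessMode(command string, wantWrite, agitSupported bool) AccessMode {
	if !wantWrite {
		return AccessRead
	}
	// Only a real push can be an AGit push; only then may the write check be
	// delayed until the protocol tells us which refs are being updated.
	if agitSupported && command == "git-receive-pack" {
		return AccessRead
	}
	return AccessWrite // LFS uploads and everything else keep the write check now
}

// RequiredAccessModeBuggy reproduces the condition before the fix: every write
// check was degraded whenever AGit was supported, the LFS case included.
func RequiredAccessModeBuggy(wantWrite, agitSupported bool) AccessMode {
	if wantWrite && !agitSupported {
		return AccessWrite
	}
	return AccessRead
}

func main() {
	lfs := RequiredAccessMode("git-lfs-authenticate", true, true)
	fmt.Println("LFS upload still needs the write check:", lfs == AccessWrite)
	fmt.Println("buggy condition kept the write check:", RequiredAccessModeBuggy(true, true) == AccessWrite)
}
```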
**Backport:** #7715
- Replaces `github.com/go-testfixtures/testfixtures` with a homebrew solution that is fully compatible.
- The reason to replace this library is that it pulls in a lot of other libraries which is causing issues: (1) the test binary becomes bigger than necessary which really shows in incremental build times (this patch removes 27.6MiB of the integration test binary) (2) it pulls in libraries (mainly database drivers) that are not used and are not easy to upgrade in case of a security vulnerability, causing CI failures.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7730
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7720
In order to improve the security of the Forgejo infrastructure, the next-digest repository was moved to a private instance.
## Testing
- After the merge, trigger a mirror to build a new v12.0-test release
- Verify in experimental that the workflows work as expected
- Verify v12.next.forgejo.org is upgraded with the latest commit
- Once the test completes
  - Tag for backport to v11 & v7
  - Manual backport to v7 because it conflicts
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7724
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7707
The default should be https://proxy.golang.org,direct, otherwise
someone trying to build the container image from sources will run into
throttling limits imposed by code.forgejo.org (making more than 10
requests per second).
(cherry picked from commit d2f7fa27ba)
```
Conflicts:
Dockerfile
Dockerfile.rootless
trivial context conflict
```
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7710
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Lucas <sclu1034@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
There is no way to silence vulncheck when there is a non-relevant
security error (https://github.com/golang/go/issues/61211).
This is problematic when fixing such an error would require upgrading
a large amount of dependencies, for instance in the case of
https://github.com/ClickHouse/ch-go/security/advisories/GHSA-m454-3xv7-qj85
which is only ever relevant for testing and not production in the
context of Forgejo.
Now that renovate is used for stable branches, it can be used as an
alternative. It will propose relevant security updates by default and
it will also be possible to decline them if they do not matter.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7676
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Earl Warren <contact@earl-warren.org>
Co-committed-by: Earl Warren <contact@earl-warren.org>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) | require | minor | [`v0.16.0` -> `v0.27.0`](https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.16.0...refs/tags/v0.27.0) |
---
### Unexpected memory consumption during token parsing in golang.org/x/oauth2
[CVE-2025-22868](https://nvd.nist.gov/vuln/detail/CVE-2025-22868) / [GO-2025-3488](https://pkg.go.dev/vuln/GO-2025-3488)
<details>
<summary>More information</summary>
#### Details
An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
#### Severity
Unknown
#### References
- [https://go.dev/cl/652155](https://go.dev/cl/652155)
- [https://go.dev/issue/71490](https://go.dev/issue/71490)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2025-3488) and the [Go Vulnerability Database](https://github.com/golang/vulndb) ([CC-BY 4.0](https://github.com/golang/vulndb#license)).
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - "* 0-3 * * *" (UTC).
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
Co-authored-by: Earl Warren <contact@earl-warren.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7300
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/6299
- [Go 1.24](https://groups.google.com/g/golang-announce/c/vYMfuq_XO6w) is currently out for rc1.
- Using it to test unit tests and integration testing, it failed horribly with strange panics and errors; it is caused by ca63101df4 and Forgejo trying to access the wrong internal data structures that have been changed in Go 1.24.
- Use the new data structure for Go 1.24 and above.
Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7233
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7143
- The security patch of forgejo/forgejo#6843 fixed the issue where project boards loaded all issues without considering if the doer actually had permission to view that issue. Within that patch the call to `Issues` was modified to include this permission checking.
- The query being generated was not entirely correct. Issues in public repositories weren't considered correctly (partly the fault of not setting `AllPublic` unconditionally) in the case where an authenticated user loaded the project.
- This is now fixed by setting `AllPublic` unconditionally and subsequently fixing the `Issue` function to ensure that the combination of setting `AllPublic` and `User` generates the correct query, by combining the permission check and issues in public repositories as one `AND` query.
- Added unit testing.
- Added integration testing.
- Resolves Codeberg/Community#1809
- Regression of https://codeberg.org/forgejo/forgejo/pulls/6843
(cherry picked from commit a2958f5a26)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7145
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-committed-by: Gusted <postmaster@gusted.xyz>
Exhaustively test each combination of deleting and updating an action
variable via the web route.
(cherry picked from commit cd0334f85ac46db7b1b42770c9b4e809ea6f4254)
Exhaustively test each combination of deleting and updating an action
runner via the web route. Although updating an action runner was not
impacted, it's good to have a test nonetheless.
(cherry picked from commit 4ace0e938e7c9efaa40cf17e9440b423ee572375)
The web route to update and delete variables of runners did not check if
the ID that was given belonged to the context it was requested in; this
made it possible to update and delete every existing runner variable of
an instance for any authenticated user.
The code has been reworked to always take into account the context of
the request (owner and repository ID).
(cherry picked from commit 5cb8fdfc8b9213cc368cd074aac93a1327ea20b0)
The commit has, in addition to the implementation of the API, a few
function refactors that are useful in backports.
---
close #27801
---------
Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 62b073e6f31645e446c7e8d6b5a506f61b47924e)
Conflicts:
- modules/util/util.go
Trivial resolution, only picking the newly introduced function
- routers/api/v1/swagger/options.go
Trivial resolution. We don't have UserBadges, don't pick that part.
- templates/swagger/v1_json.tmpl
Regenerated.
(cherry picked from commit 16696a42f5)
The web route to delete action runners did not check if the ID that was
given belonged to the context it was requested in; this made it possible
to delete every existing runner of an instance by an authenticated user.
The code was reworked to ensure that the caller of the delete
runner function retrieves the runner by ID and then checks if it belongs
to the context it was requested in; although this is not an optimal
solution, it is consistent with the context checking of other code for
runners.
(cherry picked from commit 567765be03d56d6c8c36bb783c330c8ca70b1aca)
Conflicts:
models/actions/runner.go
models/actions/runner_test.go
conflicting UUID bug fix and associated tests do not exist
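The scope check described in the two commits above (runner variables and runners), as one added illustration that is not Forgejo's code: `Runner`, `RequestScope` and `Store` are hypothetical names, and the exact match on owner and repository ID is a simplifying assumption. Before the fix, the route simply deleted whatever ID it was given.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration, not Forgejo's code. A runner (or runner variable)
// fetched by ID must belong to the owner/repository the web route was invoked
// for before it may be deleted. Names and the exact-match rule are assumptions.

type Runner struct {
	ID      int64
	OwnerID int64 // user or organisation it is registered to (0 = none)
	RepoID  int64 // repository it is registered to (0 = none)
}

// RequestScope is the owner/repository the web route was called for.
type RequestScope struct{ OwnerID, RepoID int64 }

var ErrNotFound = errors.New("runner not found")
var ErrNotInScope = errors.New("runner does not belong to this owner/repository")

type Store struct{ runners map[int64]Runner }

func NewStore(rs ...Runner) *Store {
	s := &Store{runners: make(map[int64]Runner, len(rs))}
	for _, r := range rs {
		s.runners[r.ID] = r
	}
	return s
}

// Delete fetches the runner by ID, then refuses unless it belongs to scope.
func (s *Store) Delete(scope RequestScope, id int64) error {
	r, ok := s.runners[id]
	if !ok {
		return ErrNotFound
	}
	if r.OwnerID != scope.OwnerID || r.RepoID != scope.RepoID {
		return ErrNotInScope // valid ID, but not this owner's/repository's runner
	}
	delete(s.runners, id)
	return nil
}

func main() {
	s := NewStore(Runner{ID: 1, OwnerID: 10}, Runner{ID: 2, RepoID: 20})
	fmt.Println(s.Delete(RequestScope{OwnerID: 10}, 2)) // runner 2 is not in scope
}
```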
- Add integration and unit tests to ensure that private issues on
projects are not shown in any way, shape or form when the doer has no
access to them.
(cherry picked from commit 55dcc1d06cb12ddb750a0289fbb6e212f93957a8)
- Do an access check when loading issues for a project board, currently
this is not done and exposes the title, labels and existence of a
private issue that the viewer of the project board may not have access
to.
- The number of issues cannot be calculated in an efficient manner
and stored in the database because their number may vary depending on
the visibility of the repositories participating in the project. The
previous implementation used the pre-calculated numbers stored in each
project, which did not reflect that potential variation.
- The code is derived from https://github.com/go-gitea/gitea/pull/22865
(cherry picked from commit 2193afaeb9954a5778f5a47aafd0e6fbbf48d000)
- The doctor commands to check the validity of existing usernames and
email addresses depend on functionality that has configurable behavior
depending on the values of the `[service]` settings, so load them when
running the doctor command.
- Resolves #6664
- No unit test due to the architecture of doctor commands.
(cherry picked from commit 46e60ce966)
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that were chosen by `x/crypto/ssh` after successfully
authenticating; this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack; although partially mitigated by the fix in `x/crypto/ssh`, it
would not be good practice and defense in depth to rely on it.
- Existing tests cover that the functionality is preserved.
- No tests are added to ensure it fixes the described security issue; as the
exploit relies on non-standard SSH behavior, it would be too hard to
craft SSH packets to exploit this.
(cherry picked from commit 3e1b03838e)
Conflicts:
go.mod
go.sum
trivial context conflict
The milestone can only be determined to be final when a pull request
is merged.
It is possible that a pull request is opened during the development of
v10 and merged after it is published.
It is also possible that it is permanently closed without being merged.
(cherry picked from commit 6f53f7d007)