There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
This is an extensive PR attempting to fix these issues.
1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future.
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net>
Signed-off-by: Andrew Thornton <art27@cantab.net>
This change enables the usage of U2F without being forced to enroll an TOTP authenticator.
The `/user/auth/u2f` has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled.
Fixes #5410
Fixes #17495
* Move GPG form before list and add cancel button
* Move SSH form before list and add cancel button
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
]* fix aria-hidden and tabindex
* use {{template "base/disable_form_autofill"}} instead of {{DisableFormAutofill}}
Co-authored-by: zeripath <art27@cantab.net>
Add ignore-dirty to /user/settings/account
Add autocomplete="off" to push_mirror_address form on /:owner/:repo/settings
Fix #16861
Signed-off-by: Andrew Thornton <art27@cantab.net>
`models` does far too much. In particular it handles all `UserSignin`.
It shouldn't be responsible for calling LDAP, SMTP or PAM for signing in.
Therefore we should move this code out of `models`.
This code has to depend on `models` - therefore it belongs in `services`.
There is a package in `services` called `auth` and clearly this functionality belongs in there.
Plan:
- [x] Change `auth.Auth` to `auth.Method` - as they represent methods of authentication.
- [x] Move `models.UserSignIn` into `auth`
- [x] Move `models.ExternalUserLogin`
- [x] Move most of the `LoginVia*` methods to `auth` or subpackages
- [x] Move Resynchronize functionality to `auth`
- Involved some restructuring of `models/ssh_key.go` to reduce the size of this massive file and simplify its files.
- [x] Move the rest of the LDAP functionality in to the ldap subpackage
- [x] Re-factor the login sources to express an interfaces `auth.Source`?
- I've done this through some smaller interfaces Authenticator and Synchronizable - which would allow us to extend things in future
- [x] Now LDAP is out of models - need to think about modules/auth/ldap and I think all of that functionality might just be moveable
- [x] Similarly a lot Oauth2 functionality need not be in models too and should be moved to services/auth/source/oauth2
- [x] modules/auth/oauth2/oauth2.go uses xorm... This is naughty - probably need to move this into models.
- [x] models/oauth2.go - mostly should be in modules/auth/oauth2 or services/auth/source/oauth2
- [x] More simplifications of login_source.go may need to be done
- Allow wiring in of notify registration - *this can now easily be done - but I think we should do it in another PR* - see #16178
- More refactors...?
- OpenID should probably become an auth Method but I think that can be left for another PR
- Methods should also probably be cleaned up - again another PR I think.
- SSPI still needs more refactors.* Rename auth.Auth auth.Method
* Restructure ssh_key.go
- move functions from models/user.go that relate to ssh_key to ssh_key
- split ssh_key.go to try create clearer function domains for allow for
future refactors here.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* fix: primary email cannot be activated
* Primary email should be activated together with user account when
'RegisterEmailConfirm' is enabled.
* To fix the existing error state. When 'RegisterEmailConfirm' is enabled, the
admin should have permission to modify the activations status of user email.
And the user should be allowed to send activation to primary email.
* Only judge whether email is primary from email_address table.
* Improve logging and refactor isEmailActive
Co-authored-by: zeripath <art27@cantab.net>
* Add option to provide signed token to verify key ownership
Currently we will only allow a key to be matched to a user if it matches
an activated email address. This PR provides a different mechanism - if
the user provides a signature for automatically generated token (based
on the timestamp, user creation time, user ID, username and primary
email.
* Ensure verified keys can act for all active emails for the user
* Add code to mark keys as verified
* Slight UI adjustments
* Slight UI adjustments 2
* Simplify signature verification slightly
* fix postgres test
* add api routes
* handle swapped primary-keys
* Verify the no-reply address for verified keys
* Only add email addresses that are activated to keys
* Fix committer shortcut properly
* Restructure gpg_keys.go
* Use common Verification Token code
Signed-off-by: Andrew Thornton <art27@cantab.net>
Now that #16069 is merged, some sites may wish to enforce that users are all public, limited or private, and/or disallow users from becoming private.
This PR adds functionality and settings to constrain a user's ability to change their visibility.
Co-authored-by: zeripath <art27@cantab.net>
You can limit or hide organisations. This pull make it also posible for users
- new strings to translte
- add checkbox to user profile form
- add checkbox to admin user.edit form
- filter explore page user search
- filter api admin and public user searches
- allow admins view "hidden" users
- add app option DEFAULT_USER_VISIBILITY
- rewrite many files to use Visibility field
- check for teams intersection
- fix context output
- right fake 404 if not visible
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: Andrew Thornton <art27@cantab.net>
* Create a session on ReverseProxy and ensure that ReverseProxy users cannot change username
ReverseProxy users should generate a session on reverse proxy username change.
Also prevent ReverseProxy users from changing their username.
Fix #2407
* add testcase
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Enforce tab indendation in templates
This adds editorconfig-checker [1] to lint the template files so they
conform the editorconfig files. I fixed all current identation issues
using the fix mode of eclint [2] and some manual corrections.
We can extend this linting to other files later, for now I'd like this
PR to focus on HTML template files only.
[1] https://github.com/editorconfig-checker/editorconfig-checker
[2] https://github.com/jedmao/eclint
* fix indendation
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Update JS dependencies
- Update all JS dependencies
- For octicons, rename trashcan to trash
- For svgo, migrate to v2 api, output seems to have slightly changed but icons look the same
- For stylelint, update config, fix custom property duplicates
- For monaco, drop legacy Edge support
- For eslint, enable new rules, fix new issues
- For less-loader, remove deprecated import syntax
* update svgo usage in generate-images and rebuild logo.svg with it
* Add redirect for user
* Add redirect for orgs
* Add user redirect test
* Appease linter
* Add comment to DeleteUserRedirect function
* Fix locale changes
* Fix GetUserByParams
* Fix orgAssignment
* Remove debug logging
* Add redirect prompt
* Dont Export DeleteUserRedirect & only use it within a session
* Unexport newUserRedirect
* cleanup
* Fix & Dedub API code
* Format Template
* Add Migration & rm dublicat
* Refactor: unexport newRepoRedirect() & rm dedub del exec
* if this fails we'll need to re-rename the user directory
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* refactor models.DeleteComment and delete related reactions too
* use deleteComment for UserDeleteWithCommentsMaxDays in DeleteUser
* nits
* Use time.Duration as other time settings have
* docs
* Resolve Fixme & fix potential deadlock
* Disabled by Default
* Update Config Value Description
* switch args
* Update models/issue_comment.go
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: zeripath <art27@cantab.net>
* Implement ghost comment mitigation
Adds a config option USER_DELETE_WITH_COMMENTS_MAX_DAYS to the [service] section. See https://codeberg.org/Codeberg/Discussion/issues/24 for the underlying issue.
* cleanup
* use setting module correctly
* add to docs
Co-authored-by: Moritz Marquardt <git@momar.de>
* Disable SSH key addition and deletion when externally managed
When a user has a login source which has SSH key management
key addition and deletion using the UI should be disabled.
Fix #13983
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Make only externally managed keys disabled
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
* Replace more icons with SVG
- Replace remaining icons on admin page with SVG
- Fix vertical menu background on arc-green
- Minor improvments to frontpage repo search
- More icon replacements here and there
* fix integration
* whitespace tweak
* add comment
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Direct avatar rendering
This adds new template helpers for avatar rendering which output image
elements with direct links to avatars which makes them cacheable by the
browsers.
This should be a major performance improvment for pages with many avatars.
* fix avatars of other user's profile pages
* fix top border on user avatar name
* uncircle avatars
* remove old incomplete avatar selector
* use title attribute for name and add it back on blame
* minor refactor
* tweak comments
* fix url path join and adjust test to new result
* dedupe functions
* Add class to page content to unify top margin
Previously pages would individually set this margin but some didn't so
content would stick to the header without any space. Resolve this by
adding a new class that is added on all pages. The only place where we
remove this margin again is on the pages with menu or wrapper in the
header.
* fix admin notices
* fix team pages
* fix loading segment on gitgraph for arc-green
* fix last missing case
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Fix links to repositories in /user/setting/repos
somehow the links gained a spurious $ in the links.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* And fix #13359
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Remove obsolete change of email on profile page
The change email on the account profile page is out-of-date
and unnecessary.
Changing email should be done using the account page.
Fix #13336
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add ssh certificate support
* Add ssh certificate support to builtin ssh
* Write trusted-user-ca-keys.pem based on configuration
* Update app.example.ini
* Update templates/user/settings/keys_principal.tmpl
Co-authored-by: silverwind <me@silverwind.io>
* Remove unused locale string
* Update options/locale/locale_en-US.ini
Co-authored-by: silverwind <me@silverwind.io>
* Update options/locale/locale_en-US.ini
Co-authored-by: silverwind <me@silverwind.io>
* Update models/ssh_key.go
Co-authored-by: silverwind <me@silverwind.io>
* Add missing creation of SSH.Rootpath
* Update cheatsheet, example and locale strings
* Update models/ssh_key.go
Co-authored-by: zeripath <art27@cantab.net>
* Update models/ssh_key.go
Co-authored-by: zeripath <art27@cantab.net>
* Update models/ssh_key.go
Co-authored-by: zeripath <art27@cantab.net>
* Update models/ssh_key.go
Co-authored-by: zeripath <art27@cantab.net>
* Update models/ssh_key.go
* Optimizations based on feedback
* Validate CA keys for external sshd
* Add filename option and change default filename
Add a SSH_TRUSTED_USER_CA_KEYS_FILENAME option which default is
RUN_USER/.ssh/gitea-trusted-user-ca-keys.pem
Do not write a file when SSH_TRUSTED_USER_CA_KEYS is empty.
Add some more documentation.
* Remove unneeded principalkey functions
* Add blank line
* Apply suggestions from code review
Co-authored-by: zeripath <art27@cantab.net>
* Add SSH_AUTHORIZED_PRINCIPALS_ALLOW option
This adds a SSH_AUTHORIZED_PRINCIPALS_ALLOW which is default
email,username this means that users only can add the principals
that match their email or username.
To allow anything the admin need to set the option anything.
This allows for a safe default in gitea which protects against malicious
users using other user's prinicipals. (before that user could set it).
This commit also has some small other fixes from the last code review.
* Rewrite principal keys file on user deletion
* Use correct rewrite method
* Set correct AuthorizedPrincipalsBackup default setting
* Rewrite principalsfile when adding principals
* Add update authorized_principals option to admin dashboard
* Handle non-primary emails
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add the command actually to the dashboard template
* Update models/ssh_key.go
Co-authored-by: silverwind <me@silverwind.io>
* By default do not show principal options unless there are CA keys set or they are explicitly set
Signed-off-by: Andrew Thornton <art27@cantab.net>
* allow settings when enabled
* Fix typos in TrustedUserCAKeys path
* Allow every CASignatureAlgorithms algorithm
As this depends on the content of TrustedUserCAKeys we should allow all
signature algorithms as admins can choose the specific algorithm on their
signing CA
* Update models/ssh_key.go
Co-authored-by: Lauris BH <lauris@nix.lv>
* Fix linting issue
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: zeripath <art27@cantab.net>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: techknowlogick <matti@mdranta.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
`new-password` prevents annoying autocompletion in some cases, thought
it's not semantically correct to use that for example on all three
fields on the user account page, so some annoyances remain.
Co-authored-by: Lauris BH <lauris@nix.lv>
* CSS tweaks to warning/error segments and misc fixes
- Adjust styling for warning/error in arc-green
- Change danger boxes from orange to red
- Fix code highlight text color in arc-green
- Fix warning message in arc-green
- Fix border in org member list in arc-green
- Fix disabled checkbox text in arc-green
* use same selector in gitea theme
* fix blame highlight
Co-authored-by: zeripath <art27@cantab.net>
The links now redirected to docs.github.com. `common SSH problems` link
is misredirected to `Authenticating to GitHub` page, so it has been
corrected to the proper `troubleshooting SSH` page.
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Don't automatically delete repository files if they are present
Prior to this PR Gitea would delete any repository files if they are
present during creation or migration. This can in certain circumstances
lead to data-loss and is slightly unpleasant.
This PR provides a mechanism for Gitea to adopt repositories on creation
and otherwise requires an explicit flag for deletion.
PushCreate is slightly different - the create will cause adoption if
that is allowed otherwise it will delete the data if that is allowed.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update swagger
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Fix tests and migrate overwrite
Signed-off-by: Andrew Thornton <art27@cantab.net>
* as per @lunny
Only offer to adopt or overwrite if the user can do that.
Allow the site administrator to adopt or overwrite in all
circumstances
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Use setting.Repository.DefaultBranch for the default branch
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Always set setting.Repository.DefaultBranch
Signed-off-by: Andrew Thornton <art27@cantab.net>
* update swagger
Signed-off-by: Andrew Thornton <art27@cantab.net>
* update templates
Signed-off-by: Andrew Thornton <art27@cantab.net>
* ensure repo closed
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Rewrite of adoption as per @6543 and @lunny
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Apply suggestions from code review
* update swagger
Signed-off-by: Andrew Thornton <art27@cantab.net>
* missing not
Signed-off-by: Andrew Thornton <art27@cantab.net>
* add modals and flash reporting
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Make the unadopted page searchable
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add API
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Fix swagger
Signed-off-by: Andrew Thornton <art27@cantab.net>
* fix swagger
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Handle empty and non-master branched repositories
Signed-off-by: Andrew Thornton <art27@cantab.net>
* placate lint
Signed-off-by: Andrew Thornton <art27@cantab.net>
* remove commented out code
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Add placeholder text for "Add SSH/GPG Key" forms
This commit add placeholder text for both Add SSH key and Add GPG key
forms.
* Localize placeholders
Changes requested by @zeripath
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Update Octicons to v10
Besides a few renames, these icons are no longer present in v10 that we've
used, so had to change:
file-symlink-directory -> file-submodule
internal-repo -> repo
repo-force-push -> repo-push
repo-template-private -> repo-template
Fixes: https://github.com/go-gitea/gitea/issues/11889
Ref: https://github.com/primer/octicons/releases/tag/v10.0.0
* add custom sliders svg for removed octicon-settings
* apply suggestion
* fix triangles and use play on admin dashboard
* add custom mirror svg
* add missing build files
* unify custom svgs
* move to octicon-repo-clone to gitea-mirror
* use octicon-x on conflicts
* tweak timeline icons
* tweak comment buttons
* update settings icon to octicons v1
* switch to octicon-mirror and octicon-tools
* replace two wiki buttons with octicons
* remove whitespace in svg sources
* Fix filepath basename on Windows for SVG bindata (#12241)
* move octicons to devDependencies
* move back to dependencies
* move svgo to devDependencies again
Co-authored-by: Cirno the Strongest <1447794+CirnoT@users.noreply.github.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Previously this used a USB icon which required a separate font file used
nowhere else so replace it with a octicon and fix the background color
on arc-green too.
* Add hide activity option
This closes https://github.com/go-gitea/gitea/issues/7927
* Adjust for linter
* Adjust for linter
* Add tests
* Remove info that admins can view the activity
* Adjust new tests for linter
* Rename v139.go to v140.go
* Rename v140.go to v141.go
* properly indent
* gofmt
Co-authored-by: Jonas Lochmann <git@inkompetenz.org>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
* Remove errant third } from account.tmpl
Fix #11128
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Remove errant third curly bracket from pull.tmpl
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update templates/user/settings/account.tmpl