zeripath [Tue, 16 Nov 2021 18:18:25 +0000 (18:18 +0000)]
Multiple Escaping Improvements (#17551)
There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
This is an extensive PR attempting to fix these issues.
1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future.
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net>
wxiaoguang [Tue, 16 Nov 2021 02:21:13 +0000 (10:21 +0800)]
Fix database deadlock when update issue labels (#17649)
This fix updates issue labels one by one, and won't cause database deadlock.
In future, we can use a batch API to update all changed labels by one request.
Gusted [Mon, 15 Nov 2021 06:02:53 +0000 (06:02 +0000)]
Remove unnecassary calls to `filepath.Join` (#17608)
- Partialy resolvess #17596
- Resolves `badCall` errors from go-critic `badCall: suspicious Join on
1 argument`
- When only 1 argument is passed into `filepath.Join`, it won't do
anything special other than `filepath.Clean(...)` will be applied over
it.
zeripath [Sat, 13 Nov 2021 11:28:50 +0000 (11:28 +0000)]
Correctly handle failed migrations (#17575)
* Correctly handle failed migrations
There is a bug in handling failed migrations whereby the migration task gets decoupled
from the migration repository. This leads to a failure of the task to get deleted with
the repository and also leads to the migration failed page resulting in a ISE.
This PR removes the zeroing out of the task id from the migration but also makes
the migration handler tolerate missing tasks much nicer.
Gusted [Thu, 11 Nov 2021 06:29:30 +0000 (07:29 +0100)]
Refactor commentTags functionality (#17558)
* feat: Allow multiple tags on comments
- Allow for multiples tags(Currently Poster + {Owner, Writer}).
- Utilize the Poster tag within the commentTag function and remove the
checking from templates.
- Use bitwise on CommentTags to enable specific tags.
- Don't show poster tag(view_content.tmpl) on the initial issue comment.
* Change parameters naming
* Change function name
* refactor variable wording
* Merge 'master' branch into 'tags-comments' branch
Gusted [Thu, 11 Nov 2021 05:28:45 +0000 (06:28 +0100)]
Remove `golint` as linter (#17609)
- Partialy resolvess #17596
- In the newer versions of `golangci-lint`, golint is deprecated and
replaced by the `revive` linter. Thus removing the `golint` linter is a
good idea, as we're already using the `revive` linter which covers all
the current `golint` cases.
Kamil Domański [Mon, 8 Nov 2021 22:47:19 +0000 (23:47 +0100)]
Allow U2F 2FA without TOTP (#11573)
This change enables the usage of U2F without being forced to enroll an TOTP authenticator.
The `/user/auth/u2f` has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled.
Gusted [Mon, 8 Nov 2021 15:45:37 +0000 (16:45 +0100)]
Only allow returned deleted branche to be on repo (#17570)
- This will only allow `GetDeletedBranchByID` to return deletedBranch
which are on the repo, and thus don't return a deletedBranch from
another repo.
- This just should prevent possible bugs in the futher when a code is
passing the wrong ID into this function.
zeripath [Wed, 3 Nov 2021 00:33:54 +0000 (00:33 +0000)]
Simplify Gothic to use our session store instead of creating a different store (#17507)
* Simplify Gothic to use our session store instead of creating a different store
We have been using xormstore to provide a separate session store for our OAuth2 logins
however, this relies on using gorilla context and some doubling of our session storing.
We can however, simplify and simply use our own chi-based session store. Thus removing
a cookie and some of the weirdness with missing contexts.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* as per review
Signed-off-by: Andrew Thornton <art27@cantab.net>
* as per review
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Handle MaxTokenLength
Signed-off-by: Andrew Thornton <art27@cantab.net>
* oops
zeripath [Tue, 2 Nov 2021 03:14:24 +0000 (03:14 +0000)]
Make Repo Code Indexer an Unique Queue (#17515)
The functioning of the code indexer queue really only makes sense as an unique queue
and doing this allows use to simplify the indexer data to simply delete the data if
the repo is no longer in the db.
The call to html.EscapeString in routers/web/repo/blame.go:renderBlame is extraneous
as the commit message is now rendered by the template. The template will correctly
escape strings - therefore we are currently double escaping.
zeripath [Fri, 29 Oct 2021 08:23:10 +0000 (09:23 +0100)]
Run Migrate in Install rather than just SyncTables (#17475)
* Run Migrate in Install rather than just SyncTables
The underlying problem in #17328 appears to be that users are re-running the install
page during upgrades. The function that tests and creates the db did not intend for
this and thus instead the migration scripts being run - a simple sync tables occurs.
This then causes a weird partially migrated DB which causes, in this release cycle,
the duplicate column in task table error. It is likely the cause of some weird
partial migration errors in other cycles too.
This PR simply ensures that the migration scripts are also run at this point too.
* BUGFIXES
* Prevent panic in serv.go with Deploy Keys (#17434) (#17435)
* Fix CSV render error (#17406) (#17431)
* Read expected buffer size (#17409) (#17430)
* Ensure that restricted users can access repos for which they are members (#17460) (#17464)
* Make commit-statuses popup show correctly (#17447) (#17466)
* TESTING
* Add integration tests for private.NoServCommand and private.ServCommand (#17456) (#17463)
zeripath [Thu, 28 Oct 2021 02:54:40 +0000 (03:54 +0100)]
Ensure that restricted users can access repos for which they are members (#17460)
There is a small bug in the way that repo access is checked in
repoAssignment: Accessibility is checked by checking if the user has a
marked access to the repository instead of checking if the user has any
team granted access.
This PR changes this permissions check to use HasAccess() which does the
correct test. There is also a fix in the release api ListReleases where
it should return draft releases if the user is a member of a team with
write access to the releases.
David Jimenez [Wed, 27 Oct 2021 04:33:22 +0000 (05:33 +0100)]
Show client-side error if wiki page is empty (#17415)
* fix: show client-side error if wiki page is empty
Implement a JS, client-side validation workaround for a bug in the upstream
editor library SimpleMDE which breaks HTML5 client-side validation when
a wiki page is submitted.
This allows native, client-side errors to appear if
the text editor contents are empty.
See upstream bugfix report: https://github.com/sparksuite/simplemde-markdown-editor/issues/324
Signed-off-by: David Jimenez <dvejmz@sgfault.com> Co-authored-by: Lauris BH <lauris@nix.lv>