Commit message  Author  Age  Files  Lines
* Fix paths after update of checkout action  Florian Zschocke  2022-11-01  1  -10/+4
| The Github 'checkout' action was updated from v1 to v3. But the behaviour changed between the two which broke this workflow. The old action would clone other repositories not into the workspace but parallel to the workspace. The new version does every clone/checkout relative to the workspace. That means that where previously the gitblit-docker repository would be cloned in parallel to the workspace which is gitblit/gitblit, it is now cloned into the gitblit/gitblit directory path. So remove all the references to `../gitblit-docker`. The files are in the current directory now.
* Merge pull request #1435 from flaix/fix-authority-np  Florian Zschocke  2022-11-01  2  -2/+7
|\ Fix crash in Gitblit Authority for deleted users
| * authority: Fix null pointer crash for deleted users  Florian Zschocke  2022-11-01  2  -2/+7
|/ When a user had a certificate, i.e. an entry in the Gitblit Authority database, but the user was deleted from the Gitblit database, then the Authority application crashes upon loading. This patch prevents the crash. The deleted user is no longer shown in the Authority. But the database entry still is kept. This should be improved to show deleted users and give the possibility to delete them from the Authority's database. This fixes #1359
* Merge pull request #1434 from flaix/update-guice  Florian Zschocke  2022-10-31  4  -15/+99
|\ Update Guice version to 5.1.0
| * deps: Update Guice version to 5.1.0  Florian Zschocke  2022-10-31  4  -15/+99
|/ Update Guice to 5.1.0. This version is compatible with Java 17. The gitblit patch of the servlet extension was ported to Guice 5.1.0, too. The update of Guice requires an update of the Guava version, too. Thus Guava is updated to 27.0.1-jar.
* Merge pull request #1433 from flaix/np-fix  Florian Zschocke  2022-10-31  1  -0/+3
|\ Fix null pointer exception in FileSettings
| * fix: Fix null pointer exception in FileSettings  Florian Zschocke  2022-10-31  1  -0/+3
|/ Fix a null pointer access in the `toString` method for a freshly created `FileSettings`.
* Merge pull request #1430 from flaix/update-actions  Florian Zschocke  2022-10-28  2  -16/+19
|\ Update workflows due to deprecations in actions
| * ci: Replace set-output command with echo to GITHUB_OUTPUT  Florian Zschocke  2022-10-27  1  -2/+2
| | The `set-output` command was deprecated. The new way to set an output parameter for a step is to echo to the file stored in `$GITHUB_OUTPUT`
| * ci: Update action versions in nightly build workflow  Florian Zschocke  2022-10-27  1  -10/+11
| | Versions are updated for various actions that have a new version which uses NodeJS 16. One action has no updated version available yet: `e1himself/goss-installation-action` But an issue exists mentioning that it needs an update.
| * ci: Update action versions in push build workflow  Florian Zschocke  2022-10-27  1  -4/+6
|/ The workflow runs started issuing warnings because NodeJS 12 was deprecated. Actions need to get updated to newer versions that use NodeJS 16. This commit updates the `actions/checkout` and the `actions/setup-java` actions to the latest version in the workflow that builds on every push. The new setup-java action requires the distribution to be specified, since multiple JDK distributions are supported now. We chose Eclipse's Temurin here which is the successor to AdoptOpenJDK, which we use for development.
* ci: Build pull requests, too  Florian Zschocke  2022-10-27  1  -1/+5
| Build pull requests, just like we build on every push.
* Merge pull request #1429 from flaix/ssh-host-algs  Florian Zschocke  2022-10-25  7  -84/+333
|\ Add new SSH host key types
| * Skip SSH host key files that do not exist  Florian Zschocke  2022-10-25  1  -0/+6
| | Since we now do not generate a DSA host key file anymore, but keep it in the list of potential keys so that existing keys still work, it can happen that the files for DSA (and Ed25519) are getting loaded but they do not exist. This results in an error in the log. So instead check if the file exists and only try to load files that exist. This prevents from errors (which are none) being spammed in the log.
| * Add SSH host keys with ECDSA and Ed25519  Florian Zschocke  2022-10-25  3  -14/+249
| | Create new host keys, one with ECDSA and one with Ed25519 algorithms. For the Ed25519 currently the EdDSA library from i2p is used. This requires some quirks, compared to a modern BouncyCastle. But the SSHD library used cannot use BouncyCastle yet for Ed25519. No DSA key is generated anymore, but we still support existing ones.
| * format: Cleanup formatting and whitespaces  Florian Zschocke  2022-10-25  1  -23/+41
| |
| * Update BouncyCastle to version 1.69  Florian Zschocke  2022-10-25  6  -53/+43
|/ The version 1.69 is chosen instead of 1.70, because the moxie build would not download the jars, trying to download `...1.7.jar` instead. Three class deprecations are fixed. `PEMWriter` and `X509Extension` are replaced with their drop-in replacements `JcaPEMWriter` and `Extension`. The `PasswordFinder` deprecation note says that "it is no longer used". It also was never used in Gitblit's code, so it is removed from the key pair provider class.
* Merge pull request #1428 from urkle/fix-pt  Florian Zschocke  2022-10-22  1  -7/+7
|\ Correct is/is not usage in pt.py to not be used with the value is a literal
| * Correct is/is not usage in pt.py to not be used with the value is a literal  Edward Rudd  2022-10-10  1  -7/+7
| | - new python 3 versions warn/errors about this usage
* | Merge pull request #1427 from flaix/ssh-upate  Florian Zschocke  2022-10-16  9  -28/+53
|\ \ | |/ |/| Update SSHD to version 1.7.0 and add support for EdDSA user keys
| * Update dependency MINA SSHD to version 1.7.0  Florian Zschocke  2022-10-09  5  -9/+12
| |
| * upgrade to sshd 1.6.0, add eddsa dependency, upgrade jgit to 4.1.2  ricardop  2022-10-08  8  -26/+48
|/ (cherry picked from commit d8fbdda2ab3fa48e92bdf37399d4b75c48409c5c@rpardini:master) # Conflicts: # .classpath # build.moxie # src/test/java/com/gitblit/tests/SshUnitTest.java
* Merge branch 'oddeirik-disable-client-certs' into master  Florian Zschocke  2022-08-14  3  -7/+51
|\
| * Use existing setting but with new values  Florian Zschocke  2022-08-14  3  -11/+43
| | Instead of adding another setting and having to explain how the new one and the existing `requireClientCertificates` setting are interdependent, let's use the existing setting and add new values. It is changed from a boolean to a string, with the values `required`, `optional` and `disabled`. To keep backward compatibility with the old values, the `true` value is mapped to `required` and the `false` value is mapped to `optional`.
| * Merge branch 'disable-client-certs' of github.com:oddeirik/gitblit into oddeirik-disable-client-certs  Florian Zschocke  2022-08-14  2  -3/+15
|/|
| * Add setting to explicitly enable or disable optional client certificates.  Odd Eirik Nes  2016-10-17  2  -3/+15
| |
* | Merge branch 'felazuris-fixpermdisplay' into master  Florian Zschocke  2022-08-07  2  -4/+59
|\ \ This pulls in the rebased branch from PR #1100.
| * | Rewrite fix without the additional List  Florian Zschocke  2022-08-07  1  -17/+10
| | | This also removes the additional Set. What changes is that the order of the repositories is kept, but the resulting list will have user and team permissions intertwined.
| * | Add init test for getting repository permissions  Florian Zschocke  2022-08-07  1  -0/+49
| | |
| * | fix user effective permission display if users is in multiple groups with different permissions  kaspars.kurms  2022-08-07  1  -0/+13
|/ /
* | Merge branch 'QuentinC-fix-tab-escape' into master  Florian Zschocke  2022-08-02  2  -4/+40
|\ \ The contribution branch was rebased to current master. This should close #1065 as merged.
| * | Add more tests for tab expansion  Florian Zschocke  2022-08-02  1  -3/+21
| | | These show more clearly what the code is supposed to do.
| * | Fix: if statement without curly braces  Quentin  2022-08-02  1  -1/+2
| | |
| * | Tab to space conversion testing  Quentin  2022-08-02  1  -3/+13
| | |
| * | Changed tab to space conversion  Quentin  2022-08-02  1  -1/+8
|/ / Tabs are not always 4 spaces large. It completes the line to the 4th character.
* | Create SECURITY.md  Florian Zschocke  2022-06-20  1  -0/+12
| | This closes #1418
* | doc: Merge release 1.9.3 info into releases.moxie  Florian Zschocke  2022-04-09  1  -4/+43
| |
* | ci: Add debug logging to nightly build  Florian Zschocke  2022-04-09  1  -1/+3
| | For some reason the secret gate doesn't work and the main Gitblit repo also attempts to deploy the nightly to Docker which must fail.
* | pages: Fix link for GitExtension, which moved to Github  Florian Zschocke  2022-04-09  13  -13/+13
| |
* | doc: Fix download link for fedclient ad api tar  Florian Zschocke  2022-04-09  2  -2/+2
| | It was still pointing to Google Code. This closes #1408
* | doc: Fix links for dependencies that moved from Google Code  Florian Zschocke  2022-04-09  2  -6/+6
| |
* | Merge branch '1410-vulnerability-userdb' into master  Florian Zschocke  2022-03-14  3  -6/+382
|\ \ Merge fix branch from 1.9 maintenance line into master branch.
| * | fix: Fix StoredUserConfig not escaping control characters  Florian Zschocke  2022-03-13  2  -3/+191
| | | The `StoredUserConfig` only escaped the escape character, i.e. backslash. But it does not escape control characters like tab or newline. This introduces a vulnerability where an attacker can create new entries in their user account and create new accounts. In addition, other characters are also not properly handled. Field values with a comment character need to be quoted. This only happens for the `#` character and only when the value starts with it. Also the quote is not escaped in values. This change completely rewrites the `escape` method of `StoredUserConfig`. It takes care of properly escaping characters that need escaping for the git configuration file format. This fixes #1410
| * | fix: Fix StoredUserConfig handling null subsections  Florian Zschocke  2022-03-13  2  -2/+65
| | | The `StoredUserConfig` did not handle sections without a subsection. When the subsection did not exist, i.e. was `null`, then the subsection name would be set to the string "null". This is not how the config file format works. It should create a `[SECTIONNAME]` entry instead. This fix handles a `null` subsection correctly, by handling it as a section without a subsection.
| * | test: Add exploit test for config user service  Florian Zschocke  2022-03-12  1  -1/+126
| | | Add unit tests for exploiting the email address or display name in the config user service by using newlines in the values.
| * | Reset build identifiers for next point release cycle  Florian Zschocke  2022-03-12  2  -2/+20
| | |
* | | ide: Adjust IDE project files to javax.mail 1.5.6  Florian Zschocke  2022-02-06  3  -6/+20
| | |
* | | Update javax.mail to 1.5.6  paladox  2022-02-06  1  -1/+1
| | |
* | | Merge branch 'pr-1219' into master  Florian Zschocke  2022-02-06  6  -31/+36
|\ \ \ This merges rebased and enhanced pull request #1219
| * | | ci: Remove Java 7 build  Florian Zschocke  2022-02-06  2  -22/+24
| | | |