authorGiteabot <teabot@gitea.io>2023-06-30 03:53:00 -0400
committerGitHub <noreply@github.com>2023-06-30 07:53:00 +0000
commit24cf06592e258c1de251da29ad04b2c95316a408 (patch)
tree30f2f093d9509dae8a863c671ffc0837d730e200 /modules/setting
parent0b6f7fb60709a499fe4f5d69ff77ed8337e05b8e (diff)
Restrict `[actions].DEFAULT_ACTIONS_URL` to only `github` or `self` (#25581) (#25604)
Backport #25581 by @wolfogre Resolve #24789 ## :warning: BREAKING :warning: Before this, `DEFAULT_ACTIONS_URL` could be set to any custom URLs like `https://gitea.com` or `http://your-git-server,https://gitea.com`, and the default value was `https://gitea.com`. But now, `DEFAULT_ACTIONS_URL` supports only `github`(`https://github.com`) or `self`(the root url of current Gitea instance), and the default value is `github`. If it has been configured with a URL, an error log will be displayed and it will fall back to `github`. Actually, what we really want to do is always make it `https://github.com`, however, this may not be acceptable for some instances of internal use, so there's extra support for `self`, but no more, even `https://gitea.com`. Please note that `uses: https://xxx/yyy/zzz` always works and it does exactly what it is supposed to do. Although it's breaking, I believe it should be backported to `v1.20` due to some security issues. Follow-up on the runner side: - https://gitea.com/gitea/act_runner/pulls/262 - https://gitea.com/gitea/act/pulls/70 Co-authored-by: Jason Song <i@wolfogre.com>
Diffstat (limited to 'modules/setting')
-rw-r--r--modules/setting/actions.go43
-rw-r--r--modules/setting/actions_test.go84
2 files changed, 125 insertions, 2 deletions
diff --git a/modules/setting/actions.go b/modules/setting/actions.go
index 1c8075cd6c..a13330dcd1 100644
--- a/modules/setting/actions.go
+++ b/modules/setting/actions.go
@@ -5,6 +5,9 @@ package setting
import (
"fmt"
+ "strings"
+
+ "code.gitea.io/gitea/modules/log"
)
// Actions settings
@@ -13,13 +16,36 @@ var (
LogStorage *Storage // how the created logs should be stored
ArtifactStorage *Storage // how the created artifacts should be stored
Enabled bool
- DefaultActionsURL string `ini:"DEFAULT_ACTIONS_URL"`
+ DefaultActionsURL defaultActionsURL `ini:"DEFAULT_ACTIONS_URL"`
}{
Enabled: false,
- DefaultActionsURL: "https://gitea.com",
+ DefaultActionsURL: defaultActionsURLGitHub,
}
)
+type defaultActionsURL string
+
+func (url defaultActionsURL) URL() string {
+ switch url {
+ case defaultActionsURLGitHub:
+ return "https://github.com"
+ case defaultActionsURLSelf:
+ return strings.TrimSuffix(AppURL, "/")
+ default:
+ // This should never happen, but just in case, use GitHub as fallback
+ return "https://github.com"
+ }
+}
+
+const (
+ defaultActionsURLGitHub = "github" // https://github.com
+ defaultActionsURLSelf = "self" // the root URL of the self-hosted Gitea instance
+ // DefaultActionsURL only supports GitHub and the self-hosted Gitea.
+ // It's intentionally not supported more, so please be cautious before adding more like "gitea" or "gitlab".
+ // If you get some trouble with `uses: username/action_name@version` in your workflow,
+ // please consider to use `uses: https://the_url_you_want_to_use/username/action_name@version` instead.
+)
+
func loadActionsFrom(rootCfg ConfigProvider) error {
sec := rootCfg.Section("actions")
err := sec.MapTo(&Actions)
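Review bot: The new `defaultActionsURL` type and its `URL()` method have no doc comment, and the explanation of why only two values exist sits after the last constant in the `const` block, where it is easy to miss. Because this value decides which host short-form `uses: username/action_name@version` references resolve against, I would state that on the type itself, e.g. `// defaultActionsURL selects the host for short-form "uses:" references; only "github" and "self" are accepted (validated in loadActionsFrom).` It is also worth a line on `URL()` that the `self` case reads the package-level `AppURL` at call time, so it presumably relies on `AppURL` being loaded before the first call. `loadActionsFrom` begins at the end of this hunk and its body continues outside it.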
@@ -27,6 +53,19 @@ func loadActionsFrom(rootCfg ConfigProvider) error {
return fmt.Errorf("failed to map Actions settings: %v", err)
}
+ if urls := string(Actions.DefaultActionsURL); urls != defaultActionsURLGitHub && urls != defaultActionsURLSelf {
+ url := strings.Split(urls, ",")[0]
+ if strings.HasPrefix(url, "https://") || strings.HasPrefix(url, "http://") {
+ log.Error("[actions] DEFAULT_ACTIONS_URL does not support %q as custom URL any longer, fallback to %q",
+ urls,
+ defaultActionsURLGitHub,
+ )
+ Actions.DefaultActionsURL = defaultActionsURLGitHub
+ } else {
+ return fmt.Errorf("unsupported [actions] DEFAULT_ACTIONS_URL: %q", urls)
+ }
+ }
+
// don't support to read configuration from [actions]
Actions.LogStorage, err = getStorage(rootCfg, "actions_log", "", nil)
if err != nil {
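Review bot: The `http://`/`https://` branch fails open: an instance whose `DEFAULT_ACTIONS_URL` pointed at an internal server still starts, but short-form `uses: username/action_name@version` now resolves against github.com, where the same owner/name may belong to an unrelated party. The only signal is a single `log.Error` line at startup, which is easy to miss after an upgrade. Consider failing closed as the `else` branch already does, e.g. `return fmt.Errorf("[actions] DEFAULT_ACTIONS_URL no longer accepts custom URLs: %q", urls)`, or add a comment explaining why silently switching the source is acceptable. Only the first comma-separated element is inspected, so the outcome for a mixed list depends on element order. The function body starts before this hunk and continues after it.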
diff --git a/modules/setting/actions_test.go b/modules/setting/actions_test.go
index a1cc8fe333..3645a3f5da 100644
--- a/modules/setting/actions_test.go
+++ b/modules/setting/actions_test.go
@@ -8,6 +8,7 @@ import (
"testing"
"github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
)
func Test_getStorageInheritNameSectionTypeForActions(t *testing.T) {
@@ -95,3 +96,86 @@ STORAGE_TYPE = minio
assert.EqualValues(t, "local", Actions.ArtifactStorage.Type)
assert.EqualValues(t, "actions_artifacts", filepath.Base(Actions.ArtifactStorage.Path))
}
+
+func Test_getDefaultActionsURLForActions(t *testing.T) {
+ oldActions := Actions
+ oldAppURL := AppURL
+ defer func() {
+ Actions = oldActions
+ AppURL = oldAppURL
+ }()
+
+ AppURL = "http://test_get_default_actions_url_for_actions:3000/"
+
+ tests := []struct {
+ name string
+ iniStr string
+ wantErr assert.ErrorAssertionFunc
+ wantURL string
+ }{
+ {
+ name: "default",
+ iniStr: `
+[actions]
+`,
+ wantErr: assert.NoError,
+ wantURL: "https://github.com",
+ },
+ {
+ name: "github",
+ iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = github
+`,
+ wantErr: assert.NoError,
+ wantURL: "https://github.com",
+ },
+ {
+ name: "self",
+ iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = self
+`,
+ wantErr: assert.NoError,
+ wantURL: "http://test_get_default_actions_url_for_actions:3000",
+ },
+ {
+ name: "custom url",
+ iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = https://gitea.com
+`,
+ wantErr: assert.NoError,
+ wantURL: "https://github.com",
+ },
+ {
+ name: "custom urls",
+ iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = https://gitea.com,https://github.com
+`,
+ wantErr: assert.NoError,
+ wantURL: "https://github.com",
+ },
+ {
+ name: "invalid",
+ iniStr: `
+[actions]
+DEFAULT_ACTIONS_URL = gitea
+`,
+ wantErr: assert.Error,
+ wantURL: "https://github.com",
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ cfg, err := NewConfigProviderFromData(tt.iniStr)
+ require.NoError(t, err)
+ if !tt.wantErr(t, loadActionsFrom(cfg)) {
+ return
+ }
+ assert.EqualValues(t, tt.wantURL, Actions.DefaultActionsURL.URL())
+ })
+ }
+}
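Review bot: The subtests share the package-level `Actions` and never reset it between cases, so each case starts from whatever the previous one left behind; the `default` case appears to verify the default only because it runs first (assuming `MapTo` leaves a field untouched when the key is absent). Resetting at the top of each `t.Run` body with `Actions = oldActions` would make the cases order-independent. The table also has no `http://` case and no case where the URL is not the first comma-separated element. The `wantURL` on the `invalid` case is never checked because of the early return, so it could be dropped or the fallback asserted explicitly.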