* Enforce Gitea environment for pushes * Update custom/conf/app.ini.sample Co-Authored-By: Antoine GIRARD <sapk@users.noreply.github.com>tags/v1.11.0-rc1
@@ -16,6 +16,7 @@ import ( | |||
"code.gitea.io/gitea/models" | |||
"code.gitea.io/gitea/modules/git" | |||
"code.gitea.io/gitea/modules/private" | |||
"code.gitea.io/gitea/modules/setting" | |||
"github.com/urfave/cli" | |||
) | |||
@@ -55,7 +56,13 @@ var ( | |||
func runHookPreReceive(c *cli.Context) error { | |||
if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | |||
return nil | |||
if setting.OnlyAllowPushIfGiteaEnvironmentSet { | |||
fail(`Rejecting changes as Gitea environment not set. | |||
If you are pushing over SSH you must push with a key managed by | |||
Gitea or set your environment appropriately.`, "") | |||
} else { | |||
return nil | |||
} | |||
} | |||
setup("hooks/pre-receive.log") | |||
@@ -115,7 +122,13 @@ func runHookPreReceive(c *cli.Context) error { | |||
func runHookUpdate(c *cli.Context) error { | |||
if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | |||
return nil | |||
if setting.OnlyAllowPushIfGiteaEnvironmentSet { | |||
fail(`Rejecting changes as Gitea environment not set. | |||
If you are pushing over SSH you must push with a key managed by | |||
Gitea or set your environment appropriately.`, "") | |||
} else { | |||
return nil | |||
} | |||
} | |||
setup("hooks/update.log") | |||
@@ -125,7 +138,13 @@ func runHookUpdate(c *cli.Context) error { | |||
func runHookPostReceive(c *cli.Context) error { | |||
if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { | |||
return nil | |||
if setting.OnlyAllowPushIfGiteaEnvironmentSet { | |||
fail(`Rejecting changes as Gitea environment not set. | |||
If you are pushing over SSH you must push with a key managed by | |||
Gitea or set your environment appropriately.`, "") | |||
} else { | |||
return nil | |||
} | |||
} | |||
setup("hooks/post-receive.log") |
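Review bot: In runHookPreReceive the new guard reads `setting.OnlyAllowPushIfGiteaEnvironmentSet` before `setup("hooks/pre-receive.log")` runs, and runHookUpdate and runHookPostReceive use the same order. The flag is a package-level bool that gets its default of true only when NewContext parses the security section, so if setup is what loads the configuration (not visible in these hunks), the guard sees the zero value false and returns nil, failing open. I would move the `setup(...)` call above the `SSH_ORIGINAL_COMMAND` test in all three functions, or otherwise confirm that settings are loaded first. In runHookPostReceive the refs have already been updated by the time the hook runs, so `Rejecting changes` there can only report, not reject; a comment saying so would help. All three function bodies continue outside the hunks.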
@@ -190,7 +190,7 @@ PROTOCOL = http | |||
DOMAIN = localhost | |||
ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/ | |||
; when STATIC_URL_PREFIX is empty it will follow APP_URL | |||
STATIC_URL_PREFIX = | |||
STATIC_URL_PREFIX = | |||
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket. | |||
HTTP_ADDR = 0.0.0.0 | |||
HTTP_PORT = 3000 | |||
@@ -383,6 +383,8 @@ MIN_PASSWORD_LENGTH = 6 | |||
IMPORT_LOCAL_PATHS = false | |||
; Set to true to prevent all users (including admin) from creating custom git hooks | |||
DISABLE_GIT_HOOKS = false | |||
; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED | |||
ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true | |||
;Comma separated list of character classes required to pass minimum complexity. | |||
;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used. | |||
;Use "off" to disable checking. | |||
@@ -515,9 +517,9 @@ SKIP_TLS_VERIFY = false | |||
; Number of history information in each page | |||
PAGING_NUM = 10 | |||
; Proxy server URL, support http://, https//, socks://, blank will follow environment http_proxy/https_proxy | |||
PROXY_URL = | |||
PROXY_URL = | |||
; Comma separated list of host names requiring proxy. Glob patterns (*) are accepted; use ** to match all hosts. | |||
PROXY_HOSTS = | |||
PROXY_HOSTS = | |||
[mailer] | |||
ENABLED = false |
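Review bot: The comment added above `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET` does not say what an "incomplete environment" is, so an operator cannot tell what the check tests. In the hook changes of this commit the condition is an empty `SSH_ORIGINAL_COMMAND`, and the rejection message itself tells users they may set the environment themselves, which suggests this is a guard against accidental direct pushes rather than an access control. I would extend the comment, for example `; The git hooks reject a push when SSH_ORIGINAL_COMMAND is empty; this catches pushes that bypass Gitea by mistake and is not a permission check.`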
@@ -244,6 +244,7 @@ relation to port exhaustion. | |||
authentication provided email. | |||
- `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom | |||
git hooks. | |||
- `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately. | |||
- `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server. | |||
- `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary. | |||
- `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`) |
@@ -140,18 +140,19 @@ var ( | |||
} | |||
// Security settings | |||
InstallLock bool | |||
SecretKey string | |||
LogInRememberDays int | |||
CookieUserName string | |||
CookieRememberName string | |||
ReverseProxyAuthUser string | |||
ReverseProxyAuthEmail string | |||
MinPasswordLength int | |||
ImportLocalPaths bool | |||
DisableGitHooks bool | |||
PasswordComplexity []string | |||
PasswordHashAlgo string | |||
InstallLock bool | |||
SecretKey string | |||
LogInRememberDays int | |||
CookieUserName string | |||
CookieRememberName string | |||
ReverseProxyAuthUser string | |||
ReverseProxyAuthEmail string | |||
MinPasswordLength int | |||
ImportLocalPaths bool | |||
DisableGitHooks bool | |||
OnlyAllowPushIfGiteaEnvironmentSet bool | |||
PasswordComplexity []string | |||
PasswordHashAlgo string | |||
// UI settings | |||
UI = struct { | |||
@@ -778,6 +779,7 @@ func NewContext() { | |||
MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6) | |||
ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false) | |||
DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) | |||
OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true) | |||
PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2") | |||
CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true) | |||