Merge branch 'master' of https://github.com/go-gitea/gitea into maste…

…r-fix
go-gitea · Aug 28, 2020 · 8688513 · 8688513
2 parents 0627cab + d5b6931
commit 8688513
Show file tree

Hide file tree

Showing 207 changed files with 10,005 additions and 7,071 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -13,13 +13,13 @@ workspace:
 steps:
   - name: deps-frontend
     pull: always
-    image: node:12
+    image: node:14
     commands:
       - make node_modules
 
   - name: lint-frontend
     pull: always
-    image: node:12
+    image: node:14
     commands:
       - make lint-frontend
     depends_on: [deps-frontend]
@@ -36,7 +36,7 @@ steps:
 
   - name: checks-frontend
     pull: always
-    image: node:12
+    image: node:14
     commands:
       - make checks-frontend
     depends_on: [deps-frontend]
@@ -50,7 +50,7 @@ steps:
 
   - name: build-frontend
     pull: always
-    image: node:10 # this step is kept at the lowest version of node that we support
+    image: node:14
     commands:
       - make frontend
     depends_on: [lint-frontend]
@@ -447,23 +447,13 @@ steps:
     commands:
       - git fetch --tags --force
 
-  - name: static-windows
-    pull: always
-    image: techknowlogick/xgo:go-1.14.x
-    commands:
-      - apt update && apt -y install curl
-      - curl -sL https://deb.nodesource.com/setup_12.x | bash - && apt -y install nodejs
-      - export PATH=$PATH:$GOPATH/bin
-      - make frontend generate release-windows
-    environment:
-      GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
-      TAGS: bindata sqlite sqlite_unlock_notify
-
   - name: static
     pull: always
     image: techknowlogick/xgo:go-1.15.x
     commands:
-      - make release-linux release-darwin release-copy release-compress release-sources release-docs release-check
+      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt -y install nodejs
+      - export PATH=$PATH:$GOPATH/bin
+      - make release
     environment:
       GOPROXY: https://goproxy.cn # proxy.golang.org is blocked in China, this proxy is not
       TAGS: bindata sqlite sqlite_unlock_notify
@@ -558,8 +548,7 @@ steps:
     pull: always
     image: techknowlogick/xgo:go-1.15.x
     commands:
-      - apt update && apt -y install curl
-      - curl -sL https://deb.nodesource.com/setup_12.x | bash - && apt -y install nodejs
+      - curl -sL https://deb.nodesource.com/setup_14.x | bash - && apt -y install nodejs
       - export PATH=$PATH:$GOPATH/bin
       - make release
     environment:

diff --git a/.editorconfig b/.editorconfig
@@ -1,28 +1,22 @@
 root = true
 
 [*]
+indent_style = space
+indent_size = 2
+tab_width = 2
+end_of_line = lf
 charset = utf-8
-insert_final_newline = true
 trim_trailing_whitespace = true
-end_of_line = lf
-
-[*.md]
-trim_trailing_whitespace = false
+insert_final_newline = true
 
 [*.{go,tmpl,html}]
 indent_style = tab
-indent_size = 4
-
-[*.{less,css}]
-indent_style = space
-indent_size = 4
-
-[*.{js,json,yml}]
-indent_style = space
-indent_size = 2
 
 [Makefile]
 indent_style = tab
 
 [*.svg]
 insert_final_newline = false
+
+[*.md]
+trim_trailing_whitespace = false
diff --git a/.stylelintrc b/.stylelintrc
@@ -6,7 +6,7 @@ rules:
   color-hex-length: null
   comment-empty-line-before: null
   declaration-empty-line-before: null
-  indentation: 4
+  indentation: 2
   no-descending-specificity: null
   number-leading-zero: never
   rule-empty-line-before: null

diff --git a/Makefile b/Makefile
@@ -42,8 +42,10 @@ ifeq ($(HAS_GO), GO)
 endif
 
 ifeq ($(OS), Windows_NT)
+	GOFLAGS := -v -buildmode=exe
 	EXECUTABLE ?= gitea.exe
 else
+	GOFLAGS := -v
 	EXECUTABLE ?= gitea
 endif
 
@@ -55,7 +57,6 @@ endif
 
 GOFMT ?= gofmt -s
 
-GOFLAGS := -v
 EXTRA_GOFLAGS ?=
 
 MAKE_VERSION := $(shell $(MAKE) -v | head -n 1)
@@ -556,7 +557,7 @@ release-windows: | $(DIST_DIRS)
 		GO111MODULE=off $(GO) get -u src.techknowlogick.com/xgo; \
 	fi
 	@echo "Warning: windows version is built using golang 1.14"
-	CGO_CFLAGS="$(CGO_CFLAGS)" GO111MODULE=off xgo -go go-1.14.x -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
+	CGO_CFLAGS="$(CGO_CFLAGS)" GO111MODULE=off xgo -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
 ifeq ($(CI),drone)
 	cp /build/* $(DIST)/binaries
 endif
@@ -680,7 +681,7 @@ pr\#%: clean-all
 golangci-lint:
 	@hash golangci-lint > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		export BINARY="golangci-lint"; \
-		curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.24.0; \
+		curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(GOPATH)/bin v1.30.0; \
 	fi
 	golangci-lint run --timeout 5m
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,10 @@
+# Reporting security issues
+
+The Gitea maintainers take security seriously.  
+If you discover a security issue, please bring it to their attention right away!
+
+### Reporting a Vulnerability
+
+Please **DO NOT** file a public issue, instead send your report privately to `security@gitea.io`.
+
+Security reports are greatly appreciated and we will publicly thank you for it, although we keep your name confidential if you request it.
diff --git a/cmd/doctor.go b/cmd/doctor.go
@@ -127,6 +127,12 @@ var checklist = []check{
 		isDefault: false,
 		f:         runDoctorUserStarNum,
 	},
+	{
+		title:     "Enable push options",
+		name:      "enable-push-options",
+		isDefault: false,
+		f:         runDoctorEnablePushOptions,
+	},
 	// more checks please append here
 }
 
@@ -605,3 +611,28 @@ func runDoctorCheckDBConsistency(ctx *cli.Context) ([]string, error) {
 
 	return results, nil
 }
+
+func runDoctorEnablePushOptions(ctx *cli.Context) ([]string, error) {
+	numRepos := 0
+	_, err := iterateRepositories(func(repo *models.Repository) ([]string, error) {
+		numRepos++
+		r, err := git.OpenRepository(repo.RepoPath())
+		if err != nil {
+			return nil, err
+		}
+		defer r.Close()
+
+		if ctx.Bool("fix") {
+			_, err := git.NewCommand("config", "receive.advertisePushOptions", "true").RunInDir(r.Path)
+			return nil, err
+		}
+
+		return nil, nil
+	})
+
+	var prefix string
+	if !ctx.Bool("fix") {
+		prefix = "DRY RUN: "
+	}
+	return []string{fmt.Sprintf("%sEnabled push options for %d repositories.", prefix, numRepos)}, err
+}
diff --git a/cmd/hook.go b/cmd/hook.go
@@ -178,6 +178,7 @@ Gitea or set your environment appropriately.`, "")
 		GitAlternativeObjectDirectories: os.Getenv(private.GitAlternativeObjectDirectories),
 		GitObjectDirectory:              os.Getenv(private.GitObjectDirectory),
 		GitQuarantinePath:               os.Getenv(private.GitQuarantinePath),
+		GitPushOptions:                  pushOptions(),
 		ProtectedBranchID:               prID,
 		IsDeployKey:                     isDeployKey,
 	}
@@ -326,6 +327,7 @@ Gitea or set your environment appropriately.`, "")
 		GitAlternativeObjectDirectories: os.Getenv(private.GitAlternativeObjectDirectories),
 		GitObjectDirectory:              os.Getenv(private.GitObjectDirectory),
 		GitQuarantinePath:               os.Getenv(private.GitQuarantinePath),
+		GitPushOptions:                  pushOptions(),
 	}
 	oldCommitIDs := make([]string, hookBatchSize)
 	newCommitIDs := make([]string, hookBatchSize)
@@ -438,3 +440,17 @@ func hookPrintResults(results []private.HookPostReceiveBranchResult) {
 		os.Stderr.Sync()
 	}
 }
+
+func pushOptions() map[string]string {
+	opts := make(map[string]string)
+	if pushCount, err := strconv.Atoi(os.Getenv(private.GitPushOptionCount)); err == nil {
+		for idx := 0; idx < pushCount; idx++ {
+			opt := os.Getenv(fmt.Sprintf("GIT_PUSH_OPTION_%d", idx))
+			kv := strings.SplitN(opt, "=", 2)
+			if len(kv) == 2 {
+				opts[kv[0]] = kv[1]
+			}
+		}
+	}
+	return opts
+}
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
@@ -497,9 +497,9 @@ DISABLE_GIT_HOOKS = false
 ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
 ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;Comma separated list of character classes required to pass minimum complexity.
-;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used.
-;Use "off" to disable checking.
-PASSWORD_COMPLEXITY = lower,upper,digit,spec
+;If left empty or no valid values are specified, the default is off (no checking)
+;Classes include "lower,upper,digit,spec"
+PASSWORD_COMPLEXITY = off
 ; Password Hash algorithm, either "pbkdf2", "argon2", "scrypt" or "bcrypt"
 PASSWORD_HASH_ALGO = pbkdf2
 ; Set false to allow JavaScript to read CSRF cookie
@@ -971,8 +971,8 @@ ACCESS_TOKEN_EXPIRATION_TIME=3600
 REFRESH_TOKEN_EXPIRATION_TIME=730
 ; Check if refresh token got already used
 INVALIDATE_REFRESH_TOKENS=false
-; OAuth2 authentication secret for access and refresh tokens, change this to a unique string.
-JWT_SECRET=Bk0yK7Y9g_p56v86KaHqjSbxvNvu3SbKoOdOt2ZcXvU
+; OAuth2 authentication secret for access and refresh tokens, change this yourself to a unique string. CLI generate option is helpful in this case. https://docs.gitea.io/en-us/command-line/#generate
+JWT_SECRET=
 ; Maximum length of oauth2 token/cookie stored on server
 MAX_TOKEN_LENGTH=32767
 
@@ -985,7 +985,7 @@ NAMES = English,简体中文,繁體中文（香港）,繁體中文（台灣）,D
 ; Two Factor authentication with security keys
 ; https://developers.yubico.com/U2F/App_ID.html
 ;APP_ID = http://localhost:3000/
-; Comma seperated list of trusted facets
+; Comma separated list of trusted facets
 ;TRUSTED_FACETS = http://localhost:3000/
 
 ; Extension mapping to highlight class

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -323,7 +323,7 @@ set name for unique queues. Individual queues will default to
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
 - `PASSWORD_HASH_ALGO`: **pbkdf2**: The hash algorithm to use \[pbkdf2, argon2, scrypt, bcrypt\].
 - `CSRF_COOKIE_HTTP_ONLY`: **true**: Set false to allow JavaScript to read CSRF cookie.
-- `PASSWORD_COMPLEXITY`: **lower,upper,digit,spec**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, the default values will be used. Possible values are: 
+- `PASSWORD_COMPLEXITY`: **off**: Comma separated list of character classes required to pass minimum complexity. If left empty or no valid values are specified, checking is disabled (off):
     - lower - use one or more lower latin characters
     - upper - use one or more upper latin characters
     - digit - use one or more digits

diff --git a/docs/content/doc/usage/push-options.en-us.md b/docs/content/doc/usage/push-options.en-us.md
@@ -0,0 +1,31 @@
+---
+date: "2020-07-06T16:00:00+02:00"
+title: "Usage: Push Options"
+slug: "push-options"
+weight: 15
+toc: true
+draft: false
+menu:
+  sidebar:
+    parent: "usage"
+    name: "Push Options"
+    weight: 15
+    identifier: "push-options"
+---
+
+# Push Options
+
+In Gitea `1.13`, support for some [push options](https://git-scm.com/docs/git-push#Documentation/git-push.txt--oltoptiongt)
+were added.
+
+
+## Supported Options
+
+- `repo.private` (true|false) - Change the repository's visibility.  
+This is particularly useful when combined with push-to-create.
+- `repo.template` (true|false) - Change whether the repository is a template.
+
+Example of changing a repository's visibility to public:  
+```shell
+git push -o repo.private=false -u origin master
+```
diff --git a/go.mod b/go.mod
@@ -11,10 +11,10 @@ require (
 	gitea.com/macaron/captcha v0.0.0-20190822015246-daa973478bae
 	gitea.com/macaron/cors v0.0.0-20190826180238-95aec09ea8b4
 	gitea.com/macaron/csrf v0.0.0-20190822024205-3dc5a4474439
-	gitea.com/macaron/gzip v0.0.0-20191118041502-506895b47aae
+	gitea.com/macaron/gzip v0.0.0-20200827120000-efa5e8477cf5
 	gitea.com/macaron/i18n v0.0.0-20190822004228-474e714e2223
 	gitea.com/macaron/inject v0.0.0-20190805023432-d4c86e31027a
-	gitea.com/macaron/macaron v1.4.0
+	gitea.com/macaron/macaron v1.5.0
 	gitea.com/macaron/session v0.0.0-20191207215012-613cebf0674d
 	gitea.com/macaron/toolbox v0.0.0-20190822013122-05ff0fc766b7
 	github.com/BurntSushi/toml v0.3.1
@@ -61,7 +61,7 @@ require (
 	github.com/jmhodges/levigo v1.0.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20170619183022-cd60e84ee657
 	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
-	github.com/klauspost/compress v1.10.2
+	github.com/klauspost/compress v1.10.11
 	github.com/lafriks/xormstore v1.3.2
 	github.com/lib/pq v1.7.0
 	github.com/lunny/dingtalk_webhook v0.0.0-20171025031554-e3534c89ef96
@@ -104,7 +104,7 @@ require (
 	github.com/yuin/goldmark v1.2.1
 	github.com/yuin/goldmark-highlighting v0.0.0-20200307114337-60d527fdb691
 	github.com/yuin/goldmark-meta v0.0.0-20191126180153-f0638e958b60
-	golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de
+	golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a
 	golang.org/x/net v0.0.0-20200707034311-ab3426394381
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
 	golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae
@@ -115,7 +115,7 @@ require (
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20150924051756-4e86f4367175 // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
-	gopkg.in/ini.v1 v1.57.0
+	gopkg.in/ini.v1 v1.60.2
 	gopkg.in/ldap.v3 v3.0.2
 	gopkg.in/yaml.v2 v2.3.0
 	mvdan.cc/xurls/v2 v2.1.0