From 8575050ebab2e038882f7adce786502ff9ea3495 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Fri, 24 Jun 2022 17:40:01 +0800 Subject: [PATCH 1/4] Update security information to add a public gpg key to make sending encrypted message possible (#20117)
--- SECURITY.md | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-)
diff --git a/SECURITY.md b/SECURITY.md
index 9846a94f7e835..7b43b32de5e3d 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -3,8 +3,76 @@
 The Gitea maintainers take security seriously. If you discover a security issue, please bring it to their attention right away!
-### Reporting a Vulnerability
+## Reporting a Vulnerability
 Please **DO NOT** file a public issue, instead send your report privately to `security@gitea.io`.
+## Protecting Security Information
+
+Due to the sensitive nature of security information, you can use below GPG public key encrypt your mail body.
+
+The PGP key is valid until June 24, 2024.
+Key ID: 6FCD2D5B
+Key Type: RSA
+Expires: 6/24/2024
+Key Size: 4096/4096
+Fingerprint: 3DE0 3D1E 144A 7F06 9359 99DC AAFD 2381 6FCD 2D5B
+UserID: Gitea Security
+
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGK1Z/4BEADFMqXA9DeeChmSxUjF0Be5sq99ZUhgrZjcN/wOzz0wuCJZC0l8
+4uC+d6mfv7JpJYlzYzOK97/x5UguKHkYNZ6mm1G9KHaXmoIBDLKDzfPdJopVNv2r
+OajijaE0uMCnMjadlg5pbhMLRQG8a9J32yyaz7ZEAw72Ab31fvvcA53NkuqO4j2w
+k7dtFQzhbNOYV0VffQT90WDZdalYHB1JHyEQ+70U9OjVD5ggNYSzX98Eu3Hjn7V7
+kqFrcAxr5TE1elf0IXJcuBJtFzQSTUGlQldKOHtGTGgGjj9r/FFAE5ioBgVD05bV
+rEEgIMM/GqYaG/nbNpWE6P3mEc2Mnn3pZaRJL0LuF26TLjnqEcMMDp5iIhLdFzXR
+3tMdtKgQFu+Mtzs3ipwWARYgHyU09RJsI2HeBx7RmZO/Xqrec763Z7zdJ7SpCn0Z
+q+pHZl24JYR0Kf3T/ZiOC0cGd2QJqpJtg5J6S/OqfX9NH6MsCczO8pUC1N/aHH2X
+CTme2nF56izORqDWKoiICteL3GpYsCV9nyCidcCmoQsS+DKvE86YhIhVIVWGRY2F
+lzpAjnN9/KLtQroutrm+Ft0mdjDiJUeFVl1cOHDhoyfCsQh62HumoyZoZvqzQd6e
+AbN11nq6aViMe2Q3je1AbiBnRnQSHxt1Tc8X4IshO3MQK1Sk7oPI6LA5oQARAQAB
+tCJHaXRlYSBTZWN1cml0eSA8c2VjdXJpdHlAZ2l0ZWEuaW8+iQJXBBMBCABBFiEE
+PeA9HhRKfwaTWZncqv0jgW/NLVsFAmK1Z/4CGwMFCQPCZwAFCwkIBwICIgIGFQoJ
+CAsCBBYCAwECHgcCF4AACgkQqv0jgW/NLVvnyxAAhxyNnWzw/rQO2qhzqicmZM94
+njSbOg+U2qMBvCdaqCQQeC+uaMmMzkDPanUUmLcyCkWqfCjPNjeSXAkE9npepVJI
+4HtmgxZQ94OU/h3CLbft+9GVRzUkVI29TSYGdvNtV2/BkNGoFFnKWQr119um0o6A
+bgha2Uy5uY8o3ZIoiKkiHRaEoWIjjeBxJxYAojsZY4YElUmsQ3ik2joG6rhFesTa
+ofVt/bL8G2xzpOG26WGIxBbqf2qjV6OtZ0hu/vtTPHeIWMLq0Mz0V3PEDQWfkGPE
+i2RYxxYDs2xzJhSQWqTNVLSq0m5xTJnbHhQPfdCX4C2jvFKgLdfmytQq49S7jiJb
+Z03HVOZ/PsyBlQfH9xJi06R5yQCMEA8h8Z5r3/NXW09kQ6OFRe6xshoTcxZGRPTo
+srhwr3uPbmCRh+YEl7qBLU6+BC5k8IRTZXqhrj/aPJu3MxgbgwV8u3vLoFSXM2lb
+a61FgeCQ0O7lkgVswwF0RppCaH9Ul3ZDapet/vCRg4NVwm9zOI/8q/Vj0FKA1GDR
+JhRu8+Ce8zlFL65D34t+PprAzSeTlbv9um3x/ZIjCco7EEKSBylt+AZj/VyA6+e5
+kjOQwRRc6dFJWBcorsSI2dG+H+QMF7ZabzmeCcz1v9HjLOPzYHoZAHhCmSppWTvX
+AJy6+lhfW2OUTqQeYSi5Ag0EYrVn/gEQALrFLQjCR3GjuHSindz0rd3Fnx/t7Sen
+T+p07yCSSoSlmnJHCQmwh4vfg1blyz0zZ4vkIhtpHsEgc+ZAG+WQXSsJ2iRz+eSN
+GwoOQl4XC3n+QWkc1ws+btr48+6UqXIQU+F8TPQyx/PIgi2nZXJB7f5+mjCqsk46
+XvH4nTr4kJjuqMSR/++wvre2qNQRa/q/dTsK0OaN/mJsdX6Oi+aGNaQJUhIG7F+E
+ZDMkn/O6xnwWNzy/+bpg43qH/Gk0eakOmz5NmQLRkV58SZLiJvuCUtkttf6CyhnX
+03OcWaajv5W8qA39dBYQgDrrPbBWUnwfO3yMveqhwV4JjDoe8sPAyn1NwzakNYqP
+RzsWyLrLS7R7J9s3FkZXhQw/QQcsaSMcGNQO047dm1P83N8JY5aEpiRo9zSWjoiw
+qoExANj5lUTZPe8M50lI182FrcjAN7dClO3QI6pg7wy0erMxfFly3j8UQ91ysS9T
+s+GsP9I3cmWWQcKYxWHtE8xTXnNCVPFZQj2nwhJzae8ypfOtulBRA3dUKWGKuDH/
+axFENhUsT397aOU3qkP/od4a64JyNIEo4CTTSPVeWd7njsGqli2U3A4xL2CcyYvt
+D/MWcMBGEoLSNTswwKdom4FaJpn5KThnK/T0bQcmJblJhoCtppXisbexZnCpuS0x
+Zdlm2T14KJ3LABEBAAGJAjwEGAEIACYWIQQ94D0eFEp/BpNZmdyq/SOBb80tWwUC
+YrVn/gIbDAUJA8JnAAAKCRCq/SOBb80tWyTBD/9AGpW6QoDF7zYjHAozH9S5RGCA
+Y7E82dG/0xmFUwPprAG0BKmmgU6TiipyVGmKIXGYYYU92pMnbvXkYQMoa+WJNncN
+D3fY52UeXeffTf4cFpStlzi9xgYtOLhFamzYu/4xhkjOX+xhOSXscCiFRyT8cF3B
+O6c5BHU+Zj0/rGPgOyPUbx7l7B9MubB/41nNX35k08e+8T3wtWDb4XF+15HnRfva
+6fblO8wgU25Orv2Rm1jnKGa9DxJ8nE40IMrqDapENtDuL+zKJsvR0+ptWvEyL56U
+GtJJG5un6mXiLKuRQT0DEv4MdZRHDgDstDnqcbEiazVEbUuvhZZob6lRY2A19m1+
+7zfnDxkhqCA1RCnv4fdvcPdCMMFHwLpdhjgW0aI/uwgwrvsEz5+JRlnLvdQHlPAg
+q7l2fGcBSpz9U0ayyfRPjPntsNCtZl1UDxGLeciPkZhyG84zEWQbk/j52ZpRN+Ik
+ALpRLa8RBFmFSmXDUmwQrmm1EmARyQXwweKU31hf8ZGbCp2lPuRYm1LuGiirXSVP
+GysjRAJgW+VRpBKOzFQoUAUbReVWSaCwT8s17THzf71DdDb6CTj31jMLLYWwBpA/
+i73DgobDZMIGEZZC1EKqza8eh11xfyHFzGec03tbh+lIen+5IiRtWiEWkDS9ll0G
+zgS/ZdziCvdAutqnGA==
+=gZWO
+-----END PGP PUBLIC KEY BLOCK-----
+
+```
+
 Security reports are greatly appreciated and we will publicly thank you for
it, although we keep your name confidential if you request it.
From afea63f4e5a4b7e3da03a7d5fc6590569976e7d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Robert=20L=C3=BCtzner?= Date: Fri, 24 Jun 2022 10:11:13 +0000 Subject: [PATCH 2/4] Replace pubkey with privkey in keys_ssh.tmpl (#20112) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If a user wants to verify an SSH public key from their account they have to sign the randomly generated token with their private key. Prior to this change the example command prompted to sign the token with their public key instead. Signed-off-by: Robert Lützner
--- templates/user/settings/keys_ssh.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/user/settings/keys_ssh.tmpl b/templates/user/settings/keys_ssh.tmpl
index 699905ebe2b2f..ba62ac3cf4f45 100644
--- a/templates/user/settings/keys_ssh.tmpl
+++ b/templates/user/settings/keys_ssh.tmpl
@@ -75,7 +75,7 @@

{{$.i18n.Tr "settings.ssh_token_help"}}

-

{{printf "echo -n '%s' | ssh-keygen -Y sign -n gitea -f /path_to_your_pubkey" $.TokenToSign}}

+

{{printf "echo -n '%s' | ssh-keygen -Y sign -n gitea -f /path_to_your_privkey" $.TokenToSign}}
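Review bot: The i18n help text rendered just above this command (`settings.ssh_token_help`, on the context line of this hunk) is not touched by the patch and may still tell the user to sign with the public key; if it does, the locale string should be corrected in the same change, since `ssh-keygen -Y sign -f` expects the private key file. The placeholder `/path_to_your_privkey` could also name the conventional location, e.g. `~/.ssh/id_ed25519`, so that users are less likely to paste the `.pub` file by mistake.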


From 4909493a9f75ad188f044b8577e7357f122fb445 Mon Sep 17 00:00:00 2001 From: zeripath Date: Fri, 24 Jun 2022 11:49:47 +0100 Subject: [PATCH 3/4] Allow manager logging to set SQL (#20064) This PR adds a new manager command to switch on SQL logging and to turn it off. ``` gitea manager logging log-sql gitea manager logging log-sql --off ``` Signed-off-by: Andrew Thornton
--- cmd/manager_logging.go | 27 +++++++++++++++++++++++++++ models/db/engine.go | 9 +++++++++ models/db/log.go | 25 ++++++++++++++++--------- modules/private/manager.go | 19 +++++++++++++++++++ routers/private/internal.go | 1 + routers/private/manager.go | 7 +++++++ 6 files changed, 79 insertions(+), 9 deletions(-)
diff --git a/cmd/manager_logging.go b/cmd/manager_logging.go
index 0043ea1e52ad4..761edf654c8ac 100644
--- a/cmd/manager_logging.go
+++ b/cmd/manager_logging.go
@@ -174,6 +174,18 @@ var (
 Action: runAddSMTPLogger,
 },
 },
+ }, {
+ Name: "log-sql",
+ Usage: "Set LogSQL",
+ Flags: []cli.Flag{
+ cli.BoolFlag{
+ Name: "debug",
+ }, cli.BoolFlag{
+ Name: "off",
+ Usage: "Switch off SQL logging",
+ },
+ },
+ Action: runSetLogSQL,
 },
 },
 }
@@ -381,3 +393,18 @@ func runReleaseReopenLogging(c *cli.Context) error {
 fmt.Fprintln(os.Stdout, msg)
 return nil
 }
+
+func runSetLogSQL(c *cli.Context) error {
+ ctx, cancel := installSignals()
+ defer cancel()
+ setup("manager", c.Bool("debug"))
+
+ statusCode, msg := private.SetLogSQL(ctx, !c.Bool("off"))
+ switch statusCode {
+ case http.StatusInternalServerError:
+ return fail("InternalServerError", msg)
+ }
+
+ fmt.Fprintln(os.Stdout, msg)
+ return nil
+}
diff --git a/models/db/engine.go b/models/db/engine.go
index 93cf5ad8bc06b..2c329300e3af2 100755
--- a/models/db/engine.go
+++ b/models/db/engine.go
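Review bot: In `runSetLogSQL` the switch only converts `http.StatusInternalServerError` into an error; any other non-200 status that `private.SetLogSQL` relays (an authentication failure on the internal API, or a 404 from a server that predates this route) falls through, prints the error body and exits 0, so a failed toggle is indistinguishable from success. A `default` arm such as `default: if statusCode != http.StatusOK { return fail("UnexpectedStatus", msg) }` closes that gap; if the neighbouring `run*Logging` commands share the same shape (only the tail of `runReleaseReopenLogging` is visible here) they would benefit from the same fix. The subcommand's `Usage: "Set LogSQL"` also tells an operator nothing about the effect; something like `Usage: "Enable SQL statement logging on the running instance (use --off to disable)"`, mentioning that the logged statements may include bound query parameters depending on the xorm logger configuration, would make the impact of turning it on clear, and the `debug` flag has no `Usage` at all.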
@@ -287,3 +287,12 @@ func GetMaxID(beanOrTableName interface{}) (maxID int64, err error) {
 _, err = x.Select("MAX(id)").Table(beanOrTableName).Get(&maxID)
 return maxID, err
 }
+
+func SetLogSQL(ctx context.Context, on bool) {
+ e := GetEngine(ctx)
+ if x, ok := e.(*xorm.Engine); ok {
+ x.ShowSQL(on)
+ } else if sess, ok := e.(*xorm.Session); ok {
+ sess.Engine().ShowSQL(on)
+ }
+}
diff --git a/models/db/log.go b/models/db/log.go
index f9febf440e2b2..4c497fdfd72c3 100644
--- a/models/db/log.go
+++ b/models/db/log.go
@@ -6,6 +6,7 @@ package db
 import (
 "fmt"
+ "sync/atomic"
 "code.gitea.io/gitea/modules/log"
@@ -14,15 +15,19 @@ import (
 // XORMLogBridge a logger bridge from Logger to xorm
 type XORMLogBridge struct {
- showSQL bool
- logger log.Logger
+ showSQLint *int32
+ logger log.Logger
 }
 // NewXORMLogger inits a log bridge for xorm
 func NewXORMLogger(showSQL bool) xormlog.Logger {
+ showSQLint := int32(0)
+ if showSQL {
+ showSQLint = 1
+ }
 return &XORMLogBridge{
- showSQL: showSQL,
- logger: log.GetLogger("xorm"),
+ showSQLint: &showSQLint,
+ logger: log.GetLogger("xorm"),
 }
 }
@@ -94,14 +99,16 @@ func (l *XORMLogBridge) SetLevel(lvl xormlog.LogLevel) {
 // ShowSQL set if record SQL
 func (l *XORMLogBridge) ShowSQL(show ...bool) {
- if len(show) > 0 {
- l.showSQL = show[0]
- } else {
- l.showSQL = true
+ showSQL := int32(1)
+ if len(show) > 0 && !show[0] {
+ showSQL = 0
 }
+ atomic.StoreInt32(l.showSQLint, showSQL)
 }
 // IsShowSQL if record SQL
 func (l *XORMLogBridge) IsShowSQL() bool {
- return l.showSQL
+ showSQL := atomic.LoadInt32(l.showSQLint)
+
+ return showSQL == 1
 }
diff --git a/modules/private/manager.go b/modules/private/manager.go
index 8405bf2c83d88..ba51260ebbee9 100644
--- a/modules/private/manager.go
+++ b/modules/private/manager.go
@@ -10,6 +10,7 @@ import (
 "io"
 "net/http"
 "net/url"
+ "strconv"
 "time"
 "code.gitea.io/gitea/modules/json"
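Review bot: In the new `SetLogSQL`, `if x, ok := e.(*xorm.Engine); ok` declares a local `x` that shadows the package-level engine `x` used a few lines earlier in `GetMaxID` (`x.Select("MAX(id)")`), which invites confusion in a file where `x` otherwise always means the global engine; `if eng, ok := e.(*xorm.Engine); ok { eng.ShowSQL(on) }` avoids it. When `GetEngine(ctx)` yields something that is neither an `*xorm.Engine` nor an `*xorm.Session` the function silently does nothing and the caller cannot tell, so either return a `bool` reporting whether the setting was applied or state that limitation in the doc comment. The exported function also has no doc comment; `// SetLogSQL turns SQL statement logging on or off for the engine associated with ctx.` would satisfy the convention.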
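Review bot: The `showSQLint *int32` field adds a pointer indirection that the atomic operations do not need: `XORMLogBridge` is handled through a pointer receiver, so a plain `showSQLint int32` field with `atomic.StoreInt32(&l.showSQLint, showSQL)` and `atomic.LoadInt32(&l.showSQLint)` (and `showSQLint: showSQLint` in `NewXORMLogger`) is equivalent, and it removes the nil dereference that a zero-value `XORMLogBridge{}` would now hit in `ShowSQL`/`IsShowSQL` in the third hunk of this file. The bool-to-0/1 conversion is also hand-written twice, in `NewXORMLogger` and again in `IsShowSQL`; `atomic.Bool` would express the intent directly if the module's Go version is 1.19 or later, which cannot be seen from here.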
@@ -139,6 +140,24 @@ func ReleaseReopenLogging(ctx context.Context) (int, string) {
 return http.StatusOK, "Logging Restarted"
 }
+// SetLogSQL sets database logging
+func SetLogSQL(ctx context.Context, on bool) (int, string) {
+ reqURL := setting.LocalURL + "api/internal/manager/set-log-sql?on=" + strconv.FormatBool(on)
+
+ req := newInternalRequest(ctx, reqURL, "POST")
+ resp, err := req.Response()
+ if err != nil {
+ return http.StatusInternalServerError, fmt.Sprintf("Unable to contact gitea: %v", err.Error())
+ }
+ defer resp.Body.Close()
+
+ if resp.StatusCode != http.StatusOK {
+ return resp.StatusCode, decodeJSONError(resp).Err
+ }
+
+ return http.StatusOK, "Log SQL setting set"
+}
+
 // LoggerOptions represents the options for the add logger call
 type LoggerOptions struct {
 Group string
diff --git a/routers/private/internal.go b/routers/private/internal.go
index 6ba87d67bf542..061c7f3c822af 100644
--- a/routers/private/internal.go
+++ b/routers/private/internal.go
@@ -68,6 +68,7 @@ func Routes() *web.Route {
 r.Post("/manager/pause-logging", PauseLogging)
 r.Post("/manager/resume-logging", ResumeLogging)
 r.Post("/manager/release-and-reopen-logging", ReleaseReopenLogging)
+ r.Post("/manager/set-log-sql", SetLogSQL)
 r.Post("/manager/add-logger", bind(private.LoggerOptions{}), AddLogger)
 r.Post("/manager/remove-logger/{group}/{name}", RemoveLogger)
 r.Get("/manager/processes", Processes)
diff --git a/routers/private/manager.go b/routers/private/manager.go
index a3b9a16f79a3f..e7f08ac455462 100644
--- a/routers/private/manager.go
+++ b/routers/private/manager.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "net/http"
+ "code.gitea.io/gitea/models/db"
 "code.gitea.io/gitea/modules/context"
 "code.gitea.io/gitea/modules/graceful"
 "code.gitea.io/gitea/modules/json"
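Review bot: `fmt.Sprintf("Unable to contact gitea: %v", err.Error())` formats the error's string through `%v`; passing the error itself, `fmt.Sprintf("Unable to contact gitea: %v", err)`, is the idiomatic form and produces the same text. The doc comment `// SetLogSQL sets database logging` could state what the function actually does, e.g. `// SetLogSQL asks the running instance, via the internal API, to turn SQL statement logging on or off, returning the HTTP status and a message for the CLI to print.` Note that the non-200 branch hands back whatever status the server sent together with `decodeJSONError(resp).Err`, so the CLI caller has to treat every non-200 status as a failure, not only 500.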
@@ -67,6 +68,12 @@ func ReleaseReopenLogging(ctx *context.PrivateContext) {
 ctx.PlainText(http.StatusOK, "success")
 }
+// SetLogSQL re-sets database SQL logging
+func SetLogSQL(ctx *context.PrivateContext) {
+ db.SetLogSQL(ctx, ctx.FormBool("on"))
+ ctx.PlainText(http.StatusOK, "success")
+}
+
 // RemoveLogger removes a logger
 func RemoveLogger(ctx *context.PrivateContext) {
 group := ctx.Params("group")
From 48ef12b27cde7757f33ec54df7bb40094b301e49 Mon Sep 17 00:00:00 2001 From: silverwind Date: Fri, 24 Jun 2022 14:09:53 +0200 Subject: [PATCH 4/4] Move eslintrc/stylelintrc to non-deprecated extensions (#20110)
--- .eslintrc => .eslintrc.yaml | 0 .gitattributes | 2 -- .stylelintrc => .stylelintrc.yaml | 0 3 files changed, 2 deletions(-) rename .eslintrc => .eslintrc.yaml (100%) rename .stylelintrc => .stylelintrc.yaml (100%)
diff --git a/.eslintrc b/.eslintrc.yaml
similarity index 100%
rename from .eslintrc
rename to .eslintrc.yaml
diff --git a/.gitattributes b/.gitattributes
index 12c45dbc6a078..bb2783b0ad139 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,7 +1,5 @@
 * text=auto eol=lf
 *.tmpl linguist-language=Handlebars
-/.eslintrc linguist-language=YAML
-/.stylelintrc linguist-language=YAML
 /public/vendor/** -text -eol linguist-vendored
 /vendor/** -text -eol linguist-vendored
 /web_src/fomantic/build/** linguist-generated
diff --git a/.stylelintrc b/.stylelintrc.yaml
similarity index 100%
rename from .stylelintrc
rename to .stylelintrc.yaml
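Review bot: The handler flips SQL logging for the whole running instance but leaves no record that it did so; since enabling it changes what ends up in the xorm log (statements and, depending on the logger configuration, their bound arguments), the transition is worth logging, e.g. `on := ctx.FormBool("on")` / `log.Info("SQL logging set to %t via the internal manager API", on)` / `db.SetLogSQL(ctx, on)`, assuming `modules/log` is imported in this file (only part of the import block is visible in the previous hunk). `ctx.FormBool("on")` also yields false when the parameter is absent, so a client that omits `on` silently disables logging rather than being rejected. The comment `// SetLogSQL re-sets database SQL logging` would be clearer as `// SetLogSQL turns SQL statement logging on (on=true) or off (on=false) for the running instance.`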