MokoConsulting/MokoGitea-APP
1
0
Fork 0
Code Issues 158 Pull Requests 3 Releases 96 Wiki Activity

fix(security): cherry-pick upstream v1.26.2 security and bug fixes #225

New Issue
Open
opened 2026-05-26 21:21:06 +00:00 by jmiller · 0 comments
jmiller commented 2026-05-26 21:21:06 +00:00
Owner
Copy Link
Copy Source

Summary

Upstream Gitea v1.26.2 contains 12 security fixes and several high-impact bug fixes that need to be cherry-picked into MokoGitea. We are diverged from upstream so a full merge is not viable -- individual cherry-picks are required.

Security Fixes (Priority: Critical)

These address token theft, privilege escalation, and access control bypass:

  • 5038561235 fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706)
  • 86cc3e8783 fix(oauth): bind token exchanges to the original client request (#37704)
  • 519b8d6d88 fix(security): enforce wiki git writes and LFS token access at request time (#37695)
  • 9c0ad8291b fix: Add missed token scope checking (#37735)
  • 2965b0c08a fix(web): enforce token scopes on raw, media, and attachment downloads (#37698)
  • a34eac5ef4 fix: Unify public-only token filtering in API queries and repo access checks (#37118)
  • 6d2b02dac1 fix(permissions): Fix reading permission (#37769)
  • 4ee74d7699 FIX: URL sanitization to handle schemeless credentials (#37440)
  • 78899832eb Fix attachment Content-Security-Policy (#37455)
  • b88bad2a01 Fix basic auth bug (#37503)
  • 5636219dbc chore(deps): bump go-git/go-git/v5 to 5.19.0 (security)
  • 57dd9f5bab fix(deps): update dependency mermaid to v11.15.0 [security]

Bug Fixes (Priority: High)

  • 1c2d5e9b03 fix(actions): make artifact signature payloads unambiguous (#37707)
  • 1d7b84922f fix(actions): wrong assumption that run id always >= job id (#37737)
  • b586d80f97 fix(actions): prevent panic when workflow contains null jobs (#37570)
  • 356a119f30 fix(actions): validate workflow param to prevent 500 error (#37546)
  • 677ab982bf fix(git): Fix smart http request scope bug (#37583)
  • dd78d87dcd fix: merge autodetect cannot close other PRs (#37512)
  • 74e515623b Fix allow maintainer edit permission check (#37479)
  • e2b211f291 Fix update branch protection order (#37508)
  • ab0d52b4c7 fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564)

Bug Fixes (Priority: Medium)

  • 5eaa0bc603 fix(packages): Add label for private and internal package and fix composer package source permission check (#37610)
  • edfba678ec fix!: add DEFAULT_TITLE_SOURCE setting for pull request title default behavior (#37465)
  • 5632abff9e Fix review submission from single-commit PR view (#37475)
  • a859221a62 fix(pull): handle empty pull request files view to allow reviews (#37783)
  • 631a9b5d16 fix: make clone URL respect public URL detection setting (#37615)
  • fb159eae8f fix: run as root check (#37622)

Already Cherry-Picked

  • 7b82ded82a fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692)
  • c4a1ff7d16 Fix scheduled action panic with null event payload (#37459)
  • b79529015e Do not unblock run-level-concurrency-blocked runs in the resolver (#37461)
  • 3004c45607 fix: Invalid UTF-8 commit messages in JSON API responses (#37542)

Approach

  1. Cherry-pick security fixes first into a single branch
  2. Resolve conflicts against MokoGitea namespace changes
  3. Test build + lint
  4. PR to dev, then RC to main

Opened by Claude Code on behalf of @jmiller

## Summary Upstream Gitea v1.26.2 contains 12 security fixes and several high-impact bug fixes that need to be cherry-picked into MokoGitea. We are diverged from upstream so a full merge is not viable -- individual cherry-picks are required. ## Security Fixes (Priority: Critical) These address token theft, privilege escalation, and access control bypass: - [ ] `5038561235` fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706) - [ ] `86cc3e8783` fix(oauth): bind token exchanges to the original client request (#37704) - [ ] `519b8d6d88` fix(security): enforce wiki git writes and LFS token access at request time (#37695) - [ ] `9c0ad8291b` fix: Add missed token scope checking (#37735) - [ ] `2965b0c08a` fix(web): enforce token scopes on raw, media, and attachment downloads (#37698) - [ ] `a34eac5ef4` fix: Unify public-only token filtering in API queries and repo access checks (#37118) - [ ] `6d2b02dac1` fix(permissions): Fix reading permission (#37769) - [ ] `4ee74d7699` FIX: URL sanitization to handle schemeless credentials (#37440) - [ ] `78899832eb` Fix attachment Content-Security-Policy (#37455) - [ ] `b88bad2a01` Fix basic auth bug (#37503) - [ ] `5636219dbc` chore(deps): bump go-git/go-git/v5 to 5.19.0 (security) - [ ] `57dd9f5bab` fix(deps): update dependency mermaid to v11.15.0 [security] ## Bug Fixes (Priority: High) - [ ] `1c2d5e9b03` fix(actions): make artifact signature payloads unambiguous (#37707) - [ ] `1d7b84922f` fix(actions): wrong assumption that run id always >= job id (#37737) - [ ] `b586d80f97` fix(actions): prevent panic when workflow contains null jobs (#37570) - [ ] `356a119f30` fix(actions): validate workflow param to prevent 500 error (#37546) - [ ] `677ab982bf` fix(git): Fix smart http request scope bug (#37583) - [ ] `dd78d87dcd` fix: merge autodetect cannot close other PRs (#37512) - [ ] `74e515623b` Fix allow maintainer edit permission check (#37479) - [ ] `e2b211f291` Fix update branch protection order (#37508) - [ ] `ab0d52b4c7` fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564) ## Bug Fixes (Priority: Medium) - [ ] `5eaa0bc603` fix(packages): Add label for private and internal package and fix composer package source permission check (#37610) - [ ] `edfba678ec` fix!: add DEFAULT_TITLE_SOURCE setting for pull request title default behavior (#37465) - [ ] `5632abff9e` Fix review submission from single-commit PR view (#37475) - [ ] `a859221a62` fix(pull): handle empty pull request files view to allow reviews (#37783) - [ ] `631a9b5d16` fix: make clone URL respect public URL detection setting (#37615) - [ ] `fb159eae8f` fix: run as root check (#37622) ## Already Cherry-Picked - [x] `7b82ded82a` fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692) - [x] `c4a1ff7d16` Fix scheduled action panic with null event payload (#37459) - [x] `b79529015e` Do not unblock run-level-concurrency-blocked runs in the resolver (#37461) - [x] `3004c45607` fix: Invalid UTF-8 commit messages in JSON API responses (#37542) ## Approach 1. Cherry-pick security fixes first into a single branch 2. Resolve conflicts against MokoGitea namespace changes 3. Test build + lint 4. PR to dev, then RC to main --- *Opened by Claude Code on behalf of @jmiller*
jmiller added the ci-cd label 2026-05-26 21:21:06 +00:00
Sign in to join this conversation.
Labels
Clear labels
breaking-change
Breaking API or behavior change
 ci-cd
CI/CD pipeline changes
 config
Configuration changes
 dependencies
Dependency updates
 deploy-failure
Deployment failed
 docker
Docker/container changes
 documentation
Documentation changes
 good first issue
Good for newcomers
 health-check
Repo health check result
 help wanted
Extra attention needed
 mokostandards
Related to MokoStandards framework
 push-failure
Git push operation failed
 security
Security vulnerability or hardening
 size/l
200-500 lines changed
 size/m
50-200 lines changed
 size/s
10-50 lines changed
 size/xl
500+ lines changed
 size/xs
< 10 lines changed
 standards-drift
Deviates from MokoStandards
 standards-update
MokoStandards compliance update
 sync-failure
Sync or mirror failed
 tech-debt
Technical debt and TODO/FIXME items
 upstream
upstream
Inherited from upstream Gitea
 work-in-progress
Draft or incomplete work
No labels ci-cd
Priority High
Type Bug
Status
Priority
Type
Milestone
No items
No Milestone
Assignees
Clear assignees
jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-APP#225
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?