fix: cherry-pick upstream security fixes from v1.26.3 and v1.26.4 #712

Merged

jmiller merged 17 commits from fix/upstream-security-v1.26.3 into main 2026-06-28 08:45:15 +00:00

Conversation 0 Commits 17 Files Changed 54

+1376 -271

jmiller commented 2026-06-28 07:24:44 +00:00

Owner

Copy Link

Copy Source

Summary\n\nCherry-picks 13 security commits from upstream Gitea v1.26.3 and v1.26.4 releases.\n\n### v1.26.3 Security (11 commits)\n- LFS: reject unknown SSH sub-verbs to prevent auth bypass (#38015)\n- Bound CODEOWNERS regex match time — ReDoS prevention (#38025)\n- Actions: require merged PR to bypass fork PR approval gate (#38041)\n- LFS: require Code-unit access for cross-repo object reuse (#38050)\n- hostmatcher: block reserved IP ranges — SSRF prevention (#38059)\n- Bound debian ParseControlFile — DoS prevention (#38055)\n- Various security fixes: feed token scope, migration SSRF, notification redaction (#38147)\n- OIDC: ignore stale external login links to organizations (#38141)\n- Various security fixes: 2FA timing, branch delete auth, org labels visibility, merge upstream auth (#38151)\n- Allow git clone of private repos with anonymous code access (#38146)\n- hostmatcher: patch incorrect private IP list (#38173)\n\n### v1.26.4 Security (2 commits)\n- Auth: do not auto-reactivate disabled users on OAuth2 callback (#38183)\n- Fix: walk git log context error handling — fixes v1.26.3 regression (#38185)\n\n## Test plan\n- [ ] Verify git push/pull operations work correctly\n- [ ] Verify OAuth2 login flows still function\n- [ ] Verify LFS operations\n- [ ] Verify Actions workflow approval gates\n\nhttps://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

## Summary\n\nCherry-picks 13 security commits from upstream Gitea v1.26.3 and v1.26.4 releases.\n\n### v1.26.3 Security (11 commits)\n- LFS: reject unknown SSH sub-verbs to prevent auth bypass (#38015)\n- Bound CODEOWNERS regex match time — ReDoS prevention (#38025)\n- Actions: require merged PR to bypass fork PR approval gate (#38041)\n- LFS: require Code-unit access for cross-repo object reuse (#38050)\n- hostmatcher: block reserved IP ranges — SSRF prevention (#38059)\n- Bound debian ParseControlFile — DoS prevention (#38055)\n- Various security fixes: feed token scope, migration SSRF, notification redaction (#38147)\n- OIDC: ignore stale external login links to organizations (#38141)\n- Various security fixes: 2FA timing, branch delete auth, org labels visibility, merge upstream auth (#38151)\n- Allow git clone of private repos with anonymous code access (#38146)\n- hostmatcher: patch incorrect private IP list (#38173)\n\n### v1.26.4 Security (2 commits)\n- Auth: do not auto-reactivate disabled users on OAuth2 callback (#38183)\n- Fix: walk git log context error handling — fixes v1.26.3 regression (#38185)\n\n## Test plan\n- [ ] Verify git push/pull operations work correctly\n- [ ] Verify OAuth2 login flows still function\n- [ ] Verify LFS operations\n- [ ] Verify Actions workflow approval gates\n\nhttps://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 13 commits 2026-06-28 07:24:46 +00:00

fix(lfs): reject unknown SSH LFS sub-verbs to prevent auth bypass (#38008) (#38015) 884e568ea2

fix: bound CODEOWNERS regex match time (#38011) (#38025) ... 725acbe112

Backport #38011 by @bircni

User-supplied CODEOWNERS patterns were compiled without a match timeout,
so a crafted pattern (e.g. (a+)+) against a crafted file path could
backtrack for tens of seconds inside the PR creation transaction and
exhaust the database connection pool. Set MatchTimeout on each compiled
rule; the caller already treats match errors as non-matches.

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: bircni <bircni@icloud.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

fix(actions)!: require merged PR to bypass fork PR approval gate (#38010) (#38041) ... e9648f367e

Backport #38010 by @bircni

`ifNeedApproval` in `services/actions/notifier_helper.go` decided
whether a
fork PR's workflow run had to wait for maintainer approval. The bypass
clause
counted any prior `approved_by > 0` run for `(repo_id,
trigger_user_id)`, so
the very first Approve-and-run click on a contributor's fork PR
permanently
trusted that user for every future fork PR in the same repository —
including
PRs whose only change is the workflow YAML itself.

Approving a workflow *run* is not the same as merging *code*. This
change
aligns the gate with GitHub Actions' first-time-contributor model: trust
is
granted only after the user has had a pull request merged in the repo.

## Behavior change

- **Before**: one approval = permanent trust for that user in that repo.
- **After**: every fork PR is gated until the contributor has at least
one
  merged PR in the repo.

Existing already-approved runs and merged PRs continue to work; only the
trust criterion for *future* fork PRs changes. Maintainers who rely on
the
implicit "approve once" trust will see the approval banner reappear
until
they merge a PR from that contributor.

---------

Signed-off-by: bircni <bircni@icloud.com>
Co-authored-by: bircni <bircni@icloud.com>

fix(lfs): require Code-unit access for cross-repo LFS object reuse (#38006) (#38050) d3c6998d3e

fix(hostmatcher): block reserved IP ranges from external/private filters (#38039) (#38059) fedce235d5

fix: bound debian ParseControlFile to a single control stanza (#38044) (#38055) ... 186ac68f03

Backport #38044 by @metsw24-max

**Packages-index stanza injection via Debian control file**

A `.deb` whose `control` file appends extra paragraphs after a blank
line was still accepted, and `ParseControlFile` stored the whole
multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into
the generated `Packages` index, so the embedded blank line splits it
into separate stanzas and an uploader can smuggle a package entry with
an attacker-chosen `Filename` into the shared index. A binary control
file only holds one stanza, so parsing now stops at the blank line that
terminates it; well-formed packages are unaffected and the new subtest
covers the trailing-stanza case.

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: metsw24-max <metsw24@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: bircni <bircni@icloud.com>

fix: Various sec fixes (#38108) (#38147) ... bc578b7eba

Backport #38108

- Enforce repository token scope on RSS/Atom feed endpoints so a PAT
without repo scope can no longer read private repo commit data.
- Block HTTP redirects during repository migration clones to prevent
SSRF reaching internal addresses via an attacker-controlled redirect.
- Redact the notification subject after repo access is revoked so
private issue/PR metadata is no longer leaked through the notification
API.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>

fix(auth): ignore stale OIDC external login links to organizations (#37875) (#38141) ... 26ad4fd03f

Backport #37875

This fixes an OIDC sign-in edge case where a stale `external_login_user`
record can still point to an organization or a deleted user.

In that situation, Gitea may keep resolving the external login to the
wrong account during sign-in. For affected instances, this matches the
behavior reported in #36439 and #37812, where a user signing in with
OIDC/Entra ID could appear as an organization, or hit a 404 after that
organization was removed.

- validate the user resolved from `external_login_user` during
OAuth2/OIDC login
- ignore stale links when the linked user no longer exists
- ignore stale links when the linked user is not an individual user
- remove the stale external login row so the sign-in flow can relink the
external account to the correct user

- Fixes #37812
- Related to #36439

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.8) <noreply@anthropic.com>
Co-authored-by: bircni <bircni@icloud.com>

fix: Various security fixes (#38103) (#38151) ... cbf34fb987

Backport #38103

- Enforce org visibility on organization label read endpoints (private
org labels no longer leak to non-members).
- Block fork sync (`merge-upstream`) when the base repo is no longer
readable (stops pulling commits after a parent goes private).
- Remove `REVERSE_PROXY_LIMIT` / `REVERSE_PROXY_TRUSTED_PROXIES` from
the Docker `app.ini` templates (the `= *` default allowed
`X-WEBAUTH-USER` impersonation; reverse-proxy auth is now opt-in and
admin-configured).
- Enforce single-use TOTP passcodes across web login, password-reset,
and Basic-Auth `X-Gitea-OTP` (fixes a TOCTOU race and a stateless
replay).
- Re-check branch write permission for every ref in a push (the
pre-receive hook cached the first ref's result, letting a per-branch
maintainer-edit grant escalate to full repo write).

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

fix: allow git clone of private repos with anonymous code access (#38074) (#38146) ... 94590bc834

Backport #38074

Fixes #38062.

Private repositories with a code unit configured for **anonymous read
access** (Settings → Public Access → Code: anonymous view) could not be
cloned without credentials. The git HTTP auth gate (`httpBase`) only
bypassed authentication for non-private repos, ignoring the per-unit
anonymous access setting entirely.

- Check anonymous permissions via
`access_model.GetDoerRepoPermission(ctx, repo, nil)` + `CanAccess`
before requiring auth on pull operations, so the per-unit
`AnonymousAccessMode` is respected through the existing permission model
- This also correctly handles `setting.Repository.ForcePrivate` (which
the naive direct-field check would have missed)
- Push (receive-pack) and `RequireSignInViewStrict` continue to require
credentials as before

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

fix(hostmacher): patch incorrect private list (#38170) (#38173) ... 0dc858c15c

Backport #38170 by @TheFox0x7

regression from #38039

Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>

fix(auth): do not auto-reactivate disabled users on OAuth2 callback (#38009) (#38183) ... c0f89a373d

Backport #38009

The OAuth2 sign-in callback unconditionally set IsActive=true on the
local user row whenever the IdP authenticated them, silently undoing an
administrator's "Disable Account" action and granting the user a fresh
session in the same response. Treat the local IsActive flag as an
authoritative admin override: inactive users get a session and are
routed through the existing activate / prohibit-login pages by
verifyAuthWithOptions, matching the local-credentials sign-in path.

Adds an integration regression test that disables a linked local user
and asserts the row stays IsActive=false after a full OIDC callback.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

fix: walk git log context error handling (#38182) (#38185) ... 2ff0e4aa21

Backport #38182

Fix #38177

Make WalkGitLog can handle EOF and context errors correctly, and don't
export these private functions & methods & structs.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

jmiller added 2 commits 2026-06-28 07:35:23 +00:00

docs: add security section to changelog for upstream v1.26.3/v1.26.4 fixes ... b0bbaab621

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

fix: log error when pre-receive secret scan cannot read commit ... e947600ea7

Previously, GetCommit failures were silently swallowed, allowing
pushes to proceed without scanning. Now logs the error so admins
can diagnose issues while still allowing the push.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 1 commit 2026-06-28 07:38:06 +00:00

fix: revert accidental secret scanning code from security fix branch ... 4e5aa5f3ce

The pre-receive hook had security scanning code from the wrong feature
branch (feature/secret-scanning-clean). Restoring to the correct state
with only upstream security cherry-picks.

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller added 1 commit 2026-06-28 08:32:15 +00:00

fix: resolve merge conflict marker and fix import paths in cherry-picked tests ... 5da6a40f10

- Remove residual <<<<<<< HEAD marker from api_org_test.go
- Convert code.gitea.io/gitea to mokoconsulting paths in 5 new test files:
  cmd/serv_test.go, models/auth/twofactor_test.go,
  modules/git/commit_info_nogogit_test.go,
  routers/private/hook_pre_receive_test.go,
  services/actions/notifier_helper_test.go
- Add changelog entries for new features (#460, #507, #513)

Claude-Session: https://claude.ai/code/session_011AAFzotGMf3ayvXhEmStCd

jmiller merged commit 0b44e92369 into main 2026-06-28 08:45:15 +00:00

jmiller deleted branch fix/upstream-security-v1.26.3 2026-06-28 08:45:17 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

feature: wiki

Wiki system enhancements

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

No labels

Priority -

Type -

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea-Fork#712