jojo/models/auth
Mathieu Fenniak 32b8d732b8 2026-05-12 security patches (#12493)
- fix: prevent git write to wiki repo from unauthorized user via git HTTP
- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- fix: implement missing OAuth validation checks, improve protections against race conditions
- fix: prevent OAuth redirect URI spoofing via non-ASCII case collision
- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks

## Release notes

- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12493): 2026-05-12 security patches

Co-authored-by: Derzsi Dániel <daniel@tohka.us>
Co-authored-by: jvoisin <julien.voisin@dustri.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12493
2026-05-12 04:54:25 +02:00
TestGetRepositoriesAccessibleWithIntegration feat: add repo-specific & public-only authz reducers to authorized integrations (#12267) 2026-04-26 23:54:41 +02:00
TestGetRepositoriesAccessibleWithToken feat: backend DB model for fine-grained repo access tokens 2026-02-27 17:17:29 +01:00
TestGetRepositoriesAccessibleWithTokens feat: read, create, & delete repo-specific access tokens via API (#11504) 2026-03-07 21:55:08 +01:00
TestOrphanedOAuth2Applications test: Global OAuth should not be deleted 2024-11-23 19:49:55 +01:00
access_token.go feat: read, create, & delete repo-specific access tokens via API (#11504) 2026-03-07 21:55:08 +01:00
access_token_resource.go feat: add repo-specific & public-only authz reducers to authorized integrations (#12267) 2026-04-26 23:54:41 +02:00
access_token_resource_test.go feat: read, create, & delete repo-specific access tokens via API (#11504) 2026-03-07 21:55:08 +01:00
access_token_scope.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
access_token_scope_test.go [GITEA] silently ignore obsolete sudo scope 2024-02-05 16:05:50 +01:00
access_token_test.go feat: avoid updating all columns (#9572) 2025-10-09 13:22:29 +02:00
auth_token.go feat: add foreign keys to forgejo_auth_token (#9886) 2025-10-29 01:09:06 +01:00
authorized_integration.go feat: allow Authorized Integrations to have multiple values for a claim match (#12482) 2026-05-10 04:52:02 +02:00
authorized_integration_resource_repo.go feat: add CLI command 'admin user create-authorized-integration' (#12299) 2026-04-28 21:32:45 +02:00
authorized_integration_resource_repo_test.go feat: add CLI command 'admin user create-authorized-integration' (#12299) 2026-04-28 21:32:45 +02:00
authorized_integration_test.go feat: add CLI command 'admin user create-authorized-integration' (#12299) 2026-04-28 21:32:45 +02:00
main_test.go chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
oauth2.go 2026-05-12 security patches (#12493) 2026-05-12 04:54:25 +02:00
oauth2_list.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
oauth2_test.go 2026-05-12 security patches (#12493) 2026-05-12 04:54:25 +02:00
session.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
session_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
source.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
source_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
two_factor.go feat: consider WebAuthn & SSH for instance signing (#7693) 2025-04-29 10:34:07 +00:00
two_factor_test.go chore: add SQL fault injector testing (#9314) 2025-09-18 00:39:06 +02:00
twofactor.go feat: cache derived keys for faster keying (#10114) 2025-11-16 14:29:14 +01:00
webauthn.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
webauthn_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00