Mathieu Fenniak 32b8d732b8 2026-05-12 security patches (#12493) ... - fix: prevent git write to wiki repo from unauthorized user via git HTTP - fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo - fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...) - fix: implementing missing OAuth validation checks, improve protections against race conditions - fix: prevent OAuth redirect URI spoofing via non-ascii case collision - fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Security bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/12493): <!--number 12493 --><!--line 0 --><!--description MjAyNi0wNS0xMiBzZWN1cml0eSBwYXRjaGVz-->2026-05-12 security patches<!--description--> <!--end release-notes-assistant--> Co-authored-by: Derzsi Dániel <daniel@tohka.us> Co-authored-by: jvoisin <julien.voisin@dustri.org> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12493		2026-05-12 04:54:25 +02:00
..
TestActionConcurrencyGroupQueue	refactor: migrate from lib/pq to jackc/pgx (#10219)	2025-11-30 17:47:45 +01:00
TestActionConcurrencyRunnerFiltering	refactor: migrate from lib/pq to jackc/pgx (#10219)	2025-11-30 17:47:45 +01:00
TestActionRunDeletion	feat: make it possible to remove workflow runs (#12478)	2026-05-11 16:02:36 +02:00
TestActionRunsList	feat: show workflow name for scheduled runs (#11770)	2026-03-24 01:27:32 +01:00
TestActionsAPIDeleteActionRun	feat: make it possible to remove workflow runs (#12478)	2026-05-11 16:02:36 +02:00
TestActionVariablesModification	fix(sec): web route test edit and delete variable	2025-02-08 07:21:14 +00:00
TestActionViewRunDeletion	feat: make it possible to remove workflow runs (#12478)	2026-05-11 16:02:36 +02:00
TestActionViewsView	feat: show workflow name for scheduled runs (#11770)	2026-03-24 01:27:32 +01:00
TestAdminDeleteUser	fix: reduce deadlocks merging PRs by using caching for repo issue count stats (#9922)	2025-10-31 23:50:05 +01:00
TestAdminFederationViewHostsAndUsers	feat: add admin views for federation configuration, hosts and users (#11115)	2026-04-09 19:38:33 +02:00
TestAdminModerationViewReports	feat: render a link to poster profile next to the ID within shadow copy details (#10194)	2025-12-09 15:19:10 +01:00
TestAPIGetTeamRepoAccessTokenResources	feat: implement fine-grained access tokens in /teams/{id}/repos/{org}/{repo}	2026-03-01 17:05:53 +01:00
TestAPIGetTeamReposAccessTokenResources	feat: implement fine-grained access tokens in /teams/{id}/repos	2026-03-01 10:54:43 -07:00
TestAPIGlobalActionsRunnerOperations	feat: implement ephemeral runners (#9962)	2026-02-16 18:56:56 +01:00
TestAPIGlobalActionsRunnerRegistrationTokenOperations	feat: add foreign keys to the action_runner_token table (#10756)	2026-01-12 21:59:40 +01:00
TestAPIOrgActionsRunnerOperations	feat: implement ephemeral runners (#9962)	2026-02-16 18:56:56 +01:00
TestAPIOrgActionsRunnerRegistrationTokenOperations	feat: add foreign keys to the action_runner_token table (#10756)	2026-01-12 21:59:40 +01:00
TestAPIRemoveIssueLabelByName	feat: github compatability for removing label from issue API (#8831)	2025-08-30 03:29:23 +02:00
TestAPIRepoActionsRunnerOperations	feat: implement ephemeral runners (#9962)	2026-02-16 18:56:56 +01:00
TestAPIRepoActionsRunnerRegistrationTokenOperations	feat: add foreign keys to the action_runner_token table (#10756)	2026-01-12 21:59:40 +01:00
TestAPIUserActionsRunnerOperations	feat: implement ephemeral runners (#9962)	2026-02-16 18:56:56 +01:00
TestAPIUserActionsRunnerRegistrationTokenOperations	feat: add foreign keys to the action_runner_token table (#10756)	2026-01-12 21:59:40 +01:00
TestAssignProject	fix(web): org projects assignment in issue view (#7999)	2026-05-02 01:29:40 +02:00
TestBlockActions
TestBlockedNotifications
TestCommitRefComment	[GITEA] Use correct translations for pull request	2024-02-05 16:54:44 +01:00
TestEphemeralRunner	feat: implement ephemeral runners (#9962)	2026-02-16 18:56:56 +01:00
TestFeed	ensure consistent sort order in TestFeed fixture (#11176)	2026-02-06 20:19:00 +01:00
TestForcePushCommitStatus	fix: ignore existence of commits for force pushes (#9262)	2025-09-12 07:27:15 +02:00
TestGetAttachmentViaAPITokens	2026-05-12 security patches (#12493)	2026-05-12 04:54:25 +02:00
TestGetContentHistory
TestIssueCommentChangeProject	fix: construct project links in timeline better (#9872)	2025-10-29 17:46:13 +01:00
TestPackageContainerCleanup	fix: reduce runtime of container cleanup by relying on mass digest cleanup (#10297)	2025-12-05 15:45:47 +01:00
TestPullCombinedReviewRequest	feat: combine review requests comments	2024-10-25 22:57:32 +02:00
TestPullEditable	feat: display the PR editable status in the right-hand side menu (#9392)	2025-09-27 13:08:38 +02:00
TestPullMirrorRedactCredentials	fix: reduce deadlocks merging PRs by using caching for repo issue count stats (#9922)	2025-10-31 23:50:05 +01:00
TestPullRequestParticipants	fix: don't display pending reviews as participants (#10528)	2026-01-06 10:47:21 +01:00
TestPullRequestReplyMail	fix: no notification for replies to pending comments (#7167)	2025-03-09 15:07:12 +00:00
TestRunnerModification	feat: add form-based runner management (#11516)	2026-03-12 02:14:45 +01:00
TestRunnerVisibility	chore: increase test coverage of runner management (#10490)	2025-12-20 15:29:40 +01:00
TestSystemCommentRoles	fix(commenter roles): don't give system users roles (#6766)	2025-02-05 17:34:45 +00:00
TestUserPasswordResetOAuth2	Reject password reset attempts for OAuth2 users without a current password (#9060)	2025-09-12 00:08:29 +02:00
TestUserRename	fix: reflect allowed username change in profile setting (#11171)	2026-02-06 17:47:30 +01:00
TestXSSReviewDismissed	[SECURITY] Test XSS in dismissed review	2024-02-22 15:33:20 +01:00