peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
Mirror of Forgejo for evaluating jojo.build customizations.
24806 commits 27 branches 286 tags 266 MiB
Find a file
Mathieu Fenniak fdd794abe3 [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 
Backport: https://codeberg.org/forgejo/forgejo/pulls/12292

When a pull request is opened, the author is able to mark that pull request to "Allow edits from maintainers", which grants the maintainers of the pull request's repo access to edit the pull request branch contents.  It is possible to create a pull request where the pull request author does not have the ability to edit the pull request branch.  Due to a missing security check for this case, maintainers of the pull request repo would be granted the ability to edit the pull request branch, even if the author of the pull request did not have that ability.  By exploiting this missing security check, a user can edit any branch in a repository if they're able to fork that repository.  The issue is being fixed by restricting the scope of "Allow edits from maintainers" to only grant that access if the pull request author also had access to edit the branch.

Thanks to Arvin Shivram of Brutecat Security for discovering and responsibly disclosing the vulnerability.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12293
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
2026-04-29 05:28:56 +02:00
.devcontainer Update dependency go to v1.26 (forgejo) (#11320) 2026-03-12 01:26:23 +01:00
.forgejo ci: update tests to run debian trixie, remove manual installation from testing (#11801) 2026-03-24 21:57:38 +01:00
.semgrep ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
assets Update module github.com/go-webauthn/webauthn to v0.16.1 (forgejo) (#11674) 2026-03-19 04:16:19 +01:00
build [v15.0/forgejo] i18n(mailer): Fix special usage of .Locale in admin_new_user (#12112) 2026-04-14 07:22:44 +02:00
cmd [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
contrib chore: rename 'forgejo_migrations' to 'forgejo_migrations_legacy' 2025-10-14 14:40:49 -06:00
custom/conf [v15.0/forgejo] chore: fix cookie name comments in example ini (#12132) 2026-04-15 23:26:05 +02:00
docker [v15.0/forgejo] chore(Dockerfile.rootless): update shadowed env variables (#12137) 2026-04-16 10:44:47 +02:00
models [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 2026-04-29 05:28:56 +02:00
modules [v15.0/forgejo] fix(i18n): don't log harmless missing translations as errors (#12185) 2026-04-19 01:46:40 +02:00
options [v15.0/forgejo] i18n: backport of translations from Codeberg Translate 2026-04-28 22:27:43 +05:00
public chore(security): update security.txt with new expiration date (#10447) 2025-12-17 12:32:42 +01:00
release-notes feat: ensure repo-specific access tokens can't perform repo admin operations (#11736) 2026-03-20 16:14:36 +01:00
release-notes-published chore(release-notes): Forgejo v14.0.3 [skip ci] (#11583) 2026-03-09 07:00:32 +01:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers [v15.0/forgejo] fix: compare branches with names diff or patch (#12233) 2026-04-23 01:28:54 +02:00
services [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 2026-04-29 05:28:56 +02:00
templates [v15.0/forgejo] fix: improve runner list and details view (#12130) 2026-04-15 22:07:25 +02:00
tests [v15.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12293) 2026-04-29 05:28:56 +02:00
tools chore: move backend-checks CI checks to Makefile: make pr-go (#11053) 2026-02-17 02:41:40 +01:00
web_src [v15.0/forgejo] Revert "Improve repo file list table semantics for screen readers (#12031)" (#12094) 2026-04-12 03:25:15 +02:00
.air.toml chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
.deadcode-out [v15.0/forgejo] fix: duplicate key violates unique constraint in concurrent debian package uploads (#11833) 2026-03-27 01:36:18 +01:00
.dockerignore fix: Dockerfile should re-use bindata files when possible 2025-06-13 14:00:57 +02:00
.editorconfig i18n(next): convert indention style to tabs: en, editorconfig (#10661) 2026-01-02 05:56:48 +01:00
.envrc.example Make direnv optional to let developers use their own direnv configuration 2024-11-06 20:34:49 +01:00
.gitattributes Add interface{} to any replacement to make fmt, exclude *.pb.go (#30461) 2024-04-15 20:01:36 +02:00
.gitignore chore: polish linter error vs. dead code reporting (#11217) 2026-03-20 07:06:09 +01:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 10:13:51 +02:00
.gitpod.yml Remove sqlite-viewer and using database client (#31223) 2024-06-09 11:13:39 +02:00
.golangci.yml [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
.ignore Add /options/license and /options/gitignore to .ignore (#30219) 2024-04-07 15:40:31 +02:00
.mailmap Add .mailmap with aliases for Unknwon (github.com/Unknwon) 2024-08-14 08:26:16 -04:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.node-version Update Node.js to v24.14.1 (forgejo) (#11805) 2026-03-25 06:47:24 +01:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.release-notes-assistant.yaml chore(release-notes): teach release-notes-assistant that v11.0 is LTS (#10638) 2025-12-30 10:00:22 +01:00
.spectral.yaml Add spectral linter for Swagger (#20321) 2022-07-11 18:07:16 -05:00
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile feat: Makefile & BSDmakefile changes (#7455) 2025-04-27 10:04:32 +00:00
CODEOWNERS chore: add @0xllx0 to federation codeowners (#10716) 2026-01-09 23:53:06 +01:00
CONTRIBUTING.md docs: replace Developer Guide link with the new Contributor Guide one. 2024-08-26 13:22:39 +03:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile Update data.forgejo.org/oci/golang Docker tag to v1.26 (forgejo) (#11662) 2026-03-13 08:17:21 +01:00
Dockerfile.rootless Update data.forgejo.org/oci/golang Docker tag to v1.26 (forgejo) (#11662) 2026-03-13 08:17:21 +01:00
eslint.config.mjs Update linters (forgejo) (#11627) 2026-03-12 18:27:43 +01:00
flake.lock chore: bump nixpkgs in flake.lock (#10128) 2025-11-16 01:18:26 +01:00
flake.nix refactor: Simplify flake.nix (#9805) 2025-10-22 19:09:11 +02:00
go.mod Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY] (v15.0/forgejo) (#12235) 2026-04-23 16:04:34 +02:00
go.sum Update module github.com/jackc/pgx/v5 to v5.9.2 [SECURITY] (v15.0/forgejo) (#12235) 2026-04-23 16:04:34 +02:00
LICENSE Forgejo v9.0 is GPLv3+ 2024-08-22 09:09:29 +02:00
main.go fix: do not mix urfave v2 with urfave v3 (#8168) 2025-06-12 15:38:03 +02:00
Makefile Update module github.com/golangci/golangci-lint/v2/cmd/golangci-lint to v2.11.4 (v15.0/forgejo) (#11948) 2026-04-02 03:29:58 +02:00
manifest.scm Add a GNU Guix manifest (#8038) 2025-06-03 08:08:17 +02:00
package-lock.json Update dependency postcss to v8.5.10 [SECURITY] (v15.0/forgejo) (#12255) 2026-04-24 19:56:09 +02:00
package.json Update dependency postcss to v8.5.10 [SECURITY] (v15.0/forgejo) (#12255) 2026-04-24 19:56:09 +02:00
playwright.config.ts chore: remove webkit and mobile safari from playwright (#10103) 2025-11-13 17:23:08 +01:00
README.md chore: fix a few typos in the documentation (#9134) 2025-09-04 01:53:40 +02:00
release-notes-assistant.sh chore: improve the wording of the "not worth a release note" category (#8542) 2025-07-18 07:19:15 +02:00
RELEASE-NOTES.md chore(release-notes): fix release notes of chroma update in v8.0.0 2025-10-05 17:10:38 +05:00
shell.nix chore: use interactive sqlite via nix (#10439) 2025-12-17 13:20:33 +01:00
stylelint.config.js Merge pull request 'Port "Enable declaration-block-no-redundant-longhand-properties (#30950)' (#3769) from beowulf/gitea-port-pull-30950 into forgejo 2024-05-14 22:23:54 +00:00
tailwind.config.js chore(ui): change /devtest to /-/demo (#11019) 2026-01-26 13:12:25 +01:00
tsconfig.json feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
vitest.config.ts feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
webpack.config.js chore(ui): change /devtest to /-/demo (#11019) 2026-01-26 13:12:25 +01:00

README.md

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of built-in functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

License

Forgejo is distributed under the terms of the GPL version 3.0 or any later version.

The agreement for this license was documented in June 2023 and implemented during the development of Forgejo v9.0. All Forgejo versions before v9.0 are distributed under the MIT license.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.