mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-13 07:27:41 +00:00
f69e15afe7
Addresses a batch of privately reported security issues, grouped by area: - **SSRF** - migration PR-patch/asset fetches, OAuth2 avatar & OpenID discovery, pull-mirror URL re-validation, and the outbound proxy path. - **Access-token scope** - prevent scope escalation on token creation; keep public-only tokens confined (feeds, packages, Actions listings, star/watch lists, limited/private owners). - **Access control / disclosure** - go-get default-branch leak, webhook authorization-header leak, watch clearing on private transitions, label/attachment scoping. - **Denial of service** - input bounds for npm dist-tags, Debian control files, Arch file lists, and SSH keys. ### 📌 Attention for site admins Not breaking - existing configs keep working - but two changes are worth a look: - **New SSRF protection** Outbound requests (migrations, OAuth2 avatars, OpenID discovery, pull mirrors, proxy path) are now validated against the allow/block host lists. If your instance legitimately reaches internal hosts, you may need to add them to `[security].ALLOWED_HOST_LIST` (and the relevant `ALLOW_LOCALNETWORKS` settings). - **Deprecation** `[webhook].ALLOWED_HOST_LIST` is deprecated and will be removed in a future release. Use `[security].ALLOWED_HOST_LIST` instead; the old key still works for now. --------- Co-authored-by: TheFox0x7 <thefox0x7@gmail.com> Co-authored-by: techknowlogick <techknowlogick@gitea.io> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Zettat123 <zettat123@gmail.com>
54 lines
1.5 KiB
Go
54 lines
1.5 KiB
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package setting
|
|
|
|
import (
|
|
"net/url"
|
|
|
|
"gitea.dev/modules/log"
|
|
)
|
|
|
|
// Webhook settings
|
|
var Webhook = struct {
|
|
QueueLength int
|
|
DeliverTimeout int
|
|
SkipTLSVerify bool
|
|
AllowedHostList string
|
|
Types []string
|
|
PagingNum int
|
|
ProxyURL string
|
|
ProxyURLFixed *url.URL
|
|
ProxyHosts []string
|
|
}{
|
|
QueueLength: 1000,
|
|
DeliverTimeout: 5,
|
|
SkipTLSVerify: false,
|
|
PagingNum: 10,
|
|
ProxyURL: "",
|
|
ProxyHosts: []string{},
|
|
}
|
|
|
|
func loadWebhookFrom(rootCfg ConfigProvider) {
|
|
sec := rootCfg.Section("webhook")
|
|
Webhook.QueueLength = sec.Key("QUEUE_LENGTH").MustInt(1000)
|
|
Webhook.DeliverTimeout = sec.Key("DELIVER_TIMEOUT").MustInt(5)
|
|
Webhook.SkipTLSVerify = sec.Key("SKIP_TLS_VERIFY").MustBool()
|
|
|
|
deprecatedSetting(rootCfg, "webhook", "ALLOWED_HOST_LIST", "security", "ALLOWED_HOST_LIST", "v28.0.0")
|
|
Webhook.AllowedHostList = sec.Key("ALLOWED_HOST_LIST").MustString(Security.AllowedHostList)
|
|
|
|
Webhook.Types = []string{"gitea", "gogs", "slack", "discord", "dingtalk", "telegram", "msteams", "feishu", "matrix", "wechatwork", "packagist"}
|
|
Webhook.PagingNum = sec.Key("PAGING_NUM").MustInt(10)
|
|
Webhook.ProxyURL = sec.Key("PROXY_URL").MustString("")
|
|
if Webhook.ProxyURL != "" {
|
|
var err error
|
|
Webhook.ProxyURLFixed, err = url.Parse(Webhook.ProxyURL)
|
|
if err != nil {
|
|
log.Error("Webhook PROXY_URL is not valid")
|
|
Webhook.ProxyURL = ""
|
|
}
|
|
}
|
|
Webhook.ProxyHosts = sec.Key("PROXY_HOSTS").Strings(",")
|
|
}
|