mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-22 12:54:53 -05:00
Commit graph

527 commits

Author SHA1 Message Date
Gusted
3e1b03838e
fix: ensure correct ssh public key is used for authentication
- The root cause is described in b4f1988a35
- Move to a fork of `github.com/gliderlabs/ssh` that exposes the
permissions that were chosen by `x/crypto/ssh` after successfully
authenticating; this is the recommended mitigation by the Golang
security team. The fork exposes this, since `gliderlabs/ssh` instead
relies on context values to do so, which is vulnerable to the same
attack; although partially mitigated by the fix in `x/crypto/ssh`, it
would not be good practice or defense in depth to rely on it.
- Existing tests cover that the functionality is preserved.
- No tests are added to ensure it fixes the described security issue; the
exploit relies on non-standard SSH behavior and it would be too hard to
craft SSH packets to exploit this.
2024-12-12 05:54:07 +01:00
Renovate Bot
3bca714bb2 Update github.com/grafana/go-json digest to a119ee5 2024-12-11 00:03:09 +00:00
Renovate Bot
2d259670c6 Update x/tools to v0.28.0 (forgejo) (#6190)
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-07 00:36:49 +00:00
Renovate Bot
2300141b84 Update module golang.org/x/net to v0.32.0 2024-12-06 02:03:26 +00:00
Renovate Bot
0c449f7b24 Update module golang.org/x/image to v0.23.0 2024-12-05 04:03:53 +00:00
Renovate Bot
67b25cb9e6 Update module golang.org/x/crypto to v0.30.0 2024-12-05 02:02:57 +00:00
Renovate Bot
4df855f37c Update module code.forgejo.org/go-chi/session to v1.0.1 (forgejo) (#6150)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6150
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-04 20:19:11 +00:00
Renovate Bot
91e4cf3744 Update module code.forgejo.org/go-chi/captcha to v1.0.1 (forgejo) (#6148)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6148
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-12-04 17:46:56 +00:00
Mathieu Fenniak
77fafbe578 Add a "summary card" to issues & PRs for consumption by OpenGraph clients (#6053)
## Overview

Hi all, I'm a first-time contributor to Forgejo.  I was looking for something interesting to contribute and the first thing that caught my attention was https://codeberg.org/forgejo/forgejo/issues/6043, a request for an enhancement to include "issue previews" when publishing links to social media platforms.  As a bit of background, the way these platforms work is that they search for meta tags in the posted link's content, and if they find a meta `og:image` (along with other meta tags) they'll pull the image to include in the social media post.  Forgejo currently provides an `og:image` tag but it just renders the repository or repository-owner's avatar.

This PR will render `og:image` for an issue or PR into a link to `{...}/summary-card`, which is a dynamically generated image that contains a summary of the issue.

## Design Notes

### Rendering / Rasterization

The tricky part of solving this problem is rendering an image that combines some text, some images, and some layout elements.  To address this, I've created a `card` module which allows for a handful of operations:
- Create a new rendered image (a "Card")
- Add a margin to a card
- Split the card, horizontally or vertically, into two pieces with a proportional layout (e.g. 70%/30%, as desired), each of which are "Cards" that render into the same root image
- Render text into a card, with line-wrapping and text-alignment capabilities
- Render an image onto a card
- Fetch an external image as safely as possible (for server-side fetch of Gravatar, etc.)

The card module can be reused to create `og:image` summary cards for any object in the future, although obviously its capabilities are limited.  The current implementation is on issues/PRs.

I considered a few alternative approaches before taking this approach, and here's why I rejected those options:
- Provide the summary card as an SVG object which could be rendered much more easily with a template file -- however, support for SVG isn't defined as positive for OpenGraph, and a quick look through some existing implementations suggest that it is not widely supported, if at all
- Rendering as HTML/CSS, or SVG, and then using an external tool to convert into a PNG (or other static) image -- this would be much nicer and easier to implement, but would require tying in some very heavy-weight dependencies
- Rendering using a more sophisticated graphics library, e.g. cairo -- also would be nicer and easier to implement, but again a heavy dependency for a small functionality

As a result of the limited capabilities of the new card module, summary cards don't have icons on them (which would require SVG rasterization) or pretty status badges with colors and rounded rects.  In the future if better drawing capabilities were added, the graphics could be improved, but it doesn't seem too important.

### External Avatars

In order to rasterize a user's avatar onto the summary card, it might have to be retrieved by the server from the external source (e.g. Gravatar).  A `fetchExternalImage` routine attempts to do this in the safest way possible to protect the server from any possible security exposure from this: (a) verifying that the content-types are acceptable, (b) ensuring that the file-size and image-size are within the safe bounds that are used for custom avatars, (c) using a very short timeout to avoid stalling the server if an external dependency is offline.

### Caching

Summary cards are cached after being rendered.  This has the downside of causing updates to statuses, avatars, titles, etc. to be stale on the summary card for the cache TTL.  However, during testing I found that some social media engines like Mastodon will cause the summary card to be accessed a significant number of times after being referenced by a post, causing a mini-tornado of requests.  The cache compensates for this to avoid server load in this situation.

### Scope

I'm considering out-of-scope:
- Summary cards on other objects (e.g. repos, users) can be left for future implementation

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Tests

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- ~~I added test coverage for JavaScript changes...~~ n/a, no JS changes
  - [x] ~~in `web_src/js/*.test.js` if it can be unit tested.~~
  - [x] ~~in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).~~
- Manual testing
  - [x] Access & attach screenshots of both an issue and a pull-request's summary card; see below
  - [x] Ensure reasonable (non-crash) behavior of rendering text with glyphs outside the font -- correctly rendered as replacement unicode chars
  - [x] Using a public test instance, verify that og:image behavior looks good on platforms like Mastodon and BlueSky
    - [x] Bluesky: 
    - [x] Mastodon:    (Note that the summary card will be requested many times as the post is federated; either each server, or each client, will fetch it itself)
    - [x] OpenGraph test site (https://www.opengraph.xyz/): 
    - [x] Discord: Looks OK ; needs "twitter:card" to be set to "summary_large_image" to display the large-scale image, but (a) that's probably annoying to use, (b) probably wrong because it doesn't match Twitter Card's spec for a "photographic image", and (c) don't want to encourage/continue use of vendor-specific tag
  - [x] Verify cases with user avatar missing (or autogen), and repo avatar missing (falls back to repo owner avatar)

Pull request summary card:
![image](/attachments/b64283e3-9a3c-4f19-9d00-961662ffe86b)

Issue summary card:
![image](/attachments/318ce589-02e0-493e-b10c-5b2cb2627db2)

(images to the right are the custom repo avatar, w/ fallback to the repo owner avatar)

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
  - OpenGraph capabilities are expected to work in the background without user awareness, and so there is no need for documentation to explain the capabilities for users.

### Release notes

- [ ] I do not want this change to show in the release notes.
- [x] I want the title to show in the release notes with a link to this pull request.
- [ ] I want the content of the `release-notes/<pull request number>.md` to be used for the release notes instead of the title.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6053
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2024-11-29 15:02:03 +00:00
Renovate Bot
8f0de303f3 Update module github.com/stretchr/testify to v1.10.0 2024-11-24 00:03:18 +00:00
Gusted
6d0f2c1b82 Merge pull request 'Update module google.golang.org/grpc to v1.68.0 (forgejo)' (#5969) from renovate/forgejo-google.golang.org-grpc-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5969
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-16 12:25:41 +00:00
Renovate Bot
66dfb2813c Update github.com/grafana/go-json digest to f14426c 2024-11-16 00:03:23 +00:00
Renovate Bot
cdc38ace39 Update module google.golang.org/grpc to v1.68.0 2024-11-15 02:03:08 +00:00
Renovate Bot
8206d509fc Update module code.forgejo.org/forgejo/act to v1.22.0 2024-11-14 02:03:09 +00:00
Renovate Bot
c0309ee367 Update module github.com/blevesearch/bleve/v2 to v2.4.3 2024-11-14 00:03:01 +00:00
Renovate Bot
58ee2386d7 Update module github.com/buildkite/terminal-to-html/v3 to v3.16.4 2024-11-12 02:04:00 +00:00
Gusted
d51847103d Merge pull request 'Update module golang.org/x/net to v0.31.0 (forgejo)' (#5890) from renovate/forgejo-golang.org-x-net-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5890
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-11-10 03:49:16 +00:00
Renovate Bot
b462351933 Update module golang.org/x/net to v0.31.0 2024-11-10 02:13:04 +00:00
Gusted
11667f07c5
chore: lazy-loaded version of goccy/go-json
- This uses a forked version of https://github.com/goccy/go-json, that
has [this pull request](https://github.com/goccy/go-json/pull/490)
applied. It reduces the heap memory usage by 8MiB (idle heap usage from
startup: 40126.59kB -> 32073.56kB). This should be generally safe to
replace as goccy/go-json doesn't see frequent updates and the other user
of this fork is grafana which is another big Go project.
- The only user of this library is minio, but having a configuration
with minio is not a common setup, AFAIK, so this is essentially wasted
memory for most Forgejo instances. Having it lazy-loaded solves that
problem.
2024-11-10 02:32:35 +01:00
Renovate Bot
71d3e4c317 Update module golang.org/x/crypto to v0.29.0 2024-11-10 00:03:52 +00:00
Renovate Bot
dffee135f8 Update module code.forgejo.org/go-chi/captcha to v1 (forgejo) (#5864)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5864
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-09 07:28:23 +00:00
Renovate Bot
5ab832ba87 Update module code.forgejo.org/go-chi/session to v1 (forgejo) (#5865)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5865
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-08 23:37:13 +00:00
Renovate Bot
bf69683df6 Update module code.forgejo.org/go-chi/cache to v1 (forgejo) (#5863)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5863
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-08 21:12:20 +00:00
Renovate Bot
d2a3eefcd0 Update module code.forgejo.org/go-chi/binding to v1 (forgejo) (#5862)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5862
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-08 17:43:48 +00:00
Gusted
310376525b
[CHORE] Use forked binding library
- Use the forked [binding](https://code.forgejo.org/go-chi/binding)
library. This library has two benefits: it removes the usage of
`github.com/goccy/go-json` (which has no benefit as the minio library is also
using it), and it adds the `TrimSpace` feature, which will, during the
binding part, trim the spaces around the value it got from the form; this
is done before validation.
2024-11-05 22:47:34 +01:00
Renovate Bot
2f8d502541 Update module github.com/gorilla/sessions to v1.4.0 2024-11-03 00:04:40 +00:00
Renovate Bot
370dbbc579 Update module github.com/yuin/goldmark to v1.7.8 2024-11-02 14:04:01 +00:00
Gusted
3f1f19865d Merge pull request 'Update module github.com/fsnotify/fsnotify to v1.8.0 (forgejo)' (#5775) from renovate/forgejo-github.com-fsnotify-fsnotify-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5775
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-11-02 11:41:37 +00:00
Renovate Bot
bd58136c5d Update module github.com/meilisearch/meilisearch-go to v0.29.0 (forgejo) (#5738)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5738
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Reviewed-by: Shiny Nematoda <snematoda@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-11-02 07:32:05 +00:00
Renovate Bot
71b3081e4d Update module github.com/fsnotify/fsnotify to v1.8.0 2024-11-02 02:04:39 +00:00
Renovate Bot
4764e17580 Update module code.forgejo.org/forgejo/act to v1.21.5 2024-11-01 00:03:59 +00:00
Renovate Bot
b597725fa0 Update module github.com/jhillyerd/enmime to v2 2024-10-23 06:04:11 +00:00
Renovate Bot
453b07706a Update module github.com/prometheus/client_golang to v1.20.5 2024-10-19 12:03:54 +00:00
Renovate Bot
dc5de38db0 Update code.forgejo.org/go-chi/session digest to 2a99226 2024-10-19 00:03:40 +00:00
Renovate Bot
dad18d985a Update module github.com/go-enry/go-enry/v2 to v2.9.1 2024-10-18 00:05:06 +00:00
Renovate Bot
d01393efd3 Update github.com/google/pprof digest to 017d972 2024-10-17 22:03:13 +00:00
Renovate Bot
0c146ddf72 Update module github.com/buildkite/terminal-to-html/v3 to v3.16.3 2024-10-16 02:05:17 +00:00
Gusted
42d6e67402 Merge pull request 'Update module github.com/caddyserver/certmagic to v0.21.4 (forgejo)' (#5453) from renovate/forgejo-github.com-caddyserver-certmagic-0.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5453
Reviewed-by: Otto <otto@codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-10-15 10:16:20 +00:00
Renovate Bot
10c6ac7779 Update module github.com/redis/go-redis/v9 to v9.6.2 (forgejo) (#5568)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5568
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
2024-10-15 07:07:59 +00:00
Renovate Bot
2fc96073a1 Update module github.com/urfave/cli/v2 to v2.27.5 2024-10-14 20:04:59 +00:00
Renovate Bot
a7a577281a Update module github.com/minio/minio-go/v7 to v7.0.78 2024-10-13 00:05:06 +00:00
Renovate Bot
283f94c85f Update module google.golang.org/grpc to v1.67.1 2024-10-10 08:03:23 +00:00
Earl Warren
6f7aee2b3e Merge pull request 'Update module google.golang.org/protobuf to v1.35.1 (forgejo)' (#5510) from renovate/forgejo-google.golang.org-protobuf-1.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5510
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-10-10 07:27:29 +00:00
Renovate Bot
dc93b843cd Update x/tools to v0.26.0 2024-10-10 06:03:14 +00:00
Renovate Bot
b1dcd28b7e Update module google.golang.org/protobuf to v1.35.1 2024-10-10 02:04:07 +00:00
Renovate Bot
5b25a882e0 Update module golang.org/x/image to v0.21.0 2024-10-09 02:03:22 +00:00
Renovate Bot
aad9e21f57 Update module github.com/mattn/go-sqlite3 to v1.14.24 2024-10-06 00:03:58 +00:00
Otto
2c4a3d6641 Merge pull request 'Remove some Windows-specific files' (#5353) from 0ko/forgejo:no-windows into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5353
Reviewed-by: Otto <otto@codeberg.org>
2024-10-04 14:03:07 +00:00
Renovate Bot
2bd9a253ed Update module github.com/caddyserver/certmagic to v0.21.4 2024-10-03 00:03:02 +00:00
Earl Warren
ffed8ac7b4 Merge pull request 'Update module github.com/minio/minio-go/v7 to v7.0.77 (forgejo)' (#5398) from renovate/forgejo-github.com-minio-minio-go-v7-7.x into forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/5398
Reviewed-by: Michael Kriese <michael.kriese@gmx.de>
2024-09-29 09:26:54 +00:00