This change tightens relative URL validation to reject raw backslashes
and `%5c` (encoded backslash), since browsers and URL normalizers can
treat backslashes as path separators. That normalization can turn
seemingly relative paths into scheme-relative URLs, creating
open-redirect risk.
Visiting below URL to reproduce the problem.
http://localhost:3000/user/login?redirect_to=/a/../\example.comhttp://localhost:3000/user/login?redirect_to=/a/../%5cexample.com
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
## Summary
- Move `cors.X_FRAME_OPTIONS` to `security.X_FRAME_OPTIONS` (old
location still works with a deprecation warning)
- Support `"unset"` as a special value to remove the `X-Frame-Options`
header entirely
- Remove `X-Frame-Options` header from API responses (only set for
web/HTML responses)
## Migration
If you had customized `cors.X_FRAME_OPTIONS`, move it to the
`[security]` section. The old location is deprecated and will be removed
in a future release.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
The jobparser sub package in act is only used by Gitea. Move it to Gitea
to make it more easier to maintain.
---------
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
When display or search branch's pushed time, we should use
`updated_unix` rather than `commit_time`.
Fix#36633
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
Newbies often use the "Close with Comments" button instead of deleting
their comment. Icon should prevent mis-clicks.
---------
Co-authored-by: Yuriy.Khlynovskiy <yuriy.khlynovskiy@incomsystem.ru>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Based on my recent experience of both using AI tools and reviewing
AI-generated pull requests. Partially based on
https://typescript-eslint.io/contributing/ai-policy/.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
- Replace the e2e tests initialization with a simple bash script,
removing the previous Go harness.
- `make test-e2e` is the single entry point. It always starts a fully
isolated ephemeral Gitea instance with its own temp directory, SQLite
database, and config — no interference with the developer's running
instance.
- A separate `gitea-e2e` binary is built via `EXECUTABLE_E2E` using
`TEST_TAGS` (auto-includes sqlite with `CGO_ENABLED=1`), keeping the
developer's regular `gitea` binary untouched.
- No more split into database-specific e2e tests. Test timeouts are
strict, can be relaxed later if needed.
- Simplified and streamlined the playwright config and test files.
- Remove all output generation of playwright and all references to
visual testing.
- Tests run on Chrome locally, Chrome + Firefox on CI.
- Simplified CI workflow — visible separate steps for frontend, backend,
and test execution.
- All exported env vars use `GITEA_TEST_E2E_*` prefix.
- Use `GITEA_TEST_E2E_FLAGS` to pass flags to playwright, e.g.
`GITEA_TEST_E2E_FLAGS="--ui" make test-e2e` for UI mode or
`GITEA_TEST_E2E_FLAGS="--headed" make test-e2e` for headed mode.
- Use `GITEA_TEST_E2E_DEBUG=1 make test-e2e` to show Gitea server
output.
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This is the result of a full-repo review to look for `style` attributes
that can be replaced with tailwind or other methods. I will manually
validate later.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Workflows triggered by pull_request_review events (approved, rejected,
comment) complete successfully but never create a commit status on the
PR. This makes them invisible in the merge checks UI, breaking any CI
gate that re-evaluates on review submission.
The commit status handler's switch statement was missing the three
review event types, so they fell through to the default case which
returned empty strings. Additionally, review events use
PullRequestPayload but IsPullRequest() returns false for them (Event()
returns "pull_request_approved" etc. instead of "pull_request"), so
GetPullRequestEventPayload() refuses to parse their payload.
Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
Co-authored-by: silverwind <me@silverwind.io>
[`colord`](https://github.com/omgovich/colord) is significantly smaller
than [`tinycolor2`](https://github.com/bgrins/TinyColor) (~4KB vs ~29KB
minified) and ships its own TypeScript types, removing the need for
`@types/tinycolor2`.
Behaviour is exactly the same for our use cases. By using `.alpha(1)` we
force the function to always output 6-digit hex format (it would output
8-digit for non-opaque colors).
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Change `security-check` not break the build which is a major
inconvenience as it breaks CI on all PRs.
https://github.com/go-gitea/gitea/security/dependabot already provides a
clean overview of outstanding security issues in dependencies and I'm
using it all the time to find and update vulnerable dependencies.
This simplifies the Makefile by removing the whole-file wrapping that
creates a tempdir introduced by
https://github.com/go-gitea/gitea/pull/11126. REPO_TEST_DIR is removed
as well.
Also clean up a lot of legacy code: unnecessary XSS test, incorrect test
env init, unused "_old_uid" hack, etc
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fixes: https://github.com/go-gitea/gitea/issues/36612
This new setting controls which workflow directories are searched. The
default value matches the previous hardcoded behaviour.
This allows users for example to exclude `.github/workflows` from being
picked up by Actions in mirrored repositories by setting `WORKFLOW_DIRS
= .gitea/workflows`.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Rewrite `build/generate-go-licenses.go` to use `go list -m -json all`
and read license files directly from the Go module cache instead of
relying on the buggy `google/go-licenses` tool.
This removes the need for CGO, GOOS=linux, and the intermediate temp
directory, while being like 100 times faster than before:
```
$ rm assets/go-licenses.json && time make assets/go-licenses.json
go run build/generate-go-licenses.go assets/go-licenses.json
make assets/go-licenses.json 0.21s user 0.22s system 173% cpu 0.247 total
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
