Merge remote-tracking branch 'upstream/main' into sync-issue-pr-and-more

.spectral.yaml

@@ -0,0 +1,12 @@
+extends: [[spectral:oas, all]]
+
+rules:
+  info-contact: off
+  oas2-api-host: off
+  oas2-parameter-description: off
+  oas2-schema: off
+  oas2-valid-schema-example: off
+  openapi-tags: off
+  operation-description: off
+  operation-singular-tag: off
+  operation-tag-defined: off

CHANGELOG.md

@@ -4,9 +4,15 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
-## [1.16.9](https://github.com/go-gitea/gitea/releases/tag/v1.16.9) - 2022-06-21
+## [1.16.9](https://github.com/go-gitea/gitea/releases/tag/v1.16.9) - 2022-07-12
 
+* SECURITY
+  * Add write check for creating Commit status (#20332) (#20334)
+  * Check for permission when fetching user controlled issues (#20133) (#20196)
 * BUGFIXES
+  * Hide notify mail setting ui if not enabled (#20138) (#20337)
+  * Add write check for creating Commit status (#20332) (#20334)
+  * Only show Followers that current user can access (#20220) (#20253)
   * Release page show all tags in compare dropdown (#20070) (#20071)
   * Fix permission check for delete tag (#19985) (#20001)
   * Only log non ErrNotExist errors in git.GetNote  (#19884) (#19905)

Dockerfile.rootless

@@ -62,7 +62,7 @@ ENV GITEA_CUSTOM /var/lib/gitea/custom
 ENV GITEA_TEMP /tmp/gitea
 ENV TMPDIR /tmp/gitea
 
-#TODO add to docs the ability to define the ini to load (usefull to test and revert a config)
+#TODO add to docs the ability to define the ini to load (useful to test and revert a config)
 ENV GITEA_APP_INI /etc/gitea/app.ini
 ENV HOME "/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]

Makefile

@@ -312,6 +312,7 @@ lint: lint-frontend lint-backend
 lint-frontend: node_modules
 	npx eslint --color --max-warnings=0 web_src/js build templates *.config.js docs/assets/js
 	npx stylelint --color --max-warnings=0 web_src/less
+	npx spectral lint -q -F hint $(SWAGGER_SPEC)
 
 .PHONY: lint-backend
 lint-backend: golangci-lint vet editorconfig-checker
@@ -770,7 +771,7 @@ generate-manpage:
 	@mkdir -p man/man1/ man/man5
 	@./gitea docs --man > man/man1/gitea.1
 	@gzip -9 man/man1/gitea.1 && echo man/man1/gitea.1.gz created
-	@#TODO A smal script witch format config-cheat-sheet.en-us.md nicely to suit as config man page
+	@#TODO A small script that formats config-cheat-sheet.en-us.md nicely for use as a config man page
 
 .PHONY: pr\#%
 pr\#%: clean-all

README.md

@@ -102,7 +102,7 @@ NOTES:
 
 Translations are done through Crowdin. If you want to translate to a new language ask one of the managers in the Crowdin project to add a new language there. 
 
-You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope fo fill it as questions pop up.
+You can also just create an issue for adding a language or ask on discord on the #translation channel. If you need context or find some translation issues, you can leave a comment on the string or ask on Discord. For general translation questions there is a section in the docs. Currently a bit empty but we hope to fill it as questions pop up.
 
 https://docs.gitea.io/en-us/translation-guidelines/
 

cmd/manager.go

@@ -82,7 +82,7 @@ var (
 			},
 			cli.BoolFlag{
 				Name:  "no-system",
-				Usage: "Do not show system proceses",
+				Usage: "Do not show system processes",
 			},
 			cli.BoolFlag{
 				Name:  "stacktraces",

custom/conf/app.example.ini

@@ -2232,6 +2232,7 @@ ROUTER = console
 ;BLOCKED_DOMAINS =
 ;;
 ;; Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291 (false by default)
+;; If a domain is allowed by ALLOWED_DOMAINS, this option will be ignored.
 ;ALLOW_LOCALNETWORKS = false
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -1083,7 +1083,7 @@ Task queue configuration has been moved to `queue.task`. However, the below conf
 - `RETRY_BACKOFF`: **3**: Backoff time per http/https request retry (seconds)
 - `ALLOWED_DOMAINS`: **\<empty\>**: Domains allowlist for migrating repositories, default is blank. It means everything will be allowed. Multiple domains could be separated by commas. Wildcard is supported: `github.com, *.github.com`.
 - `BLOCKED_DOMAINS`: **\<empty\>**: Domains blocklist for migrating repositories, default is blank. Multiple domains could be separated by commas. When `ALLOWED_DOMAINS` is not blank, this option has a higher priority to deny domains. Wildcard is supported.
-- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291
+- `ALLOW_LOCALNETWORKS`: **false**: Allow private addresses defined by RFC 1918, RFC 1122, RFC 4632 and RFC 4291. If a domain is allowed by `ALLOWED_DOMAINS`, this option will be ignored.
 - `SKIP_TLS_VERIFY`: **false**: Allow skip tls verify
 
 ## Federation (`federation`)

docs/content/doc/advanced/config-cheat-sheet.zh-cn.md

@@ -346,7 +346,7 @@ ALLOW_DATA_URI_IMAGES = true
 - `ALLOW_DATA_URI_IMAGES`: **false** 允许 data uri 图片 (`<img src="data:image/png;base64,..."/>`)。
 
 多个净化规则可以被同时定义，只要section名称最后一位不重复即可。如： `[markup.sanitizer.TeX-2]`。
-为了针对一种渲染类型进行一个特殊的净化策略，必须使用形如 `[markup.sanitizer.asciidoc.rule-1]` 的方式来命名 seciton。
+为了针对一种渲染类型进行一个特殊的净化策略，必须使用形如 `[markup.sanitizer.asciidoc.rule-1]` 的方式来命名 section。
 如果此规则没有匹配到任何渲染类型，它将会被应用到所有的渲染类型。
 
 ## Time (`time`)

docs/content/doc/advanced/customizing-gitea.en-us.md

@@ -202,7 +202,7 @@ You can display STL file directly in Gitea by adding:
 
 to the file `templates/custom/footer.tmpl`
 
-You also need to download the content of the library [Madeleine.js](https://jinjunho.github.io/Madeleine.js/) and place it under `$GITEA_CUSTOM/public/` folder.
+You also need to download the content of the library [Madeleine.js](https://github.com/beige90/Madeleine.js) and place it under `$GITEA_CUSTOM/public/` folder.
 
 You should end-up with a folder structure similar to:
 

docs/content/doc/packages/nuget.en-us.md

@@ -23,7 +23,7 @@ Publish [NuGet](https://www.nuget.org/) packages for your user or organization.
 ## Requirements
 
 To work with the NuGet package registry, you can use command-line interface tools as well as NuGet features in various IDEs like Visual Studio.
-More informations about NuGet clients can be found in [the official documentation](https://docs.microsoft.com/en-us/nuget/install-nuget-client-tools).
+More information about NuGet clients can be found in [the official documentation](https://docs.microsoft.com/en-us/nuget/install-nuget-client-tools).
 The following examples use the `dotnet nuget` tool.
 
 ## Configuring the package registry

integrations/dump_restore_test.go

@@ -201,7 +201,7 @@ func (c *compareDump) assertEquals(repoBefore, repoAfter *repo_model.Repository)
 		"Assignees": {ignore: true}, // not implemented yet
 		"Head":      {nested: comparePullRequestBranch},
 		"Base":      {nested: comparePullRequestBranch},
-		"Labels":    {ignore: true}, // because org labels are not handled propery
+		"Labels":    {ignore: true}, // because org labels are not handled properly
 	}).([]*base.PullRequest)
 	assert.True(c.t, ok)
 	assert.GreaterOrEqual(c.t, len(prs), 1)

models/db/context.go

@@ -100,7 +100,7 @@ func TxContext() (*Context, Committer, error) {
 }
 
 // WithTx represents executing database operations on a transaction
-// you can optionally change the context to a parrent one
+// you can optionally change the context to a parent one
 func WithTx(f func(ctx context.Context) error, stdCtx ...context.Context) error {
 	parentCtx := DefaultContext
 	if len(stdCtx) != 0 && stdCtx[0] != nil {

models/issues/pull_list.go

@@ -62,7 +62,7 @@ func GetUnmergedPullRequestsByHeadInfo(repoID int64, branch string) ([]*PullRequ
 		Find(&prs)
 }
 
-// CanMaintainerWriteToBranch check whether user is a matainer and could write to the branch
+// CanMaintainerWriteToBranch check whether user is a maintainer and could write to the branch
 func CanMaintainerWriteToBranch(p access_model.Permission, branch string, user *user_model.User) bool {
 	if p.CanWrite(unit.TypeCode) {
 		return true

models/organization/team_repo.go

@@ -55,7 +55,7 @@ func GetTeamRepositories(ctx context.Context, opts *SearchTeamRepoOptions) ([]*r
 		Find(&repos)
 }
 
-// AddTeamRepo addes a repo for an organization's team
+// AddTeamRepo adds a repo for an organization's team
 func AddTeamRepo(ctx context.Context, orgID, teamID, repoID int64) error {
 	_, err := db.GetEngine(ctx).Insert(&TeamRepo{
 		OrgID:  orgID,

models/perm/access/access.go

@@ -86,7 +86,13 @@ func updateUserAccess(accessMap map[int64]*userAccess, user *user_model.User, mo
 // FIXME: do cross-comparison so reduce deletions and additions to the minimum?
 func refreshAccesses(ctx context.Context, repo *repo_model.Repository, accessMap map[int64]*userAccess) (err error) {
 	minMode := perm.AccessModeRead
-	if !repo.IsPrivate {
+	if err := repo.GetOwner(ctx); err != nil {
+		return fmt.Errorf("GetOwner: %v", err)
+	}
+
+	// If the repo isn't private and isn't owned by a organization,
+	// increase the minMode to Write.
+	if !repo.IsPrivate && !repo.Owner.IsOrganization() {
 		minMode = perm.AccessModeWrite
 	}
 

modules/charset/charset.go

@@ -23,7 +23,7 @@ import (
 // UTF8BOM is the utf-8 byte-order marker
 var UTF8BOM = []byte{'\xef', '\xbb', '\xbf'}
 
-// ToUTF8WithFallbackReader detects the encoding of content and coverts to UTF-8 reader if possible
+// ToUTF8WithFallbackReader detects the encoding of content and converts to UTF-8 reader if possible
 func ToUTF8WithFallbackReader(rd io.Reader) io.Reader {
 	buf := make([]byte, 2048)
 	n, err := util.ReadAtMost(rd, buf)
@@ -76,7 +76,7 @@ func ToUTF8WithErr(content []byte) (string, error) {
 	return string(result), err
 }
 
-// ToUTF8WithFallback detects the encoding of content and coverts to UTF-8 if possible
+// ToUTF8WithFallback detects the encoding of content and converts to UTF-8 if possible
 func ToUTF8WithFallback(content []byte) []byte {
 	bs, _ := io.ReadAll(ToUTF8WithFallbackReader(bytes.NewReader(content)))
 	return bs
@@ -191,7 +191,7 @@ func DetectEncoding(content []byte) (string, error) {
 			break
 		}
 
-		// Otherwise check if this results is earlier in the DetectedCharsetOrder than our current top guesss
+		// Otherwise check if this results is earlier in the DetectedCharsetOrder than our current top guess
 		resultPriority, resultHas := setting.Repository.DetectedCharsetScore[strings.ToLower(strings.TrimSpace(result.Charset))]
 		if resultHas && (!has || resultPriority < priority) {
 			topResult = result

modules/doctor/breaking.go

@@ -32,8 +32,8 @@ func iterateUserAccounts(ctx context.Context, each func(*user.User) error) error
 // Ref: https://github.com/go-gitea/gitea/pull/19085 & https://github.com/go-gitea/gitea/pull/17688
 func checkUserEmail(ctx context.Context, logger log.Logger, _ bool) error {
 	// We could use quirky SQL to get all users that start without a [a-zA-Z0-9], but that would mean
-	// DB provider-specific SQL and only works _now_. So instead we iterate trough all user accounts and
-	// use the user.ValidateEmail function to be future-proof.
+	// DB provider-specific SQL and only works _now_. So instead we iterate through all user accounts
+	// and use the user.ValidateEmail function to be future-proof.
 	var invalidUserCount int64
 	if err := iterateUserAccounts(ctx, func(u *user.User) error {
 		// Only check for users, skip

modules/hostmatcher/hostmatcher.go

@@ -125,14 +125,14 @@ func (hl *HostMatchList) checkIP(ip net.IP) bool {
 
 // MatchHostName checks if the host matches an allow/deny(block) list
 func (hl *HostMatchList) MatchHostName(host string) bool {
+	if hl == nil {
+		return false
+	}
+
 	hostname, _, err := net.SplitHostPort(host)
 	if err != nil {
 		hostname = host
 	}
-
-	if hl == nil {
-		return false
-	}
 	if hl.checkPattern(hostname) {
 		return true
 	}

modules/nosql/manager_leveldb.go

@@ -103,7 +103,7 @@ func (m *Manager) getLevelDB(connection string) (*leveldb.DB, error) {
 	db, ok = m.LevelDBConnections[dataDir]
 	if ok {
 		db.count++
-		log.Warn("Duplicate connnection to level db: %s with different connection strings. Initial connection: %s. This connection: %s", dataDir, db.name[0], connection)
+		log.Warn("Duplicate connection to level db: %s with different connection strings. Initial connection: %s. This connection: %s", dataDir, db.name[0], connection)
 		db.name = append(db.name, connection)
 		m.LevelDBConnections[connection] = db
 		return db.db, nil

modules/setting/database.go

@@ -156,6 +156,12 @@ func parsePostgreSQLHostPort(info string) (string, string) {
 	} else if len(info) > 0 {
 		host = info
 	}
+	if host == "" {
+		host = "127.0.0.1"
+	}
+	if port == "" {
+		port = "5432"
+	}
 	return host, port
 }
 
@@ -173,6 +179,7 @@ func getPostgreSQLConnectionString(dbHost, dbUser, dbPasswd, dbName, dbParam, db
 
 // ParseMSSQLHostPort splits the host into host and port
 func ParseMSSQLHostPort(info string) (string, string) {
+	// the default port "0" might be related to MSSQL's dynamic port, maybe it should be double-confirmed in the future
 	host, port := "127.0.0.1", "0"
 	if strings.Contains(info, ":") {
 		host = strings.Split(info, ":")[0]
@@ -183,5 +190,11 @@ func ParseMSSQLHostPort(info string) (string, string) {
 	} else if len(info) > 0 {
 		host = info
 	}
+	if host == "" {
+		host = "127.0.0.1"
+	}
+	if port == "" {
+		port = "0"
+	}
 	return host, port
 }

modules/web/middleware/locale.go

@@ -60,7 +60,7 @@ func SetLocaleCookie(resp http.ResponseWriter, lang string, expiry int) {
 }
 
 // DeleteLocaleCookie convenience function to delete the locale cookie consistently
-// Setting the lang cookie will trigger the middleware to reset the language ot previous state.
+// Setting the lang cookie will trigger the middleware to reset the language to previous state.
 func DeleteLocaleCookie(resp http.ResponseWriter) {
 	SetCookie(resp, "lang", "",
 		-1,

modules/web/routing/context.go

@@ -25,7 +25,7 @@ func UpdateFuncInfo(ctx context.Context, funcInfo *FuncInfo) {
 	record.lock.Unlock()
 }
 
-// MarkLongPolling marks the reuqest is a long-polling request, and the logger may output different message for it
+// MarkLongPolling marks the request is a long-polling request, and the logger may output different message for it
 func MarkLongPolling(resp http.ResponseWriter, req *http.Request) {
 	record, ok := req.Context().Value(contextKey).(*requestRecord)
 	if !ok {

options/gitignore/Bazel

@@ -6,7 +6,7 @@
 /bazel-*
 
 # Directories for the Bazel IntelliJ plugin containing the generated
-# IntelliJ project files and plugin configuration. Seperate directories are
+# IntelliJ project files and plugin configuration. Separate directories are
 # for the IntelliJ, Android Studio and CLion versions of the plugin.
 /.ijwb/
 /.aswb/

options/locale/locale_en-US.ini

@@ -932,7 +932,7 @@ form.name_pattern_not_allowed = The pattern '%s' is not allowed in a repository
 need_auth = Authorization
 migrate_options = Migration Options
 migrate_service = Migration Service
-migrate_options_mirror_helper = This repository will be a <span class="text blue">mirror</span>
+migrate_options_mirror_helper = This repository will be a mirror
 migrate_options_lfs = Migrate LFS files
 migrate_options_lfs_endpoint.label = LFS Endpoint
 migrate_options_lfs_endpoint.description = Migration will attempt to use your Git remote to <a target="_blank" rel="noopener noreferrer" href="%s">determine the LFS server</a>. You can also specify a custom endpoint if the repository LFS data is stored somewhere else.

options/locale/locale_pt-PT.ini

@@ -1303,6 +1303,7 @@ issues.previous=Anterior
 issues.next=Seguinte
 issues.open_title=Aberta
 issues.closed_title=Fechada
+issues.draft_title=Rascunho
 issues.num_comments=%d comentários
 issues.commented_at=`comentou <a href="#%s">%s</a>`
 issues.delete_comment_confirm=Tem a certeza que quer eliminar este comentário?

options/locale/locale_zh-CN.ini

@@ -861,7 +861,9 @@ default_branch=默认分支
 default_branch_helper=默认分支是用于合并请求和代码提交的基础分支。
 mirror_prune=修剪
 mirror_prune_desc=删除过时的远程跟踪引用
+mirror_interval=镜像间隔 (有效的时间单位是 'h', 'm', 's')。0 禁用自动定期同步 (最短间隔: %s)
 mirror_interval_invalid=镜像间隔无效。
+mirror_sync_on_commit=推送提交时同步
 mirror_address=从URL克隆
 mirror_address_desc=在授权框中输入必要的凭据。
 mirror_address_url_invalid=URL无效。请检查您所输入的URL是否正确。
@@ -1301,6 +1303,7 @@ issues.previous=上一页
 issues.next=下一页
 issues.open_title=开启中
 issues.closed_title=已关闭
+issues.draft_title=草稿
 issues.num_comments=%d 条评论
 issues.commented_at=`评论于 <a href="#%s">%s</a>`
 issues.delete_comment_confirm=您确定要删除该条评论吗？

package.json

@@ -45,6 +45,7 @@
   },
   "devDependencies": {
     "@happy-dom/jest-environment": "4.0.1",
+    "@stoplight/spectral-cli": "6.4.1",
     "eslint": "8.15.0",
     "eslint-plugin-html": "6.2.0",
     "eslint-plugin-import": "2.26.0",

routers/api/packages/composer/api.go

@@ -76,7 +76,7 @@ type PackageVersionMetadata struct {
 	Dist    Dist      `json:"dist"`
 }
 
-// Dist contains package download informations
+// Dist contains package download information
 type Dist struct {
 	Type     string `json:"type"`
 	URL      string `json:"url"`

routers/api/packages/conan/conan.go

@@ -429,14 +429,14 @@ func uploadFile(ctx *context.Context, fileFilter stringSet, fileKey string) {
 	ctx.Status(http.StatusCreated)
 }
 
-// DownloadRecipeFile serves the conent of the requested recipe file
+// DownloadRecipeFile serves the content of the requested recipe file
 func DownloadRecipeFile(ctx *context.Context) {
 	rref := ctx.Data[recipeReferenceKey].(*conan_module.RecipeReference)
 
 	downloadFile(ctx, recipeFileList, rref.AsKey())
 }
 
-// DownloadPackageFile serves the conent of the requested package file
+// DownloadPackageFile serves the content of the requested package file
 func DownloadPackageFile(ctx *context.Context) {
 	pref := ctx.Data[packageReferenceKey].(*conan_module.PackageReference)
 

routers/api/packages/rubygems/rubygems.go

@@ -37,7 +37,7 @@ func EnumeratePackages(ctx *context.Context) {
 	enumeratePackages(ctx, "specs.4.8", packages)
 }
 
-// EnumeratePackagesLatest serves the list of the lastest version of every package
+// EnumeratePackagesLatest serves the list of the latest version of every package
 func EnumeratePackagesLatest(ctx *context.Context) {
 	pvs, _, err := packages_model.SearchLatestVersions(ctx, &packages_model.PackageSearchOptions{
 		OwnerID: ctx.Package.Owner.ID,

routers/api/v1/api.go

@@ -1017,7 +1017,7 @@ func Routes() *web.Route {
 				}, mustAllowPulls, reqRepoReader(unit.TypeCode), context.ReferencesGitRepo())
 				m.Group("/statuses", func() {
 					m.Combo("/{sha}").Get(repo.GetCommitStatuses).
-						Post(reqToken(), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
+						Post(reqToken(), reqRepoWriter(unit.TypeCode), bind(api.CreateStatusOption{}), repo.NewCommitStatus)
 				}, reqRepoReader(unit.TypeCode))
 				m.Group("/commits", func() {
 					m.Get("", context.ReferencesGitRepo(), repo.GetAllCommits)

routers/api/v1/org/hook.go

@@ -100,7 +100,7 @@ func GetHook(ctx *context.APIContext) {
 
 // CreateHook create a hook for an organization
 func CreateHook(ctx *context.APIContext) {
-	// swagger:operation POST /orgs/{org}/hooks/ organization orgCreateHook
+	// swagger:operation POST /orgs/{org}/hooks organization orgCreateHook
 	// ---
 	// summary: Create a hook
 	// consumes:

routers/api/v1/swagger/options.go

@@ -107,9 +107,6 @@ type swaggerParameterBodies struct {
 	// in:body
 	EditUserOption api.EditUserOption
 
-	// in:body
-	MigrateRepoForm forms.MigrateRepoForm
-
 	// in:body
 	EditAttachmentOptions api.EditAttachmentOptions
 

routers/web/repo/pull.go

@@ -1440,7 +1440,7 @@ func UpdatePullRequestTarget(ctx *context.Context) {
 			err := err.(issues_model.ErrPullRequestAlreadyExists)
 
 			RepoRelPath := ctx.Repo.Owner.Name + "/" + ctx.Repo.Repository.Name
-			errorMessage := ctx.Tr("repo.pulls.has_pull_request", html.EscapeString(ctx.Repo.RepoLink+"/pulls/"+strconv.FormatInt(err.IssueID, 10)), html.EscapeString(RepoRelPath), err.IssueID) // FIXME: Creates url insidde locale string
+			errorMessage := ctx.Tr("repo.pulls.has_pull_request", html.EscapeString(ctx.Repo.RepoLink+"/pulls/"+strconv.FormatInt(err.IssueID, 10)), html.EscapeString(RepoRelPath), err.IssueID) // FIXME: Creates url inside locale string
 
 			ctx.Flash.Error(errorMessage)
 			ctx.JSON(http.StatusConflict, map[string]interface{}{

routers/web/repo/release.go

@@ -98,8 +98,8 @@ func releasesOrTags(ctx *context.Context, isTagList bool) {
 		listOptions.PageSize = setting.API.MaxResponseItems
 	}
 
-	// TODO(20073) tags are used for compare feature witch needs all tags
-	// filtering is doen at the client side atm
+	// TODO(20073) tags are used for compare feature which needs all tags
+	// filtering is done on the client-side atm
 	tagListStart, tagListEnd := 0, 0
 	if isTagList {
 		tagListStart, tagListEnd = listOptions.GetStartEnd()
@@ -514,12 +514,12 @@ func EditReleasePost(ctx *context.Context) {
 	ctx.Redirect(ctx.Repo.RepoLink + "/releases")
 }
 
-// DeleteRelease delete a release
+// DeleteRelease deletes a release
 func DeleteRelease(ctx *context.Context) {
 	deleteReleaseOrTag(ctx, false)
 }
 
-// DeleteTag delete a tag
+// DeleteTag deletes a tag
 func DeleteTag(ctx *context.Context) {
 	deleteReleaseOrTag(ctx, true)
 }

routers/web/web.go

@@ -85,7 +85,7 @@ func CorsHandler() func(next http.Handler) http.Handler {
 // for users that have already signed in.
 func buildAuthGroup() *auth_service.Group {
 	group := auth_service.NewGroup(
-		&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth realted routers
+		&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth related routers
 		&auth_service.Basic{},  // FIXME: this should be removed and only applied in download and git/lfs routers
 		&auth_service.Session{},
 	)

routers/web/webfinger.go

@@ -33,7 +33,7 @@ type webfingerLink struct {
 	Properties map[string]interface{} `json:"properties,omitempty"`
 }
 
-// WebfingerQuery returns informations about a resource
+// WebfingerQuery returns information about a resource
 // https://datatracker.ietf.org/doc/html/rfc7565
 func WebfingerQuery(ctx *context.Context) {
 	appURL, _ := url.Parse(setting.AppURL)

services/auth/source/oauth2/providers.go

@@ -35,7 +35,7 @@ type GothProvider interface {
 	GothProviderCreator
 }
 
-// ImagedProvider provide an overrided image setting for the provider
+// ImagedProvider provide an overridden image setting for the provider
 type ImagedProvider struct {
 	GothProvider
 	image string

services/migrations/gitea_uploader.go

@@ -7,7 +7,6 @@ package migrations
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -281,7 +280,7 @@ func (g *GiteaLocalUploader) CreateReleases(releases ...*base.Release) error {
 		// calc NumCommits if possible
 		if rel.TagName != "" {
 			commit, err := g.gitRepo.GetTagCommit(rel.TagName)
-			if !errors.Is(err, git.ErrNotExist{}) {
+			if !git.IsErrNotExist(err) {
 				if err != nil {
 					return fmt.Errorf("GetTagCommit[%v]: %v", rel.TagName, err)
 				}

services/migrations/migrate.go

@@ -84,7 +84,10 @@ func IsMigrateURLAllowed(remoteURL string, doer *user_model.User) error {
 
 	// some users only use proxy, there is no DNS resolver. it's safe to ignore the LookupIP error
 	addrList, _ := net.LookupIP(hostName)
+	return checkByAllowBlockList(hostName, addrList)
+}
 
+func checkByAllowBlockList(hostName string, addrList []net.IP) error {
 	var ipAllowed bool
 	var ipBlocked bool
 	for _, addr := range addrList {
@@ -93,12 +96,12 @@ func IsMigrateURLAllowed(remoteURL string, doer *user_model.User) error {
 	}
 	var blockedError error
 	if blockList.MatchHostName(hostName) || ipBlocked {
-		blockedError = &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
+		blockedError = &models.ErrInvalidCloneAddr{Host: hostName, IsPermissionDenied: true}
 	}
-	// if we have an allow-list, check the allow-list first
+	// if we have an allow-list, check the allow-list before return to get the more accurate error
 	if !allowList.IsEmpty() {
 		if !allowList.MatchHostName(hostName) && !ipAllowed {
-			return &models.ErrInvalidCloneAddr{Host: u.Host, IsPermissionDenied: true}
+			return &models.ErrInvalidCloneAddr{Host: hostName, IsPermissionDenied: true}
 		}
 	}
 	// otherwise, we always follow the blocked list
@@ -474,5 +477,7 @@ func Init() error {
 		allowList.AppendBuiltin(hostmatcher.MatchBuiltinPrivate)
 		allowList.AppendBuiltin(hostmatcher.MatchBuiltinLoopback)
 	}
+	// TODO: at the moment, if ALLOW_LOCALNETWORKS=false, ALLOWED_DOMAINS=domain.com, and domain.com has IP 127.0.0.1, then it's still allowed.
+	// if we want to block such case, the private&loopback should be added to the blockList when ALLOW_LOCALNETWORKS=false
 	return nil
 }

services/migrations/migrate_test.go

@@ -5,6 +5,7 @@
 package migrations
 
 import (
+	"net"
 	"path/filepath"
 	"testing"
 
@@ -74,3 +75,42 @@ func TestMigrateWhiteBlocklist(t *testing.T) {
 
 	setting.ImportLocalPaths = old
 }
+
+func TestAllowBlockList(t *testing.T) {
+	init := func(allow, block string, local bool) {
+		setting.Migrations.AllowedDomains = allow
+		setting.Migrations.BlockedDomains = block
+		setting.Migrations.AllowLocalNetworks = local
+		assert.NoError(t, Init())
+	}
+
+	// default, allow all external, block none, no local networks
+	init("", "", false)
+	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
+	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))
+
+	// allow all including local networks (it could lead to SSRF in production)
+	init("", "", true)
+	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
+	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))
+
+	// allow wildcard, block some subdomains. if the domain name is allowed, then the local network check is skipped
+	init("*.domain.com", "blocked.domain.com", false)
+	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
+	assert.NoError(t, checkByAllowBlockList("sub.domain.com", []net.IP{net.ParseIP("127.0.0.1")}))
+	assert.Error(t, checkByAllowBlockList("blocked.domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
+	assert.Error(t, checkByAllowBlockList("sub.other.com", []net.IP{net.ParseIP("1.2.3.4")}))
+
+	// allow wildcard (it could lead to SSRF in production)
+	init("*", "", false)
+	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
+	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))
+
+	// local network can still be blocked
+	init("*", "127.0.0.*", false)
+	assert.NoError(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("1.2.3.4")}))
+	assert.Error(t, checkByAllowBlockList("domain.com", []net.IP{net.ParseIP("127.0.0.1")}))
+
+	// reset
+	init("", "", false)
+}

templates/repo/issue/view_content/pull.tmpl

@@ -254,7 +254,7 @@
 
 				{{$notAllOverridableChecksOk := or .IsBlockedByApprovals .IsBlockedByRejection .IsBlockedByOfficialReviewRequests .IsBlockedByOutdatedBranch .IsBlockedByChangedProtectedFiles (and .EnableStatusCheck (not .RequiredStatusCheckState.IsSuccess))}}
 
-				{{/* admin can merge without checks, writer can merge when checkes succeed */}}
+				{{/* admin can merge without checks, writer can merge when checks succeed */}}
 				{{$canMergeNow := and (or $.IsRepoAdmin (not $notAllOverridableChecksOk)) (or (not .AllowMerge) (not .RequireSigned) .WillSign)}}
 				{{/* admin and writer both can make an auto merge schedule */}}
 

templates/repo/migrate/options.tmpl

@@ -3,7 +3,7 @@
 	<label>{{.locale.Tr "repo.migrate_options"}}</label>
 	<div class="ui checkbox">
 		<input id="mirror" name="mirror" type="checkbox" {{if .mirror}} checked{{end}}>
-		<label>{{.locale.Tr "repo.migrate_options_mirror_helper" | Safe}}</label>
+		<label>{{.locale.Tr "repo.migrate_options_mirror_helper"}}</label>
 	</div>
 </div>
 {{end}}

templates/swagger/v1_json.tmpl

@@ -1131,9 +1131,7 @@
             "$ref": "#/responses/HookList"
           }
         }
-      }
-    },
-    "/orgs/{org}/hooks/": {
+      },
       "post": {
         "consumes": [
           "application/json"
@@ -16078,12 +16076,6 @@
       },
       "x-go-package": "code.gitea.io/gitea/modules/structs"
     },
-    "GitServiceType": {
-      "description": "GitServiceType represents a git service",
-      "type": "integer",
-      "format": "int64",
-      "x-go-package": "code.gitea.io/gitea/modules/structs"
-    },
     "GitTreeResponse": {
       "description": "GitTreeResponse returns a git tree",
       "type": "object",
@@ -16473,94 +16465,6 @@
       "x-go-name": "MergePullRequestForm",
       "x-go-package": "code.gitea.io/gitea/services/forms"
     },
-    "MigrateRepoForm": {
-      "description": "MigrateRepoForm form for migrating repository\nthis is used to interact with web ui",
-      "type": "object",
-      "required": [
-        "clone_addr",
-        "uid",
-        "repo_name"
-      ],
-      "properties": {
-        "auth_password": {
-          "type": "string",
-          "x-go-name": "AuthPassword"
-        },
-        "auth_token": {
-          "type": "string",
-          "x-go-name": "AuthToken"
-        },
-        "auth_username": {
-          "type": "string",
-          "x-go-name": "AuthUsername"
-        },
-        "clone_addr": {
-          "type": "string",
-          "x-go-name": "CloneAddr"
-        },
-        "description": {
-          "type": "string",
-          "x-go-name": "Description"
-        },
-        "issues": {
-          "type": "boolean",
-          "x-go-name": "Issues"
-        },
-        "labels": {
-          "type": "boolean",
-          "x-go-name": "Labels"
-        },
-        "lfs": {
-          "type": "boolean",
-          "x-go-name": "LFS"
-        },
-        "lfs_endpoint": {
-          "type": "string",
-          "x-go-name": "LFSEndpoint"
-        },
-        "milestones": {
-          "type": "boolean",
-          "x-go-name": "Milestones"
-        },
-        "mirror": {
-          "type": "boolean",
-          "x-go-name": "Mirror"
-        },
-        "mirror_interval": {
-          "type": "string",
-          "x-go-name": "MirrorInterval"
-        },
-        "private": {
-          "type": "boolean",
-          "x-go-name": "Private"
-        },
-        "pull_requests": {
-          "type": "boolean",
-          "x-go-name": "PullRequests"
-        },
-        "releases": {
-          "type": "boolean",
-          "x-go-name": "Releases"
-        },
-        "repo_name": {
-          "type": "string",
-          "x-go-name": "RepoName"
-        },
-        "service": {
-          "$ref": "#/definitions/GitServiceType"
-        },
-        "uid": {
-          "type": "integer",
-          "format": "int64",
-          "x-go-name": "UID"
-        },
-        "wiki": {
-          "type": "boolean",
-          "x-go-name": "Wiki"
-        }
-      },
-      "x-go-package": "code.gitea.io/gitea/services/forms"
-    },
     "MigrateRepoOptions": {
       "description": "MigrateRepoOptions options for migrating repository's\nthis is used to interact with api v1",
       "type": "object",

web_src/js/features/repo-projects.js

@@ -192,7 +192,7 @@ function setLabelColor(label, color) {
 }
 
 /**
- * Inspired by W3C recommandation https://www.w3.org/TR/WCAG20/#relativeluminancedef
+ * Inspired by W3C recommendation https://www.w3.org/TR/WCAG20/#relativeluminancedef
  */
 function getRelativeColor(color) {
   color /= 255;

web_src/less/_dashboard.less

@@ -68,7 +68,7 @@
 
   .dashboard-repos,
   .dashboard-orgs {
-    margin: 0 1px; /* Accomodate for Semantic's 1px hacks on .attached elements */
+    margin: 0 1px; /* Accommodate for Semantic's 1px hacks on .attached elements */
   }
 
   .dashboard-navbar {