go mod tidy

# Conflicts:
#	.github/workflows/go.yml
#	internal/assets/templates/templates_gen.go

.github/workflows/docker.yml

@@ -0,0 +1,212 @@
+name: Docker
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - 'Dockerfile'
+      - 'docker/**'
+      - '.github/workflows/docker.yml'
+  release:
+    types: [ published ]
+
+jobs:
+  buildx:
+    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
+      packages: write
+    steps:
+      - name: Canel previous runs
+        uses: styfle/cancel-workflow-action@0.9.1
+        with:
+          all_but_latest: true
+          access_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push images
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            gogs/gogs:latest
+            ghcr.io/gogs/gogs:latest
+      - name: Send email on failure
+        uses: dawidd6/action-send-mail@v3
+        if: ${{ failure() }}
+        with:
+          server_address: smtp.mailgun.org
+          server_port: 465
+          username: ${{ secrets.SMTP_USERNAME }}
+          password: ${{ secrets.SMTP_PASSWORD }}
+          subject: GitHub Actions (${{ github.repository }}) job result
+          to: github-actions-8ce6454@unknwon.io
+          from: GitHub Actions (${{ github.repository }})
+          reply_to: noreply@unknwon.io
+          body: |
+            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
+
+            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+  buildx-pull-request:
+    if: ${{ github.event_name == 'pull_request' && github.repository == 'gogs/gogs' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Compute short commit SHA
+        uses: benjlevesque/short-sha@v1.2
+      - name: Build and push images
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: |
+            gogs/gogs:commit-${{ env.SHA }}
+
+  buildx-pull-request-fork:
+    if: ${{ github.event_name == 'pull_request' && github.repository != 'gogs/gogs' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Build images
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64
+
+  buildx-release:
+    if: ${{ github.event_name == 'release' }}
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: read
+      packages: write
+    steps:
+      - name: Compute image tag name
+        run: echo "IMAGE_TAG=$(echo $GITHUB_REF_NAME | cut -c 2-)" >> $GITHUB_ENV
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v1
+        with:
+          config-inline: |
+            [worker.oci]
+              max-parallelism = 2
+      - name: Inspect builder
+        run: |
+          echo "Name:      ${{ steps.buildx.outputs.name }}"
+          echo "Endpoint:  ${{ steps.buildx.outputs.endpoint }}"
+          echo "Status:    ${{ steps.buildx.outputs.status }}"
+          echo "Flags:     ${{ steps.buildx.outputs.flags }}"
+          echo "Platforms: ${{ steps.buildx.outputs.platforms }}"
+      - name: Login to Docker Hub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push images
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: true
+          tags: |
+            gogs/gogs:${{ env.IMAGE_TAG }}
+            ghcr.io/gogs/gogs:${{ env.IMAGE_TAG }}
+      - name: Send email on failure
+        uses: dawidd6/action-send-mail@v3
+        if: ${{ failure() }}
+        with:
+          server_address: smtp.mailgun.org
+          server_port: 465
+          username: ${{ secrets.SMTP_USERNAME }}
+          password: ${{ secrets.SMTP_PASSWORD }}
+          subject: GitHub Actions (${{ github.repository }}) job result
+          to: github-actions-8ce6454@unknwon.io
+          from: GitHub Actions (${{ github.repository }})
+          reply_to: noreply@unknwon.io
+          body: |
+            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
+
+            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/go.yml

@@ -6,9 +6,15 @@ on:
       - 'release/**'
     paths:
       - '**.go'
+      - 'go.mod'
+      - '.golangci.yml'
+      - '.github/workflows/go.yml'
   pull_request:
     paths:
       - '**.go'
+      - 'go.mod'
+      - '.golangci.yml'
+      - '.github/workflows/go.yml'
 env:
   GOPROXY: "https://proxy.golang.org"
 
@@ -17,37 +23,66 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout code
+        uses: actions/checkout@v2
       - name: Run golangci-lint
-        uses: actions-contrib/golangci-lint@v1
+        uses: golangci/golangci-lint-action@v2
         with:
-          args: 'run --timeout=30m'
+          version: latest
+          args: --timeout=30m
+      - name: Install Task
+        uses: arduino/setup-task@v1
+      - name: Install go-bindata
+        shell: bash
+        run: |
+          curl --silent --location --output /usr/local/bin/go-bindata https://github.com/kevinburke/go-bindata/releases/download/v3.23.0/go-bindata-linux-amd64
+          chmod +x /usr/local/bin/go-bindata
+      - name: Check Go module tidiness
+        shell: bash
+        run: |
+          go mod tidy
+          STATUS=$(git status --porcelain)
+          if [ ! -z "$STATUS" ]; then
+            echo "Unstaged files:"
+            echo $STATUS
+            echo "Run 'go mod tidy' and commit them"
+            exit 1
+          fi
 
   test:
     name: Test
     strategy:
       matrix:
-        go-version: [1.14.x, 1.15.x]
-        platform: [ubuntu-latest, macos-latest, windows-latest]
+        go-version: [ 1.14.x, 1.15.x, 1.16.x, 1.17.x, 1.18.x ]
+        platform: [ ubuntu-latest, macos-latest, windows-latest ]
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Install Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v2
         with:
           go-version: ${{ matrix.go-version }}
       - name: Checkout code
         uses: actions/checkout@v2
-      - name: Run unit tests
+      - name: Run tests with coverage
         run: go test -v -race -coverprofile=coverage -covermode=atomic ./...
       - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v1.0.6
+        uses: codecov/codecov-action@v1.5.0
         with:
           file: ./coverage
           flags: unittests
-      - name: Cache downloaded modules
-        uses: actions/cache@v1
+      - name: Send email on failure
+        uses: dawidd6/action-send-mail@v3
+        if: ${{ failure() && github.event_name == 'push' && github.ref == 'refs/heads/main' }}
         with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
+          server_address: smtp.mailgun.org
+          server_port: 465
+          username: ${{ secrets.SMTP_USERNAME }}
+          password: ${{ secrets.SMTP_PASSWORD }}
+          subject: GitHub Actions (${{ github.repository }}) job result
+          to: github-actions-8ce6454@unknwon.io
+          from: GitHub Actions (${{ github.repository }})
+          reply_to: noreply@unknwon.io
+          body: |
+            The job "${{ github.job }}" of ${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }} completed with "${{ job.status }}".
+
+            View the job run at: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/lsif.yml

@@ -1,11 +1,19 @@
 name: LSIF
-on: [push]
+on:
+  push:
+    paths:
+      - '**.go'
+      - 'go.mod'
+      - '.github/workflows/lsif.yml'
+env:
+  GOPROXY: "https://proxy.golang.org"
+
 jobs:
   lsif-go:
     if: github.repository == 'gogs/gogs'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
       - name: Generate LSIF data
         uses: sourcegraph/lsif-go-action@master
       - name: Upload LSIF data to sourcegraph.com

.github/workflows/shell.yml

@@ -1,13 +1,14 @@
 name: Shell
 on:
   push:
-    branches: [master]
+    branches: [ main ]
   pull_request:
+
 jobs:
   shellcheck:
     name: Shellcheck
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v2
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master

.gitignore

@@ -16,3 +16,4 @@ output*
 *.sublime-project
 *.sublime-workspace
 /release
+.task

.golangci.yml

@@ -0,0 +1,21 @@
+linters-settings:
+  nakedret:
+    max-func-lines: 0 # Disallow any unnamed return statement
+
+linters:
+  enable:
+    - deadcode
+    - errcheck
+    - gosimple
+    - govet
+    - ineffassign
+    - staticcheck
+    - structcheck
+    - typecheck
+    - unused
+    - varcheck
+    - nakedret
+    - gofmt
+    - rowserrcheck
+    - unconvert
+    - goimports

CHANGELOG.md

@@ -7,6 +7,10 @@ All notable changes to Gogs are documented in this file.
 ### Added
 
 - An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. [#5733](https://github.com/gogs/gogs/issues/5733)
+- New configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315)
+- New configuration option `[server] SSH_SERVER_MACS` for setting list of accepted MACs for connections to builtin SSH server. [#6434](https://github.com/gogs/gogs/issues/6434)
+- Support specifying custom schema for PostgreSQL. [#6695](https://github.com/gogs/gogs/pull/6695)
+- New languages support: Mongolian. [#6510](https://github.com/gogs/gogs/pull/6510)
 
 ### Changed
 
@@ -16,33 +20,45 @@ All notable changes to Gogs are documented in this file.
 
 ### Fixed
 
-- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314)
-- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319)
-- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339)
-- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289)
-- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316)
-- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300)
-- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files.
+- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409)
+- _Regression:_ Fixed smart links for issues stops rendering. [#6506](https://github.com/gogs/gogs/issues/6506)
+- _Security:_ Potential SSRF attack by CRLF injection via repository migration. [#6413](https://github.com/gogs/gogs/issues/6413)
 
 ### Removed
 
 - ⚠️ Migrations before 0.12 are removed, installations not on 0.12 should upgrade to it to run the migrations and then upgrade to 0.13.
-- Configuration section `[mailer]` is no longer used.
-- Configuration section `[service]` is no longer used.
-- Configuration option `APP_NAME` is no longer used.
-- Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is no longer used.
-- Configuration option `[database] PASSWD` is no longer used.
-- Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is no longer used.
-- Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is no longer used.
-- Configuration option `[auth] ENABLE_CAPTCHA` is no longer used.
-- Configuration option `[auth] ENABLE_NOTIFY_MAIL` is no longer used.
-- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is no longer used.
-- Configuration option `[session] GC_INTERVAL_TIME` is no longer used.
-- Configuration option `[session] SESSION_LIFE_TIME` is no longer used.
-- Configuration option `[server] ROOT_URL` is no longer used.
-- Configuration option `[server] LANDING_PAGE` is no longer used.
-- Configuration option `[database] DB_TYPE` is no longer used.
-- Configuration option `[database] PASSWD` is no longer used.
+- Configuration section `[mailer]` is no longer used, please use `[email]`.
+- Configuration section `[service]` is no longer used, please use `[auth]`.
+- Configuration option `APP_NAME` is no longer used, please use `BRAND_NAME`.
+- Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is no longer used, please use `[auth] REVERSE_PROXY_AUTHENTICATION_HEADER`.
+- Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is no longer used, please use `[auth] ACTIVATE_CODE_LIVES`.
+- Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is no longer used, please use `[auth] RESET_PASSWORD_CODE_LIVES`.
+- Configuration option `[auth] ENABLE_CAPTCHA` is no longer used, please use `[auth] ENABLE_REGISTRATION_CAPTCHA`.
+- Configuration option `[auth] ENABLE_NOTIFY_MAIL` is no longer used, please use `[user] ENABLE_EMAIL_NOTIFICATION`.
+- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is no longer used, please use `[auth] REQUIRE_EMAIL_CONFIRMATION`.
+- Configuration option `[session] GC_INTERVAL_TIME` is no longer used, please use `[session] GC_INTERVAL`.
+- Configuration option `[session] SESSION_LIFE_TIME` is no longer used, please use `[session] MAX_LIFE_TIME`.
+- Configuration option `[server] ROOT_URL` is no longer used, please use `[server] EXTERNAL_URL`.
+- Configuration option `[server] LANDING_PAGE` is no longer used, please use `[server] LANDING_URL`.
+- Configuration option `[database] DB_TYPE` is no longer used, please use `[database] TYPE`.
+- Configuration option `[database] PASSWD` is no longer used, please use `[database] PASSWORD`.
+
+## 0.12.3
+
+### Fixed
+
+- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316)
+- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300)
+- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files.
+
+## 0.12.2
+
+### Fixed
+
+- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314)
+- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319)
+- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339)
+- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289)
 
 ## 0.12.1
 
@@ -81,6 +97,7 @@ All notable changes to Gogs are documented in this file.
 - Configuration section `[service]` is deprecated and will end support in 0.13.0, please start using `[auth]`.
 - Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] ACTIVATE_CODE_LIVES`.
 - Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] RESET_PASSWORD_CODE_LIVES`.
+- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is deprecated and will end support in 0.13.0, please start using `[auth] REQUIRE_EMAIL_CONFIRMATION`.
 - Configuration option `[auth] ENABLE_CAPTCHA` is deprecated and will end support in 0.13.0, please start using `[auth] ENABLE_REGISTRATION_CAPTCHA`.
 - Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`.
 - Configuration option `[session] GC_INTERVAL_TIME` is deprecated and will end support in 0.13.0, please start using `[session] GC_INTERVAL`.

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:alpine3.11 AS binarybuilder
+FROM golang:alpine3.14 AS binarybuilder
 RUN apk --no-cache --no-progress add --virtual \
   build-deps \
   build-base \
@@ -7,11 +7,18 @@ RUN apk --no-cache --no-progress add --virtual \
 
 WORKDIR /gogs.io/gogs
 COPY . .
-RUN make build-no-gen TAGS="cert pam"
+RUN make build TAGS="cert pam"
 
-FROM alpine:3.11
-ADD https://github.com/tianon/gosu/releases/download/1.11/gosu-amd64 /usr/sbin/gosu
-RUN chmod +x /usr/sbin/gosu \
+FROM alpine:3.14
+RUN if [ `uname -m` == "aarch64" ] ; then \
+      export arch="arm64" ; \
+  elif [ `uname -m` == "armv7l" ] ; then \
+      export arch="armhf"; \
+  else \
+      export arch="amd64" ; \
+  fi \
+  && wget https://github.com/tianon/gosu/releases/download/1.11/gosu-$arch -O /usr/sbin/gosu \
+  && chmod +x /usr/sbin/gosu \
   && echo http://dl-2.alpinelinux.org/alpine/edge/community/ >> /etc/apk/repositories \
   && apk --no-cache --no-progress add \
   bash \
@@ -28,7 +35,7 @@ RUN chmod +x /usr/sbin/gosu \
 
 ENV GOGS_CUSTOM /data/gogs
 
-# Configure LibC Name Service
+# Configure LibC Name Service
 COPY docker/nsswitch.conf /etc/nsswitch.conf
 
 WORKDIR /app/gogs
@@ -37,7 +44,7 @@ COPY --from=binarybuilder /gogs.io/gogs/gogs .
 
 RUN ./docker/finalize.sh
 
-# Configure Docker Container
+# Configure Docker Container
 VOLUME ["/data", "/backup"]
 EXPOSE 22 3000
 ENTRYPOINT ["/app/gogs/docker/start.sh"]

Makefile

@@ -5,8 +5,6 @@ CONF_FILES := $(shell find conf | sed 's/ /\\ /g')
 TEMPLATES_FILES := $(shell find templates | sed 's/ /\\ /g')
 PUBLIC_FILES := $(shell find public | sed 's/ /\\ /g')
 LESS_FILES := $(wildcard public/less/*.less)
-ASSETS_GENERATED := internal/assets/conf/conf_gen.go internal/assets/templates/templates_gen.go internal/assets/public/public_gen.go
-GENERATED := $(ASSETS_GENERATED) public/css/gogs.min.css
 
 TAGS = ""
 BUILD_FLAGS = "-v"
@@ -28,10 +26,7 @@ dist: release
 web: build
 	./gogs web
 
-build: $(GENERATED)
-	go build $(BUILD_FLAGS) -ldflags '$(LDFLAGS)' -tags '$(TAGS)' -trimpath -o gogs
-
-build-no-gen:
+build:
 	go build $(BUILD_FLAGS) -ldflags '$(LDFLAGS)' -tags '$(TAGS)' -trimpath -o gogs
 
 pack:
@@ -42,22 +37,10 @@ pack:
 
 release: build pack
 
-generate: clean $(ASSETS_GENERATED)
-
-internal/assets/conf/conf_gen.go: $(CONF_FILES)
-	-rm -f $@
+generate: clean
 	go generate internal/assets/conf/conf.go
-	gofmt -s -w $@
-
-internal/assets/templates/templates_gen.go: $(TEMPLATES_FILES)
-	-rm -f $@
 	go generate internal/assets/templates/templates.go
-	gofmt -s -w $@
-
-internal/assets/public/public_gen.go: $(PUBLIC_FILES)
-	-rm -f $@
 	go generate internal/assets/public/public.go
-	gofmt -s -w $@
 
 less: clean public/css/gogs.min.css
 

Taskfile.yml

@@ -0,0 +1,91 @@
+version: '3'
+
+vars:
+  BINARY_EXT:
+    sh: echo '{{if eq OS "windows"}}.exe{{end}}'
+
+tasks:
+  web:
+    desc: Build the binary and start the web server.
+    deps: [build]
+    cmds:
+      - ./gogs web
+
+  build:
+    desc: Build the binary.
+    cmds:
+      - go build -v
+        -ldflags '
+        -X "{{.PKG_PATH}}.BuildTime={{.BUILD_TIME}}"
+        -X "{{.PKG_PATH}}.BuildCommit={{.BUILD_COMMIT}}"
+        '
+        -tags '{{.TAGS}}'
+        -trimpath -o gogs{{.BINARY_EXT}}
+    vars:
+      PKG_PATH: gogs.io/gogs/internal/conf
+      BUILD_TIME:
+        sh: date -u '+%Y-%m-%d %I:%M:%S %Z'
+      BUILD_COMMIT:
+        sh: git rev-parse HEAD
+    sources:
+      - gogs.go
+      - internal/**/*.go
+
+  generate-bindata:
+    desc: Generate bindata for all assets.
+    deps: [clean]
+    cmds:
+      - go generate internal/assets/conf/conf.go
+      - go generate internal/assets/templates/templates.go
+      - go generate internal/assets/public/public.go
+
+  generate-schemadoc:
+    desc: Generate database schema documentation.
+    cmds:
+      - go generate ./internal/db/schemadoc
+
+  generate:
+    desc: Run all go:generate commands.
+    deps: [generate-bindata, generate-schemadoc]
+
+  test:
+    desc: Run all tests.
+    cmds:
+      - go test -cover -race ./...
+
+  clean:
+    desc: Cleans up system meta files for code generation.
+    cmds:
+      - find . -name "*.DS_Store" -type f -delete
+
+  release:
+    desc: Build the binary and pack resources to a ZIP file.
+    deps: [build]
+    cmds:
+      - rm -rf {{.RELEASE_GOGS}}
+      - mkdir -p {{.RELEASE_GOGS}}
+      - cp -r gogs{{.BINARY_EXT}} LICENSE README.md README_ZH.md scripts {{.RELEASE_GOGS}}
+      - cd {{.RELEASE_ROOT}} && zip -r gogs.$(NOW).zip "gogs"
+    vars:
+      RELEASE_ROOT: release
+      RELEASE_GOGS: release/gogs
+
+  less:
+    desc: Generate CSS from LESS files.
+    cmds:
+      - lessc --clean-css --source-map "public/less/gogs.less" public/css/gogs.min.css
+
+  fixme:
+    desc: Show all occurrences of "FIXME".
+    cmds:
+      - grep -rnw "FIXME" internal
+
+  todo:
+    desc: Show all occurrences of "TODO".
+    cmds:
+      - grep -rnw "TODO" internal
+
+  legacy:
+    desc: Identify legacy and deprecated lines.
+    cmds:
+      - grep -rnw "\(LEGACY\|Deprecated\)" internal

conf/app.ini

@@ -169,6 +169,8 @@ COOKIE_SECURE = false
 ENABLE_LOGIN_STATUS_COOKIE = false
 ; The cookie name to store user login status.
 LOGIN_STATUS_COOKIE_NAME = login_status
+; A comma separated list of hostnames that are explicitly allowed to be accessed within the local network.
+LOCAL_NETWORK_ALLOWLIST =
 
 [email]
 ; Whether to enable the email service.

conf/locale/locale_en-US.ini

@@ -1242,6 +1242,7 @@ config.security.cookie_secure = Enable secure cookie
 config.security.reverse_proxy_auth_user = Reverse proxy authentication header
 config.security.enable_login_status_cookie = Enable login status cookie
 config.security.login_status_cookie_name = Login status cookie
+config.security.local_network_allowlist = Local network allowlist
 
 config.email_config = Email configuration
 config.email.enabled = Enabled

docker/Dockerfile.aarch64

@@ -1,44 +0,0 @@
-FROM arm64v8/golang:1.14-alpine3.11 AS binarybuilder
-RUN apk --no-cache --no-progress add --virtual \
-  build-deps \
-  build-base \
-  git \
-  linux-pam-dev
-
-WORKDIR /gogs.io/gogs
-COPY . .
-RUN make build-no-gen TAGS="cert pam"
-
-FROM arm64v8/alpine:3.11
-ADD https://github.com/tianon/gosu/releases/download/1.11/gosu-arm64 /usr/sbin/gosu
-RUN chmod +x /usr/sbin/gosu \
-  && echo http://dl-2.alpinelinux.org/alpine/edge/community/ >> /etc/apk/repositories \
-  && apk --no-cache --no-progress add \
-  bash \
-  ca-certificates \
-  curl \
-  git \
-  linux-pam \
-  openssh \
-  s6 \
-  shadow \
-  socat \
-  tzdata \
-  rsync
-
-ENV GOGS_CUSTOM /data/gogs
-
-# Configure LibC Name Service
-COPY docker/nsswitch.conf /etc/nsswitch.conf
-
-WORKDIR /app/gogs
-COPY docker ./docker
-COPY --from=binarybuilder /gogs.io/gogs/gogs .
-
-RUN ./docker/finalize.sh
-
-# Configure Docker Container
-VOLUME ["/data", "/backup"]
-EXPOSE 22 3000
-ENTRYPOINT ["/app/gogs/docker/start.sh"]
-CMD ["/bin/s6-svscan", "/app/gogs/docker/s6/"]

docker/Dockerfile.rpi

@@ -1,4 +1,4 @@
-FROM arm32v7/golang:1.14-alpine3.11 AS binarybuilder
+FROM arm32v7/golang:1.14-alpine3.14 AS binarybuilder
 RUN apk --no-cache --no-progress add --virtual \
   build-deps \
   build-base \
@@ -7,11 +7,11 @@ RUN apk --no-cache --no-progress add --virtual \
 
 WORKDIR /gogs.io/gogs
 COPY . .
-RUN make build-no-gen TAGS="cert pam"
+RUN make build TAGS="cert pam"
 
-FROM arm32v7/alpine:3.11
-ADD https://github.com/tianon/gosu/releases/download/1.12/gosu-armhf /usr/sbin/gosu
-RUN chmod +x /usr/sbin/gosu \
+FROM arm32v7/alpine:3.14
+RUN wget https://github.com/tianon/gosu/releases/download/1.12/gosu-armhf -O /usr/sbin/gosu \
+  && chmod +x /usr/sbin/gosu \
   && echo http://dl-2.alpinelinux.org/alpine/edge/community/ >> /etc/apk/repositories \
   && apk --no-cache --no-progress add \
   bash \
@@ -28,7 +28,7 @@ RUN chmod +x /usr/sbin/gosu \
 
 ENV GOGS_CUSTOM /data/gogs
 
-# Configure LibC Name Service
+# Configure LibC Name Service
 COPY docker/nsswitch.conf /etc/nsswitch.conf
 
 WORKDIR /app/gogs
@@ -37,8 +37,9 @@ COPY --from=binarybuilder /gogs.io/gogs/gogs .
 
 RUN ./docker/finalize.sh
 
-# Configure Docker Container
+# Configure Docker Container
 VOLUME ["/data", "/backup"]
 EXPOSE 22 3000
+HEALTHCHECK CMD (nc -z -w 3 localhost 22 && curl -o /dev/null -sS http://localhost:3000/healthcheck) || exit 1
 ENTRYPOINT ["/app/gogs/docker/start.sh"]
 CMD ["/bin/s6-svscan", "/app/gogs/docker/s6/"]

docker/README.md

@@ -1,8 +1,8 @@
 # Docker for Gogs
 
-![Docker pulls](https://img.shields.io/docker/pulls/gogs/gogs?logo=docker&style=for-the-badge) ![Docker image size](https://img.shields.io/microbadger/image-size/gogs/gogs?logo=docker&style=for-the-badge)
+![Docker pulls](https://img.shields.io/docker/pulls/gogs/gogs?logo=docker&style=for-the-badge)
 
-Visit [Docker Hub](https://hub.docker.com/u/gogs) see all available images and tags.
+Visit [Docker Hub](https://hub.docker.com/u/gogs) or [GitHub Container registry](https://github.com/gogs/gogs/pkgs/container/gogs) to see all available images and tags.
 
 ## Usage
 
@@ -18,13 +18,13 @@ $ docker pull gogs/gogs
 $ mkdir -p /var/gogs
 
 # Use `docker run` for the first time.
-$ docker run --name=gogs -p 10022:22 -p 10080:3000 -v /var/gogs:/data gogs/gogs
+$ docker run --name=gogs -p 10022:22 -p 10880:3000 -v /var/gogs:/data gogs/gogs
 
 # Use `docker start` if you have stopped it.
 $ docker start gogs
 ```
 
-Note: It is important to map the Gogs ssh service from the container to the host and set the appropriate SSH Port and URI settings when setting up Gogs for the first time. To access and clone Gogs Git repositories with the above configuration you would use: `git clone ssh://git@hostname:10022/username/myrepo.git` for example.
+Note: It is important to map the SSH service from the container to the host and set the appropriate SSH Port and URI settings when setting up Gogs for the first time. To access and clone Git repositories with the above configuration you would use: `git clone ssh://git@hostname:10022/username/myrepo.git` for example.
 
 Files will be store in local path `/var/gogs` in my case.
 
@@ -40,50 +40,38 @@ Directory `/var/gogs` keeps Git repositories and Gogs data:
         |-- data
         |-- log
 
-#### Custom Directory
+#### Custom directory
 
 The "custom" directory may not be obvious in Docker environment. The `/var/gogs/gogs` (in the host) and `/data/gogs` (in the container) is already the "custom" directory and you do not need to create another layer but directly edit corresponding files under this directory.
 
-### Volume With Data Container
-
-If you're more comfortable with mounting data to a data container, the commands you execute at the first time will look like as follows:
-
-```sh
-# Create data container
-docker run --name=gogs-data --entrypoint /bin/true gogs/gogs
-
-# Use `docker run` for the first time.
-docker run --name=gogs --volumes-from gogs-data -p 10022:22 -p 10080:3000 gogs/gogs
-```
-
-#### Using Docker 1.9 Volume Command
+#### Using Docker volumes
 
 ```sh
 # Create docker volume.
 $ docker volume create --name gogs-data
 
 # Use `docker run` for the first time.
-$ docker run --name=gogs -p 10022:22 -p 10080:3000 -v gogs-data:/data gogs/gogs
+$ docker run --name=gogs -p 10022:22 -p 10880:3000 -v gogs-data:/data gogs/gogs
 ```
 
 ## Settings
 
 ### Application
 
-Most of settings are obvious and easy to understand, but there are some settings can be confusing by running Gogs inside Docker:
+Most of the settings are obvious and easy to understand, but there are some settings can be confusing by running Gogs inside Docker:
 
 - **Repository Root Path**: keep it as default value `/home/git/gogs-repositories` because `start.sh` already made a symbolic link for you.
 - **Run User**: keep it as default value `git` because `finalize.sh` already setup a user with name `git`.
 - **Domain**: fill in with Docker container IP (e.g. `192.168.99.100`). But if you want to access your Gogs instance from a different physical machine, please fill in with the hostname or IP address of the Docker host machine.
 - **SSH Port**: Use the exposed port from Docker container. For example, your SSH server listens on `22` inside Docker, **but** you expose it by `10022:22`, then use `10022` for this value. **Builtin SSH server is not recommended inside Docker Container**
-- **HTTP Port**: Use port you want Gogs to listen on inside Docker container. For example, your Gogs listens on `3000` inside Docker, **and** you expose it by `10080:3000`, but you still use `3000` for this value.
-- **Application URL**: Use combination of **Domain** and **exposed HTTP Port** values (e.g. `http://192.168.99.100:10080/`).
+- **HTTP Port**: Use port you want Gogs to listen on inside Docker container. For example, your Gogs listens on `3000` inside Docker, **and** you expose it by `10880:3000`, but you still use `3000` for this value.
+- **Application URL**: Use combination of **Domain** and **exposed HTTP Port** values (e.g. `http://192.168.99.100:10880/`).
 
-Full documentation of application settings can be found [here](https://github.com/gogs/gogs/blob/master/conf/app.ini).
+Full documentation of application settings can be found [here](https://github.com/gogs/gogs/blob/main/conf/app.ini).
 
-### Container Options
+### Container options
 
-This container have some options available via environment variables, these options are opt-in features that can help the administration of this container:
+This container has some options available via environment variables, these options are opt-in features that can help the administration of this container:
 
 - **SOCAT_LINK**:
   - <u>Possible value:</u>
@@ -135,7 +123,8 @@ This container have some options available via environment variables, these opti
       Used by backup system. If defined, supplies `--exclude-repos` argument to `gogs backup`.\
       See: [Backup System](#backup-system)
 
-## Backup System
+## Backup system
+
 Automated backups with retention policy:
 
 - `BACKUP_INTERVAL` controls how often the backup job runs and supports interval in hours (h), days (d), and months (M), eg. `3h`, `7d`, `3M`. The lowest possible value is one hour (`1h`).
@@ -152,10 +141,10 @@ Steps to upgrade Gogs with Docker:
 - `docker rm gogs`
 - Finally, create a container for the first time and don't forget to do the same for the volume and port mapping.
 
-## Known Issues
+## Known issues
 
 - The docker container cannot currently be built on Raspberry 1 (armv6l) as our base image `alpine` does not have a `go` package available for this platform.
 
-## Useful Links
+## Useful links
 
 - [Share port 22 between Gogs inside Docker & the local system](http://www.ateijelo.com/blog/2016/07/09/share-port-22-between-docker-gogs-ssh-and-local-system)

docker/runtime/backup-init.sh

@@ -30,7 +30,9 @@ parse_generate_cron_expression() {
 	CRON_EXPR_DAYS="*"
 	CRON_EXPR_MONTHS="*"
 
+    # shellcheck disable=SC2001
 	TIME_INTERVAL=$(echo "${BACKUP_INTERVAL}" | sed -e 's/[hdM]$//')
+    # shellcheck disable=SC2001
 	TIME_UNIT=$(echo "${BACKUP_INTERVAL}" | sed -e 's/^[0-9]\+//')
 
 	if [ "${TIME_UNIT}" = "h" ]; then
@@ -74,7 +76,9 @@ parse_generate_cron_expression() {
 parse_generate_retention_expression() {
 	FIND_TIME_EXPR='mtime'
 
+	# shellcheck disable=SC2001
 	TIME_INTERVAL=$(echo "${BACKUP_RETENTION}" | sed -e 's/[mhdM]$//')
+	# shellcheck disable=SC2001
 	TIME_UNIT=$(echo "${BACKUP_RETENTION}" | sed -e 's/^[0-9]\+//')
 
 	if [ "${TIME_UNIT}" = "m" ]; then

docker/runtime/backup-rotator.sh

@@ -17,10 +17,11 @@ main() {
 	fi
 
 	if [ ! -d "${BACKUP_PATH}" ]; then
-	  echo "Error: BACKUP_PATH does't exist or is not a directory" 1>&2
+	  echo "Error: BACKUP_PATH doesn't exist or is not a directory" 1>&2
 		exit 1
 	fi
 
+	# shellcheck disable=SC2086
 	find "${BACKUP_PATH}/" -type f -name "gogs-backup-*.zip" -${FIND_EXPRESSION} -print -exec rm "{}" +
 }
 

docker/s6/.s6-svscan/finish

@@ -1,5 +1,5 @@
 #!/bin/sh
 
 # Cleanup SOCAT services and s6 event folder
-rm -rf $(find /app/gogs/docker/s6/ -name 'event')
+rm -rf "$(find /app/gogs/docker/s6/ -name 'event')"
 rm -rf /app/gogs/docker/s6/SOCAT_*

docker/s6/crond/run

@@ -3,6 +3,7 @@
 # The default configuration is also calling all the scripts in /etc/periodic/${period}
 
 if test -f ./setup; then
+    # shellcheck disable=SC2039,SC1091,SC3046
     source ./setup
 fi
 

docker/s6/gogs/run

@@ -1,7 +1,8 @@
 #!/bin/sh
 
 if test -f ./setup; then
+    # shellcheck disable=SC2039,SC1091,SC3046
     source ./setup
 fi
 
-exec gosu $USER /app/gogs/gogs web
+exec gosu "$USER" /app/gogs/gogs web

docker/s6/gogs/setup

@@ -1,16 +1,16 @@
 #!/bin/sh
 
 if ! test -d ~git/.ssh; then
-    gosu $USER mkdir -p ~git/.ssh
+    gosu "$USER" mkdir -p ~git/.ssh
     chmod 700 ~git/.ssh
 fi
 
 if ! test -f ~git/.ssh/environment; then
-    gosu $USER echo "GOGS_CUSTOM=${GOGS_CUSTOM}" > ~git/.ssh/environment
+    gosu "$USER" echo "GOGS_CUSTOM=${GOGS_CUSTOM}" > ~git/.ssh/environment
     chmod 600 ~git/.ssh/environment
 fi
 
-cd /app/gogs
+cd /app/gogs || exit 1
 
 # Link volumed data with app data
 ln -sfn /data/gogs/log  ./log

docker/s6/openssh/run

@@ -1,6 +1,7 @@
 #!/bin/sh
 
 if test -f ./setup; then
+    # shellcheck disable=SC2039,SC1091,SC3046
     source ./setup
 fi
 

docker/s6/openssh/setup

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-# Check if host keys are present, else create them
+# Check if host keys are present, else create them
 if ! test -f /data/ssh/ssh_host_rsa_key; then
     ssh-keygen -q -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
 fi
@@ -17,7 +17,7 @@ if ! test -f /data/ssh/ssh_host_ed25519_key; then
     ssh-keygen -q -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
 fi
 
-# Set correct right to ssh keys
+# Set correct right to ssh keys
 chown -R root:root /data/ssh/*
 chmod 0700 /data/ssh
 chmod 0600 /data/ssh/*

docker/s6/syslogd/run

@@ -1,6 +1,7 @@
 #!/bin/sh
 
 if test -f ./setup; then
+    # shellcheck disable=SC2039,SC1091,SC3046
     source ./setup
 fi
 

docker/start.sh

@@ -3,17 +3,18 @@
 create_socat_links() {
     # Bind linked docker container to localhost socket using socat
     USED_PORT="3000:22"
-    while read NAME ADDR PORT; do
+    while read -r NAME ADDR PORT; do
         if test -z "$NAME$ADDR$PORT"; then
             continue
         elif echo $USED_PORT | grep -E "(^|:)$PORT($|:)" > /dev/null; then
             echo "init:socat  | Can't bind linked container ${NAME} to localhost, port ${PORT} already in use" 1>&2
         else
             SERV_FOLDER=/app/gogs/docker/s6/SOCAT_${NAME}_${PORT}
-            mkdir -p ${SERV_FOLDER}
+            mkdir -p "${SERV_FOLDER}"
             CMD="socat -ls TCP4-LISTEN:${PORT},fork,reuseaddr TCP4:${ADDR}:${PORT}"
-            echo -e "#!/bin/sh\nexec $CMD" > ${SERV_FOLDER}/run
-            chmod +x ${SERV_FOLDER}/run
+            # shellcheck disable=SC2039,SC3037
+            echo -e "#!/bin/sh\nexec $CMD" > "${SERV_FOLDER}"/run
+            chmod +x "${SERV_FOLDER}"/run
             USED_PORT="${USED_PORT}:${PORT}"
             echo "init:socat  | Linked container ${NAME} will be binded to localhost on port ${PORT}" 1>&2
         fi
@@ -23,20 +24,24 @@ EOT
 }
 
 cleanup() {
-    # Cleanup SOCAT services and s6 event folder
+    # Cleanup SOCAT services and s6 event folder
     # On start and on shutdown in case container has been killed
-    rm -rf $(find /app/gogs/docker/s6/ -name 'event')
+    rm -rf "$(find /app/gogs/docker/s6/ -name 'event')"
     rm -rf /app/gogs/docker/s6/SOCAT_*
 }
 
 create_volume_subfolder() {
-    # Modify the owner of /data dir, make $USER(git) user have permission to create sub-dir in /data.
-    chown -R $USER:$USER /data
+    # only change ownership if needed, if using an nfs mount this could be expensive
+    if [ "$USER:$USER" != "$(stat /data -c '%U:%G')" ]
+    then
+        # Modify the owner of /data dir, make $USER(git) user have permission to create sub-dir in /data.
+        chown -R "$USER:$USER" /data
+    fi
 
     # Create VOLUME subfolder
     for f in /data/gogs/data /data/gogs/conf /data/gogs/log /data/git /data/ssh; do
         if ! test -d $f; then
-            gosu $USER mkdir -p $f
+            gosu "$USER" mkdir -p $f
         fi
     done
 }
@@ -54,19 +59,19 @@ cleanup
 create_volume_subfolder
 
 LINK=$(echo "$SOCAT_LINK" | tr '[:upper:]' '[:lower:]')
-if [ "$LINK" = "false" -o "$LINK" = "0" ]; then
+if [ "$LINK" = "false" ] || [ "$LINK" = "0" ]; then
     echo "init:socat  | Will not try to create socat links as requested" 1>&2
 else
     create_socat_links
 fi
 
 CROND=$(echo "$RUN_CROND" | tr '[:upper:]' '[:lower:]')
-if [ "$CROND" = "true" -o "$CROND" = "1" ]; then
+if [ "$CROND" = "true" ] || [ "$CROND" = "1" ]; then
     echo "init:crond  | Cron Daemon (crond) will be run as requested by s6" 1>&2
     rm -f /app/gogs/docker/s6/crond/down
     /bin/sh /app/gogs/docker/runtime/backup-init.sh "${PUID}"
 else
-    # Tell s6 not to run the crond service
+    # Tell s6 not to run the crond service
     touch /app/gogs/docker/s6/crond/down
 fi
 

docs/dev/local_development.md

@@ -153,6 +153,8 @@ You would have to re-run this command after changing Go files, or any file under
 When you are actively working on HTML templates and static files during development, you may want to enable the following configuration to avoid recompiling and restarting Gogs every time you make a change to files under `template/` and `public/` directories:
 
 ```ini
+RUN_MODE = dev
+
 [server]
 LOAD_ASSETS_FROM_DISK = true
 ```

go.mod

@@ -28,7 +28,7 @@ require (
 	github.com/issue9/identicon v1.0.1
 	github.com/jaytaylor/html2text v0.0.0-20190408195923-01ec452cbe43
 	github.com/jinzhu/gorm v1.9.12
-	github.com/json-iterator/go v1.1.10
+	github.com/json-iterator/go v1.1.12
 	github.com/klauspost/compress v1.8.6 // indirect
 	github.com/klauspost/cpuid v1.2.1 // indirect
 	github.com/lib/pq v1.3.0 // indirect
@@ -58,6 +58,7 @@ require (
 	github.com/urfave/cli v1.22.4
 	golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975
 	golang.org/x/net v0.0.0-20191014212845-da9a3fd4c582
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 	golang.org/x/text v0.3.3
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect

go.sum

@@ -17,6 +17,7 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
+github.com/bgentry/speakeasy v0.1.0 h1:ByYyxL9InA1OWqxJqqp2A5pYHUrCiAL6K3J+LKSsQkY=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
@@ -47,6 +48,7 @@ github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFP
 github.com/editorconfig/editorconfig-core-go/v2 v2.3.2 h1:j9GLz0kWF9+1T3IX0MOhhvzLtqhFOvIKLhZFxtY95Qc=
 github.com/editorconfig/editorconfig-core-go/v2 v2.3.2/go.mod h1:+u4rFiKVvlbukHyJM76GYXqQcnHScxvQCuKpMLRtJVw=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
+github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0 h1:8xPHl4/q1VyqGIPif1F+1V3Y3lSmrq01EabUW3CoW5s=
@@ -78,6 +80,7 @@ github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a h1:9wScpmSP5A3Bk8V3XHWUcJmYTh+ZnlHVyc+A4oZYS3Y=
 github.com/go-xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a/go.mod h1:56xuuqnHyryaerycW3BfssRdxQstACi0Epw/yC5E2xM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -85,14 +88,13 @@ github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561 h1:aBzukfDxQlCTVS0NBU
 github.com/gogs/chardet v0.0.0-20150115103509-2404f7772561/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14 h1:yXtpJr/LV6PFu4nTLgfjQdcMdzjbqqXMEnHfq0Or6p8=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14/go.mod h1:jPoNZLWDAqA5N3G5amEoiNbhVrmM+ZQEcnQvNQ2KaZk=
-github.com/gogs/git-module v1.1.1 h1:/taoHtOHLorlmQJ7zLBQvJGGgM9LRIoGGH1et4Upzvo=
-github.com/gogs/git-module v1.1.1/go.mod h1:oN37FFStFjdnTJXsSbhIHKJXh2YeDsEcXPATVz/oeuQ=
 github.com/gogs/git-module v1.1.2 h1:30jO+rKEmCDk/O6Mnl7MVrw6rI1qLDByXpkRB+bpYwM=
 github.com/gogs/git-module v1.1.2/go.mod h1:oN37FFStFjdnTJXsSbhIHKJXh2YeDsEcXPATVz/oeuQ=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4 h1:C7NryI/RQhsIWwC2bHN601P1wJKeuQ6U/UCOYTn3Cic=
 github.com/gogs/go-gogs-client v0.0.0-20200128182646-c69cb7680fd4/go.mod h1:fR6z1Ie6rtF7kl/vBYMfgD5/G5B1blui7z426/sj2DU=
 github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0 h1:K02vod+sn3M1OOkdqi2tPxN2+xESK4qyITVQ3JkGEv4=
 github.com/gogs/go-libravatar v0.0.0-20191106065024-33a75213d0a0/go.mod h1:Zas3BtO88pk1cwUfEYlvnl/CRwh0ybDxRWSwRjG8I3w=
+github.com/gogs/minwinsvc v0.0.0-20170301035411-95be6356811a h1:8DZwxETOVWIinYxDK+i6L+rMb7eGATGaakD6ZucfHVk=
 github.com/gogs/minwinsvc v0.0.0-20170301035411-95be6356811a/go.mod h1:TUIZ+29jodWQ8Gk6Pvtg4E09aMsc3C/VLZiVYfUhWQU=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
@@ -114,6 +116,7 @@ github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Z
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
@@ -125,6 +128,7 @@ github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OI
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c h1:7lF+Vz0LqiRidnzC1Oq86fpX1q/iEv2KJdrCtttYjT4=
 github.com/gopherjs/gopherjs v0.0.0-20190430165422-3e4dfb77656c/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
@@ -132,6 +136,7 @@ github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl
 github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/issue9/assert v1.3.1 h1:L8pRpbnzMIPFJqrMKR/oG03uWrtVeZyYBpI2U2Jx1JE=
 github.com/issue9/assert v1.3.1/go.mod h1:9Ger+iz8X7r1zMYYwEhh++2wMGWcNN2oVI+zIQXxcio=
 github.com/issue9/identicon v1.0.1 h1:pCDfjMDM6xWK0Chxo8Lif+ST/nOEtmXgMITgV1YA9Og=
 github.com/issue9/identicon v1.0.1/go.mod h1:UKNVkUFI68RPz/RlLhsAr1aX6bBSaYEWRHVfdjrMUmk=
@@ -142,14 +147,15 @@ github.com/jinzhu/gorm v1.9.12 h1:Drgk1clyWT9t9ERbzHza6Mj/8FY/CqMyVzOiHviMo6Q=
 github.com/jinzhu/gorm v1.9.12/go.mod h1:vhTjlKSJUTWNtcbQtrMBFCxy7eXTzeCAzfL5fBZT/Qs=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/now v1.0.1 h1:HjfetcXq097iXP0uoPCdnM4Efp5/9MsM0/M+XOTeR3M=
 github.com/jinzhu/now v1.0.1/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/json-iterator/go v1.1.9 h1:9yzud/Ht36ygwatGx56VwCZtlI/2AD15T1X2sjSuGns=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
-github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
-github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
@@ -159,8 +165,10 @@ github.com/klauspost/cpuid v1.2.1 h1:vJi+O/nMdFt0vqm8NZBI6wzALWdA2X+egi0ogNyrC/w
 github.com/klauspost/cpuid v1.2.1/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.1/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -188,16 +196,15 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5
 github.com/mcuadros/go-version v0.0.0-20190308113854-92cdf37c5b75/go.mod h1:76rfSfYPWj01Z85hUf/ituArm797mNKcvINh1OlsZKo=
 github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 h1:YocNLcTBdEdvY3iDK6jfWXvEaM5OCKkjxPKoJRdB3Gg=
 github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2/go.mod h1:76rfSfYPWj01Z85hUf/ituArm797mNKcvINh1OlsZKo=
-github.com/microcosm-cc/bluemonday v1.0.2 h1:5lPfLTTAvAbtS0VqT+94yOtFnGfUWYyx0+iToC3Os3s=
-github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc=
 github.com/microcosm-cc/bluemonday v1.0.4 h1:p0L+CTpo/PLFdkoPcJemLXG+fpMD7pYOoDEq1axMbGg=
 github.com/microcosm-cc/bluemonday v1.0.4/go.mod h1:8iwZnFn2CDDNZ0r6UXhF4xawGvzaqzCRa1n3/lO3W2w=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.1 h1:9f412s+6RmYXLWZSEzVVgPGK7C2PphHj5RJrvfx9AWI=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/msteinert/pam v0.0.0-20190215180659-f29b9f28d6f9 h1:ZivaaKmjs9q90zi6I4gTLW6tbVGtlBjellr3hMYaly0=
 github.com/msteinert/pam v0.0.0-20190215180659-f29b9f28d6f9/go.mod h1:np1wUFZ6tyoke22qDJZY40URn9Ae51gX7ljIWXN5TJs=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -247,6 +254,7 @@ github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNue
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca h1:NugYot0LIVPxTvN8n+Kvkn6TrbMyxQiuvKdEwFdR9vI=
 github.com/saintfish/chardet v0.0.0-20120816061221-3af4cd4741ca/go.mod h1:uugorj2VCxiV1x+LzaIdVa9b4S4qGAcH6cbhh4qVxOU=
 github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
@@ -262,22 +270,20 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/assertions v1.0.1 h1:voD4ITNjPL5jjBfgR/r8fPIIBrliWrWHeiJApdr3r4w=
 github.com/smartystreets/assertions v1.0.1/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c/go.mod h1:XDJAKZRPZ1CvBcN2aX5YOUTYGHki24fSF0Iv48Ibg0s=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v0.0.0-20190731233626-505e41936337/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf/go.mod h1:RJID2RhlZKId02nZ62WenDCkgHFerpIOmW0iT7GKmXM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1 h1:2vfRuCMp5sSVIDSqO8oNnWJq7mPa6KVP3iPIwFBuy8A=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.6.0 h1:jlIyCplCJFULU/01vCkhKuTyc3OorI3bJFuw6obfgho=
-github.com/stretchr/testify v1.6.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
@@ -294,6 +300,7 @@ github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e h1:Qf3QQl/zmEbWD
 github.com/unknwon/paginater v0.0.0-20170405233947-45e5d631308e/go.mod h1:TBwoao3Q4Eb/cp+dHbXDfRTrZSsj/k7kLr2j1oWRWC0=
 github.com/urfave/cli v1.22.4 h1:u7tSpNPPswAFymm8IehJhy4uJMlUuU/GmqSkvJ1InXA=
 github.com/urfave/cli v1.22.4/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
+github.com/ziutek/mymysql v1.5.4 h1:GB0qdRGsTwQSBVYuVShFBKaXSnSnYYC2d9knnE1LHFs=
 github.com/ziutek/mymysql v1.5.4/go.mod h1:LMSpPZ6DbqWFxNCHW77HeMg9I646SAhApZ/wKdgO/C0=
 go.opencensus.io v0.20.1/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -334,6 +341,7 @@ golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -350,8 +358,9 @@ golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200106162015-b016eb3dc98e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f h1:gWF768j/LaZugp8dyS4UwsslYCYz9XgFxvlgsn0n9H8=
 golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
@@ -370,6 +379,7 @@ golang.org/x/tools v0.0.0-20190805222050-c5a2fd39b72a/go.mod h1:jcCCGcm9btYwXyDq
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
@@ -388,6 +398,7 @@ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miE
 google.golang.org/protobuf v1.21.0 h1:qdOKuR/EIArgaWNjetjgTzgVTAZ+S/WXVrq9HW9zimw=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d h1:TxyelI5cVkbREznMhfzycHdkp5cLA7DpE+GKjSslYhM=
 gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw=
@@ -395,6 +406,7 @@ gopkg.in/bufio.v1 v1.0.0-20140618132640-567b2bfa514e h1:wGA78yza6bu/mWcc4QfBuIEH
 gopkg.in/bufio.v1 v1.0.0-20140618132640-567b2bfa514e/go.mod h1:xsQCaysVCudhrYTfzYWe577fCe7Ceci+6qjO2Rdc0Z4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df h1:n7WqCuqOuCbNr617RXOY0AWRXxgwEyPp2z+p0+hgMuE=
@@ -416,6 +428,7 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 honnef.co/go/tools v0.0.0-20180728063816-88497007e858/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

gogs.go

@@ -1,3 +1,4 @@
+//go:build go1.14
 // +build go1.14
 
 // Copyright 2014 The Gogs Authors. All rights reserved.
@@ -18,7 +19,7 @@ import (
 )
 
 func init() {
-	conf.App.Version = "0.12.3"
+	conf.App.Version = "0.12.6"
 }
 
 func main() {

internal/auth/pam/pam.go

@@ -27,9 +27,9 @@ func PAMAuth(serviceName, userName, passwd string) error {
 		return err
 	}
 
-	if err = t.Authenticate(0); err != nil {
+	err = t.Authenticate(0)
+	if err != nil {
 		return err
 	}
-
-	return nil
+	return t.AcctMgmt(0)
 }

internal/auth/pam/pam_stub.go

@@ -1,3 +1,4 @@
+//go:build !pam
 // +build !pam
 
 // Copyright 2014 The Gogs Authors. All rights reserved.

internal/cmd/cert_stub.go

@@ -1,3 +1,4 @@
+//go:build !cert
 // +build !cert
 
 // Copyright 2009 The Go Authors. All rights reserved.

internal/conf/static.go

@@ -103,6 +103,7 @@ var (
 		CookieSecure            bool
 		EnableLoginStatusCookie bool
 		LoginStatusCookieName   string
+		LocalNetworkAllowlist   []string `delim:","`
 
 		// Deprecated: Use Auth.ReverseProxyAuthenticationHeader instead, will be removed in 0.13.
 		ReverseProxyAuthenticationUser string

internal/conf/testdata/TestInit.golden.ini

@@ -80,6 +80,7 @@ COOKIE_USERNAME=gogs_awesome
 COOKIE_SECURE=false
 ENABLE_LOGIN_STATUS_COOKIE=false
 LOGIN_STATUS_COOKIE_NAME=login_status
+LOCAL_NETWORK_ALLOWLIST=
 REVERSE_PROXY_AUTHENTICATION_USER=
 
 [email]

internal/context/context.go

@@ -290,6 +290,7 @@ func Contexter() macaron.Handler {
 		// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,
 		// see https://github.com/gogs/gogs/issues/5397 for details.
 		c.Header().Set("X-Content-Type-Options", "nosniff")
+		c.Header().Set("X-Frame-Options", "DENY")
 
 		ctx.Map(c)
 	}

internal/cron/cron.go

@@ -11,8 +11,8 @@ import (
 
 	"github.com/gogs/cron"
 
-	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/db"
 )
 
 var c = cron.New()

internal/db/action.go

@@ -11,7 +11,7 @@ import (
 	"time"
 	"unicode"
 
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 	"github.com/unknwon/com"
 	log "unknwon.dev/clog/v2"
 	"xorm.io/xorm"

internal/db/backup.go

@@ -87,7 +87,7 @@ func dumpTable(db *gorm.DB, table interface{}, w io.Writer) error {
 			return errors.Wrap(err, "encode JSON")
 		}
 	}
-	return nil
+	return rows.Err()
 }
 
 func dumpLegacyTables(dirPath string, verbose bool) error {

internal/db/migrations/v13.go

@@ -8,9 +8,9 @@ import (
 	"fmt"
 	"strings"
 
+	jsoniter "github.com/json-iterator/go"
 	"github.com/unknwon/com"
 	"xorm.io/xorm"
-	"github.com/json-iterator/go"
 )
 
 func ldapUseSSLToSecurityProtocol(x *xorm.Engine) error {

internal/db/migrations/v18.go

@@ -20,15 +20,15 @@ func updateRepositoryDescriptionField(x *xorm.Engine) error {
 		return nil
 	}
 	switch {
-		case conf.UseMySQL:
-			_, err = x.Exec("ALTER TABLE `repository` MODIFY `description` VARCHAR(512);")
-		case conf.UseMSSQL:
-			_, err = x.Exec("ALTER TABLE `repository` ALTER COLUMN `description` VARCHAR(512);")
-		case conf.UsePostgreSQL:
-			_, err = x.Exec("ALTER TABLE `repository` ALTER COLUMN `description` TYPE VARCHAR(512);")
-		case conf.UseSQLite3:
-			// Sqlite3 uses TEXT type by default for any string type field.
-			// Keep this comment to mention that we don't missed any option.
+	case conf.UseMySQL:
+		_, err = x.Exec("ALTER TABLE `repository` MODIFY `description` VARCHAR(512);")
+	case conf.UseMSSQL:
+		_, err = x.Exec("ALTER TABLE `repository` ALTER COLUMN `description` VARCHAR(512);")
+	case conf.UsePostgreSQL:
+		_, err = x.Exec("ALTER TABLE `repository` ALTER COLUMN `description` TYPE VARCHAR(512);")
+	case conf.UseSQLite3:
+		// Sqlite3 uses TEXT type by default for any string type field.
+		// Keep this comment to mention that we don't missed any option.
 	}
 	return err
 }

internal/db/models.go

@@ -224,7 +224,7 @@ func GetStatistic() (stats Statistic) {
 	stats.Counter.HookTask, _ = x.Count(new(HookTask))
 	stats.Counter.Team, _ = x.Count(new(Team))
 	stats.Counter.Attachment, _ = x.Count(new(Attachment))
-	return
+	return stats
 }
 
 func Ping() error {

internal/db/perms.go

@@ -6,7 +6,7 @@ package db
 
 import (
 	"github.com/jinzhu/gorm"
-	"github.com/t-tiger/gorm-bulk-insert"
+	gormbulk "github.com/t-tiger/gorm-bulk-insert"
 	log "unknwon.dev/clog/v2"
 )
 

internal/db/repo_editor.go

@@ -16,6 +16,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/pkg/errors"
 	gouuid "github.com/satori/go.uuid"
 	"github.com/unknwon/com"
 
@@ -23,9 +24,10 @@ import (
 
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/cryptoutil"
-	"gogs.io/gogs/internal/db/errors"
+	dberrors "gogs.io/gogs/internal/db/errors"
 	"gogs.io/gogs/internal/gitutil"
 	"gogs.io/gogs/internal/osutil"
+	"gogs.io/gogs/internal/pathutil"
 	"gogs.io/gogs/internal/process"
 	"gogs.io/gogs/internal/tool"
 )
@@ -134,7 +136,7 @@ func (repo *Repository) UpdateRepoFile(doer *User, opts UpdateRepoFileOptions) (
 	if opts.OldBranch != opts.NewBranch {
 		// Directly return error if new branch already exists in the server
 		if git.RepoHasBranch(repoPath, opts.NewBranch) {
-			return errors.BranchAlreadyExists{Name: opts.NewBranch}
+			return dberrors.BranchAlreadyExists{Name: opts.NewBranch}
 		}
 
 		// Otherwise, delete branch from local copy in case out of sync
@@ -449,11 +451,16 @@ func isRepositoryGitPath(path string) bool {
 	return strings.HasSuffix(path, ".git") || strings.Contains(path, ".git"+string(os.PathSeparator))
 }
 
-func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) (err error) {
+func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions) error {
 	if len(opts.Files) == 0 {
 		return nil
 	}
 
+	// Prevent uploading files into the ".git" directory
+	if isRepositoryGitPath(opts.TreePath) {
+		return errors.Errorf("bad tree path %q", opts.TreePath)
+	}
+
 	uploads, err := GetUploadsByUUIDs(opts.Files)
 	if err != nil {
 		return fmt.Errorf("get uploads by UUIDs[%v]: %v", opts.Files, err)
@@ -487,7 +494,9 @@ func (repo *Repository) UploadRepoFiles(doer *User, opts UploadRepoFileOptions)
 			continue
 		}
 
-		// Prevent copying files into .git directory, see https://gogs.io/gogs/issues/5558.
+		upload.Name = pathutil.Clean(upload.Name)
+
+		// Prevent uploading files into the ".git" directory
 		if isRepositoryGitPath(upload.Name) {
 			continue
 		}

internal/db/ssh_key.go

@@ -221,7 +221,7 @@ func SSHKeyGenParsePublicKey(key string) (string, int, error) {
 func SSHNativeParsePublicKey(keyLine string) (string, int, error) {
 	fields := strings.Fields(keyLine)
 	if len(fields) < 2 {
-		return "", 0, fmt.Errorf("not enough fields in public key line: %s", string(keyLine))
+		return "", 0, fmt.Errorf("not enough fields in public key line: %s", keyLine)
 	}
 
 	raw, err := base64.StdEncoding.DecodeString(fields[1])

internal/db/two_factors.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/jinzhu/gorm"
 	"github.com/pkg/errors"
-	"github.com/t-tiger/gorm-bulk-insert"
+	gormbulk "github.com/t-tiger/gorm-bulk-insert"
 	log "unknwon.dev/clog/v2"
 
 	"gogs.io/gogs/internal/cryptoutil"

internal/db/webhook.go

@@ -14,7 +14,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 	gouuid "github.com/satori/go.uuid"
 	log "unknwon.dev/clog/v2"
 	"xorm.io/xorm"

internal/db/webhook_dingtalk.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 
 	"github.com/gogs/git-module"
 	api "github.com/gogs/go-gogs-client"
@@ -18,7 +18,7 @@ const (
 	DingtalkNotificationTitle = "Gogs Notification"
 )
 
-//Refer: https://open-doc.dingtalk.com/docs/doc.htm?treeId=257&articleId=105735&docType=1
+// Refer: https://open-doc.dingtalk.com/docs/doc.htm?treeId=257&articleId=105735&docType=1
 type DingtalkActionCard struct {
 	Title          string `json:"title"`
 	Text           string `json:"text"`
@@ -28,13 +28,13 @@ type DingtalkActionCard struct {
 	SingleURL      string `json:"singleURL"`
 }
 
-//Refer: https://open-doc.dingtalk.com/docs/doc.htm?treeId=257&articleId=105735&docType=1
+// Refer: https://open-doc.dingtalk.com/docs/doc.htm?treeId=257&articleId=105735&docType=1
 type DingtalkAtObject struct {
 	AtMobiles []string `json:"atMobiles"`
 	IsAtAll   bool     `json:"isAtAll"`
 }
 
-//Refer: https://open-doc.dingtalk.com/docs/doc.htm?treeId=257&articleId=105735&docType=1
+// Refer: https://open-doc.dingtalk.com/docs/doc.htm?treeId=257&articleId=105735&docType=1
 type DingtalkPayload struct {
 	MsgType    string             `json:"msgtype"`
 	At         DingtalkAtObject   `json:"at"`
@@ -57,7 +57,7 @@ func NewDingtalkActionCard(singleTitle, singleURL string) DingtalkActionCard {
 	}
 }
 
-//TODO: add content
+// TODO: add content
 func GetDingtalkPayload(p api.Payloader, event HookEventType) (payload *DingtalkPayload, err error) {
 	switch event {
 	case HOOK_EVENT_CREATE:
@@ -255,7 +255,7 @@ func getDingtalkReleasePayload(p *api.ReleasePayload) (*DingtalkPayload, error)
 	return &DingtalkPayload{MsgType: "actionCard", ActionCard: actionCard}, nil
 }
 
-//Format link addr and title into markdown style
+// Format link addr and title into markdown style
 func MarkdownLinkFormatter(link, text string) string {
 	return "[" + text + "](" + link + ")"
 }

internal/db/webhook_discord.go

@@ -9,7 +9,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 
 	"github.com/gogs/git-module"
 	api "github.com/gogs/go-gogs-client"

internal/db/webhook_slack.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 
 	"github.com/gogs/git-module"
 	api "github.com/gogs/go-gogs-client"

internal/form/repo.go

@@ -12,7 +12,9 @@ import (
 	"github.com/unknwon/com"
 	"gopkg.in/macaron.v1"
 
+	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/db"
+	"gogs.io/gogs/internal/netutil"
 )
 
 // _______________________________________    _________.______________________ _______________.___.
@@ -67,9 +69,18 @@ func (f MigrateRepo) ParseRemoteAddr(user *db.User) (string, error) {
 		if err != nil {
 			return "", db.ErrInvalidCloneAddr{IsURLError: true}
 		}
+
+		if netutil.IsLocalHostname(u.Hostname(), conf.Security.LocalNetworkAllowlist) {
+			return "", db.ErrInvalidCloneAddr{IsURLError: true}
+		}
+
 		if len(f.AuthUsername)+len(f.AuthPassword) > 0 {
 			u.User = url.UserPassword(f.AuthUsername, f.AuthPassword)
 		}
+		// To prevent CRLF injection in git protocol, see https://github.com/gogs/gogs/issues/6413
+		if u.Scheme == "git" && (strings.Contains(remoteAddr, "%0d") || strings.Contains(remoteAddr, "%0a")) {
+			return "", db.ErrInvalidCloneAddr{IsURLError: true}
+		}
 		remoteAddr = u.String()
 	} else if !user.CanImportLocal() {
 		return "", db.ErrInvalidCloneAddr{IsPermissionDenied: true}

internal/httplib/httplib.go

@@ -24,7 +24,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 )
 
 var defaultSetting = Settings{false, "GogsServer", 60 * time.Second, 60 * time.Second, nil, nil, nil, false}
@@ -270,7 +270,7 @@ func (r *Request) getResponse() (*http.Response, error) {
 					if err != nil {
 						log.Fatal(err)
 					}
-					//iocopy
+					// iocopy
 					_, err = io.Copy(fileWriter, fh)
 					_ = fh.Close()
 					if err != nil {

internal/markup/markup.go

@@ -101,7 +101,7 @@ func RenderIssueIndexPattern(rawBytes []byte, urlPrefix string, metas map[string
 			m = m[1:]
 		}
 		var link string
-		if metas == nil {
+		if metas == nil || metas["format"] == "" {
 			link = fmt.Sprintf(`<a href="%s/issues/%s">%s</a>`, urlPrefix, m[1:], m)
 		} else {
 			// Support for external issue tracker
@@ -216,7 +216,7 @@ func wrapImgWithLink(urlPrefix string, buf *bytes.Buffer, token html.Token) {
 	buf.WriteString(`">`)
 
 	if needPrepend {
-		src = strings.Replace(urlPrefix+string(src), " ", "%20", -1)
+		src = strings.Replace(urlPrefix+src, " ", "%20", -1)
 		buf.WriteString(`<img src="`)
 		buf.WriteString(src)
 		buf.WriteString(`"`)

internal/markup/sanitizer.go

@@ -9,8 +9,8 @@ import (
 
 	"github.com/microcosm-cc/bluemonday"
 
-	"gogs.io/gogs/internal/lazyregexp"
 	"gogs.io/gogs/internal/conf"
+	"gogs.io/gogs/internal/lazyregexp"
 )
 
 // Sanitizer is a protection wrapper of *bluemonday.Policy which does not allow

internal/netutil/netutil.go

@@ -0,0 +1,71 @@
+// Copyright 2022 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package netutil
+
+import (
+	"fmt"
+	"net"
+)
+
+var localCIDRs []*net.IPNet
+
+func init() {
+	// Parsing hardcoded CIDR strings should never fail, if in case it does, let's
+	// fail it at start.
+	rawCIDRs := []string{
+		// https://datatracker.ietf.org/doc/html/rfc5735:
+		"127.0.0.0/8",        // Loopback
+		"0.0.0.0/8",          // "This" network
+		"100.64.0.0/10",      // Shared address space
+		"169.254.0.0/16",     // Link local
+		"172.16.0.0/12",      // Private-use networks
+		"192.0.0.0/24",       // IETF Protocol assignments
+		"192.0.2.0/24",       // TEST-NET-1
+		"192.88.99.0/24",     // 6to4 Relay anycast
+		"192.168.0.0/16",     // Private-use networks
+		"198.18.0.0/15",      // Network interconnect
+		"198.51.100.0/24",    // TEST-NET-2
+		"203.0.113.0/24",     // TEST-NET-3
+		"255.255.255.255/32", // Limited broadcast
+
+		// https://datatracker.ietf.org/doc/html/rfc1918:
+		"10.0.0.0/8", // Private-use networks
+
+		// https://datatracker.ietf.org/doc/html/rfc6890:
+		"::1/128",   // Loopback
+		"FC00::/7",  // Unique local address
+		"FE80::/10", // Multicast address
+	}
+	for _, raw := range rawCIDRs {
+		_, cidr, err := net.ParseCIDR(raw)
+		if err != nil {
+			panic(fmt.Sprintf("parse CIDR %q: %v", raw, err))
+		}
+		localCIDRs = append(localCIDRs, cidr)
+	}
+}
+
+// IsLocalHostname returns true if given hostname is resolved to local network
+// address, except exempted from the allowlist.
+func IsLocalHostname(hostname string, allowlist []string) bool {
+	for _, allow := range allowlist {
+		if hostname == allow {
+			return false
+		}
+	}
+
+	ips, err := net.LookupIP(hostname)
+	if err != nil {
+		return true
+	}
+	for _, ip := range ips {
+		for _, cidr := range localCIDRs {
+			if cidr.Contains(ip) {
+				return true
+			}
+		}
+	}
+	return false
+}

internal/netutil/netutil_test.go

@@ -0,0 +1,40 @@
+// Copyright 2022 The Gogs Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package netutil
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsLocalHostname(t *testing.T) {
+	tests := []struct {
+		hostname  string
+		allowlist []string
+		want      bool
+	}{
+		{hostname: "localhost", want: true},
+		{hostname: "127.0.0.1", want: true},
+		{hostname: "::1", want: true},
+		{hostname: "0:0:0:0:0:0:0:1", want: true},
+		{hostname: "fuf.me", want: true},
+		{hostname: "127.0.0.95", want: true},
+		{hostname: "0.0.0.0", want: true},
+		{hostname: "192.168.123.45", want: true},
+
+		{hostname: "gogs.io", want: false},
+		{hostname: "google.com", want: false},
+		{hostname: "165.232.140.255", want: false},
+
+		{hostname: "192.168.123.45", allowlist: []string{"10.0.0.17"}, want: true},
+		{hostname: "gogs.local", allowlist: []string{"gogs.local"}, want: false},
+	}
+	for _, test := range tests {
+		t.Run("", func(t *testing.T) {
+			assert.Equal(t, test.want, IsLocalHostname(test.hostname, test.allowlist))
+		})
+	}
+}

internal/route/admin/admin.go

@@ -10,7 +10,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 
 	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/context"

internal/route/admin/notice.go

@@ -64,7 +64,7 @@ func DeleteNotices(c *context.Context) {
 
 func EmptyNotices(c *context.Context) {
 	if err := db.DeleteNotices(0, 0); err != nil {
-		c.Error(err,"delete notices")
+		c.Error(err, "delete notices")
 		return
 	}
 

internal/route/admin/orgs.go

@@ -5,10 +5,10 @@
 package admin
 
 import (
+	"gogs.io/gogs/internal/conf"
 	"gogs.io/gogs/internal/context"
 	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/route"
-	"gogs.io/gogs/internal/conf"
 )
 
 const (

internal/route/api/v1/repo/branch.go

@@ -25,7 +25,7 @@ func GetBranch(c *context.APIContext) {
 		return
 	}
 
-	c.JSONSuccess( convert.ToBranch(branch, commit))
+	c.JSONSuccess(convert.ToBranch(branch, commit))
 }
 
 // https://github.com/gogs/go-gogs-client/wiki/Repositories#list-branches
@@ -46,5 +46,5 @@ func ListBranches(c *context.APIContext) {
 		apiBranches[i] = convert.ToBranch(branches[i], commit)
 	}
 
-	c.JSONSuccess( &apiBranches)
+	c.JSONSuccess(&apiBranches)
 }

internal/route/api/v1/repo/hook.go

@@ -8,7 +8,7 @@ import (
 	"net/http"
 
 	api "github.com/gogs/go-gogs-client"
-	"github.com/json-iterator/go"
+	jsoniter "github.com/json-iterator/go"
 	"github.com/pkg/errors"
 	"github.com/unknwon/com"
 

internal/route/repo/branch.go

@@ -91,7 +91,7 @@ func Branches(c *context.Context) {
 
 	c.Data["ActiveBranches"] = activeBranches
 	c.Data["StaleBranches"] = staleBranches
-	c.Success( BRANCHES_OVERVIEW)
+	c.Success(BRANCHES_OVERVIEW)
 }
 
 func AllBranches(c *context.Context) {
@@ -104,7 +104,7 @@ func AllBranches(c *context.Context) {
 	}
 	c.Data["Branches"] = branches
 
-	c.Success( BRANCHES_ALL)
+	c.Success(BRANCHES_ALL)
 }
 
 func DeleteBranchPost(c *context.Context) {

internal/route/repo/release.go

@@ -320,7 +320,7 @@ func DeleteRelease(c *context.Context) {
 		c.Flash.Success(c.Tr("repo.release.deletion_success"))
 	}
 
-	c.JSONSuccess( map[string]interface{}{
+	c.JSONSuccess(map[string]interface{}{
 		"redirect": c.Repo.RepoLink + "/releases",
 	})
 }

internal/route/repo/webhook.go

@@ -20,6 +20,7 @@ import (
 	"gogs.io/gogs/internal/db"
 	"gogs.io/gogs/internal/db/errors"
 	"gogs.io/gogs/internal/form"
+	"gogs.io/gogs/internal/netutil"
 )
 
 const (
@@ -118,24 +119,7 @@ func WebhooksNew(c *context.Context, orCtx *orgRepoContext) {
 	c.Success(orCtx.TmplNew)
 }
 
-var localHostnames = []string{
-	"localhost",
-	"127.0.0.1",
-	"::1",
-	"0:0:0:0:0:0:0:1",
-}
-
-// isLocalHostname returns true if given hostname is a known local address.
-func isLocalHostname(hostname string) bool {
-	for _, local := range localHostnames {
-		if hostname == local {
-			return true
-		}
-	}
-	return false
-}
-
-func validateWebhook(actor *db.User, l macaron.Locale, w *db.Webhook) (field string, msg string, ok bool) {
+func validateWebhook(actor *db.User, l macaron.Locale, w *db.Webhook) (field, msg string, ok bool) {
 	if !actor.IsAdmin {
 		// 🚨 SECURITY: Local addresses must not be allowed by non-admins to prevent SSRF,
 		// see https://github.com/gogs/gogs/issues/5366 for details.
@@ -144,7 +128,7 @@ func validateWebhook(actor *db.User, l macaron.Locale, w *db.Webhook) (field str
 			return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_parse_payload_url", err), false
 		}
 
-		if isLocalHostname(payloadURL.Hostname()) {
+		if netutil.IsLocalHostname(payloadURL.Hostname(), conf.Security.LocalNetworkAllowlist) {
 			return "PayloadURL", l.Tr("repo.settings.webhook.err_cannot_use_local_addresses"), false
 		}
 	}

internal/route/repo/webhook_test.go

@@ -13,25 +13,6 @@ import (
 	"gogs.io/gogs/internal/mocks"
 )
 
-func Test_isLocalHostname(t *testing.T) {
-	tests := []struct {
-		hostname string
-		want     bool
-	}{
-		{hostname: "localhost", want: true},
-		{hostname: "127.0.0.1", want: true},
-		{hostname: "::1", want: true},
-		{hostname: "0:0:0:0:0:0:0:1", want: true},
-
-		{hostname: "gogs.io", want: false},
-	}
-	for _, test := range tests {
-		t.Run("", func(t *testing.T) {
-			assert.Equal(t, test.want, isLocalHostname(test.hostname))
-		})
-	}
-}
-
 func Test_validateWebhook(t *testing.T) {
 	l := &mocks.Locale{
 		MockLang: "en",

scripts/autoboot.sh

@@ -1,2 +0,0 @@
-#!/bin/sh
-su git -c "/home/git/gogs/scripts/gogs_supervisord.sh restart"

scripts/build.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-
-outPath=./output
-
-rm -rf $outPath
-mkdir $outPath
-
-go build ../gogs.go
-PLATFORM=$(uname | cut -d _ -f 1)
-if [ "$PLATFORM" = "MINGW32" ] || [ "$PLATFORM" = "MINGW64" ] || [ "$PLATFORM" = "CYGWIN" ]; then
-	GOGS_EXE=gogs.exe
-else
-	GOGS_EXE=gogs
-fi
-chmod +x $GOGS_EXE
-mv $GOGS_EXE $outPath/
-
-cp -r ../conf/ $outPath/conf/
-cp -r ../custom/ $outPath/custom/
-cp -r dockerfiles/ $outPath/dockerfiles/
-cp -r ../public/ $outPath/public/
-cp -r ../templates/ $outPath/templates/
-cp ../cert.pem $outPath/
-cp ../CONTRIBUTING.md $outPath/
-cp gogs_supervisord.sh $outPath/
-cp ../key.pem $outPath/
-cp ../LICENSE $outPath/
-cp ../README.md $outPath/
-cp ../README_ZH.md $outPath/
-cp start.bat $outPath/
-cp start.sh $outPath/
-cp ../wercker.yml $outPath/
-cp mysql.sql $outPath/

scripts/build_freebsd.sh

@@ -1,27 +0,0 @@
-outPlattform=freebsd
-outArch=amd64
-outPath=./output_${outPlattform}_$outArch
-
-rm -rf $outPath
-mkdir $outPath
-
-CGO_ENABLED=0 GOOS=$outPlattform GOARCH=$outArch go build ../gogs.go
-chmod +x gogs
-mv gogs $outPath/
-
-cp -r ../conf/ $outPath/conf/
-cp -r ../custom/ $outPath/custom/
-cp -r dockerfiles/ $outPath/dockerfiles/
-cp -r ../public/ $outPath/public/
-cp -r ../templates/ $outPath/templates/
-cp ../cert.pem $outPath/
-cp ../CONTRIBUTING.md $outPath/
-cp gogs_supervisord.sh $outPath/
-cp ../key.pem $outPath/
-cp ../LICENSE $outPath/
-cp ../README.md $outPath/
-cp ../README_ZH.md $outPath/
-cp start.bat $outPath/
-cp start.sh $outPath/
-cp ../wercker.yml $outPath/
-cp mysql.sql $outPath/

scripts/build_linux64.sh

@@ -1,27 +0,0 @@
-outPlattform=linux
-outArch=amd64
-outPath=./output_${outPlattform}_$outArch
-
-rm -rf $outPath
-mkdir $outPath
-
-CGO_ENABLED=0 GOOS=$outPlattform GOARCH=$outArch go build -buildmode=pie ../gogs.go
-chmod +x gogs
-mv gogs $outPath/
-
-cp -r ../conf/ $outPath/conf/
-cp -r ../custom/ $outPath/custom/
-cp -r dockerfiles/ $outPath/dockerfiles/
-cp -r ../public/ $outPath/public/
-cp -r ../templates/ $outPath/templates/
-cp ../cert.pem $outPath/
-cp ../CONTRIBUTING.md $outPath/
-cp gogs_supervisord.sh $outPath/
-cp ../key.pem $outPath/
-cp ../LICENSE $outPath/
-cp ../README.md $outPath/
-cp ../README_ZH.md $outPath/
-cp start.bat $outPath/
-cp start.sh $outPath/
-cp ../wercker.yml $outPath/
-cp mysql.sql $outPath/

scripts/init/openbsd/gogs

@@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # $OpenBSD$
+# shellcheck disable=SC2034,SC1091,SC2154,SC2086
 
 daemon="/home/git/gogs/gogs"
 daemon_user="git"

scripts/mysql.sql

@@ -1,11 +1,10 @@
-SET @s = IF(version() < 8 OR version() LIKE '%MariaDB%', 
-            'SET GLOBAL innodb_file_per_table = ON, 
-                        innodb_file_format = Barracuda, 
-                        innodb_large_prefix = ON;', 
+SET @s = IF(version() < 8 OR (version() LIKE '%MariaDB%' AND version() < 10.3),
+            'SET GLOBAL innodb_file_per_table = ON,
+                        innodb_file_format = Barracuda,
+                        innodb_large_prefix = ON;',
             'SET GLOBAL innodb_file_per_table = ON;');
 PREPARE stmt1 FROM @s;
-EXECUTE stmt1; 
+EXECUTE stmt1;
 
 DROP DATABASE IF EXISTS gogs;
 CREATE DATABASE IF NOT EXISTS gogs CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
-

templates/admin/config.tmpl

@@ -206,6 +206,8 @@
 						<dd><i class="fa fa{{if .Security.EnableLoginStatusCookie}}-check{{end}}-square-o"></i></dd>
 						<dt>{{.i18n.Tr "admin.config.security.login_status_cookie_name"}}</dt>
 						<dd>{{.Security.LoginStatusCookieName}}</dd>
+						<dt>{{.i18n.Tr "admin.config.security.local_network_allowlist"}}</dt>
+						<dd><code>{{.Security.LocalNetworkAllowlist}}</code></dd>
 					</dl>
 				</div>
 

templates/org/member/members.tmpl

@@ -14,7 +14,7 @@
 			{{range .Members}}
 				<div class="item ui grid">
 					<div class="ui one wide column">
-						<img class="ui avatar" src="{{.RelAvatarLink}}?s=48">
+						<img class="ui avatar" src="{{AppendAvatarSize .RelAvatarLink 48}}">
 					</div>
 					<div class="ui three wide column">
 						<div class="meta"><a href="{{.HomeLink}}">{{.Name}}</a></div>