Version 1.8.4

CHANGELOG

@@ -174,3 +174,57 @@
   * Emoji Autocomplete (#3433)
   * Implements generator cli for secrets (#3531)
 
+[1.6.1]
+* Update Gitea to 1.5.1
+* Security
+  * Don't disclose emails of all users when sending out emails (#4784)
+  * Improve URL validation for external wiki and external issues (#4710) (#4740)
+  * Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706) (#4707)
+* Bugfixes
+  * Fix missing release title in webhook (#4783) (#4800)
+  * Make sure to reset commit count in the cache on mirror syncing (#4770)
+  * Fixed bug where team with admin privelege type doesn't get any unit (#4759)
+  * Fix failure on creating pull request with assignees (#4583) (#4727)
+  * Hide org/create menu item in Dashboard if user has no rights (#4678) (#4686)
+
+[1.7.0]
+* Update base image
+
+[1.7.1]
+* Update Gitea to 1.5.2
+
+[1.7.2]
+* Update Gitea to 1.5.3
+* Security
+  * Fix remote command execution vulnerability in upstream library (#5177) (#5196)
+
+[1.8.0]
+* Update Gitea to 1.6.0
+
+[1.8.1]
+* Update Gitea to 1.6.1
+
+[1.8.2]
+* Update Gitea to 1.6.2
+* SECURITY
+  * Sanitize uploaded file names (#5571) (#5573)
+  * HTMLEncode user added text (#5570) (#5575)
+* BUGFIXES
+  * Fix indexer reindex bug when gitea restart (#5563) (#5564)
+  * Fix bug when a read perm user to edit his issue (#5516) (#5534)
+  * Detect force push failure on deletion of protected branches (#5522) (#5531)
+  * Fix forgot deletion of notification when delete repository (#5506) (#5514)
+  * Fix undeleted content when deleting user (#5429) (#5509)
+  * Fix empty wiki (#5504) (#5508)
+
+[1.8.3]
+* Update Gitea to 1.6.3
+* SECURITY: Prevent DeleteFilePost doing arbitrary deletion (#5631)
+* BUGFIX: Fix wrong text getting saved on editing second comment on an issue (#5608)
+
+[1.8.4]
+* Update Gitea to 1.6.4
+* Fix SSH key now can be reused as public key after deleting as deploy key (#5671) (#5685)
+* When redirecting clean the path to avoid redirecting to external site (#5669) (#5703)
+* Fix to use correct value for "MSpan Structures Obtained" (#5706) (#5715)
+

CloudronManifest.json

@@ -4,7 +4,7 @@
   "author": "Gitea developers",
   "description": "file://DESCRIPTION.md",
   "tagline": "A painless self-hosted Git Service",
-  "version": "1.6.0",
+  "version": "1.8.4",
   "healthCheckPath": "/healthcheck",
   "httpPort": 3000,
   "addons": {

DESCRIPTION.md

@@ -1,4 +1,4 @@
-This app packages Gitea <upstream>1.5.0</upstream>
+This app packages Gitea <upstream>1.6.4</upstream>
 
 Gitea is a painless self-hosted Git service. It is similar to GitHub, Bitbucket or Gitlab.
 

Dockerfile

@@ -1,6 +1,4 @@
-FROM cloudron/base:0.10.0
-
-ENV VERSION 1.5.0
+FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617
 
 RUN apt-get update && \
     apt-get install -y openssh-server git && \
@@ -15,8 +13,7 @@ RUN adduser --disabled-login --gecos 'Gitea' git
 RUN passwd -d git
 
 RUN mkdir -p /home/git/gitea
-## TODO: use redis as well
-RUN curl -L https://dl.gitea.io/gitea/${VERSION}/gitea-${VERSION}-linux-amd64 -o /home/git/gitea/gitea \
+RUN curl -L https://dl.gitea.io/gitea/1.6.4/gitea-1.6.4-linux-amd64 -o /home/git/gitea/gitea \
     && chmod +x /home/git/gitea/gitea
 
 # setup config paths
@@ -31,9 +28,7 @@ RUN ln -s /app/data/gitconfig /home/git/.gitconfig
 
 ADD start.sh /home/git/start.sh
 
-# disable pam authentication for sshd
-RUN sed -e 's/UsePAM yes/UsePAM no/' -e 's/UsePrivilegeSeparation yes/UsePrivilegeSeparation no/' -i /etc/ssh/sshd_config
-RUN echo "UseDNS no" >> /etc/ssh/sshd_config
+COPY sshd_config /etc/ssh/sshd_config
 
 CMD [ "/home/git/start.sh" ]
 

sshd_config

@@ -0,0 +1,79 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 29418
+# Use these options to restrict which interfaces/protocols sshd will bind to
+ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /app/data/sshd/ssh_host_rsa_key
+HostKey /app/data/sshd/ssh_host_dsa_key
+HostKey /app/data/sshd/ssh_host_ecdsa_key
+HostKey /app/data/sshd/ssh_host_ed25519_key
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin prohibit-password
+StrictModes yes
+
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM no
+UseDNS no

start.sh

@@ -2,7 +2,7 @@
 
 set -eu -o pipefail
 
-mkdir -p /run/gitea/tmp/uploads
+mkdir -p /run/gitea/tmp/uploads /run/sshd
 
 setup_ldap_source() {
     set -eu
@@ -50,10 +50,7 @@ fi
 chmod 0600 /app/data/sshd/*_key
 chmod 0644 /app/data/sshd/*.pub
 
-sed -e "s/^Port .*/Port ${SSH_PORT}/" \
-    -e "s/^#ListenAddress .*/ListenAddress 0.0.0.0/" \
-    -e "s,^HostKey /etc/ssh/,HostKey /app/data/sshd/," \
-    /etc/ssh/sshd_config > /run/gitea/sshd_config
+sed -e "s/^Port .*/Port ${SSH_PORT}/" /etc/ssh/sshd_config > /run/gitea/sshd_config
 
 cp /home/git/app.ini.template "/run/gitea/app.ini"
 

test/test.js

@@ -31,6 +31,7 @@ describe('Application life cycle test', function () {
     this.timeout(0);
     var server, browser = new Builder().forBrowser('chrome').build();
     var LOCATION = 'test';
+    var SSH_PORT = 29420;
     var repodir = '/tmp/testrepo';
     var app, reponame = 'testrepo';
     var username = process.env.USERNAME;
@@ -210,7 +211,7 @@ return done();
         }).then(function () {
             return browser.findElement(by.id('repo-clone-url')).getAttribute('value');
         }).then(function (cloneUrl) {
-            expect(cloneUrl).to.be('ssh://git@' + app.fqdn + ':29418/' + username + '/' + reponame + '.git');
+            expect(cloneUrl).to.be(`ssh://git@${app.fqdn}:${SSH_PORT}/${username}/${reponame}.git`);
             done();
         });
     }
@@ -219,14 +220,14 @@ return done();
         rimraf.sync(repodir);
         var env = Object.create(process.env);
         env.GIT_SSH = __dirname + '/git_ssh_wrapper.sh';
-        execSync('git clone ssh://git@' + app.fqdn + ':29418/' + username + '/' + reponame + '.git ' + repodir, { env: env });
+        execSync(`git clone ssh://git@${app.fqdn}:${SSH_PORT}/${username}/${reponame}.git ${repodir}`, { env: env });
         done();
     }
 
     function pushFile(done) {
         var env = Object.create(process.env);
         env.GIT_SSH = __dirname + '/git_ssh_wrapper.sh';
-        execSync('touch newfile && git add newfile && git commit -a -mx && git push ssh://git@' + app.fqdn + ':29418/' + username + '/' + reponame + ' master',
+        execSync(`touch newfile && git add newfile && git commit -a -mx && git push ssh://git@${app.fqdn}:${SSH_PORT}/${username}/${reponame} master`,
                  { env: env, cwd: repodir });
         rimraf.sync('/tmp/testrepo');
         done();
@@ -234,8 +235,8 @@ return done();
 
     function addCustomFile(done) {
         fs.writeFileSync('/tmp/customfile.txt', 'GOGS TEST', 'utf8');
-        execSync('cloudron exec -- mkdir -p /app/data/custom/public');
-        execSync('cloudron push /tmp/customfile.txt /app/data/custom/public/customfile.txt');
+        execSync(`cloudron exec --app ${app.id} -- mkdir -p /app/data/custom/public`);
+        execSync(`cloudron push --app ${app.id} /tmp/customfile.txt /app/data/custom/public/customfile.txt`);
         fs.unlinkSync('/tmp/customfile.txt');
         done();
     }
@@ -254,7 +255,7 @@ return done();
     }
 
     function sendMail(done) {
-        browser.get('https://' + app.fqdn + '/admin/config').then(function () {
+        browser.get(`https://${app.fqdn}/admin/config`).then(function () {
             var button = browser.findElement(by.xpath('//button[@id="test-mail-btn"]'));
             return browser.executeScript('arguments[0].scrollIntoView(true)', button);
         }).then(function () {
@@ -275,7 +276,7 @@ return done();
     it('can login', function (done) {
         var inspect = JSON.parse(execSync('cloudron inspect'));
 
-        superagent.post('https://' + inspect.apiEndpoint + '/api/v1/developer/login').send({
+        superagent.post(`https://${inspect.apiEndpoint}/api/v1/developer/login`).send({
             username: username,
             password: password
         }).end(function (error, result) {
@@ -284,7 +285,7 @@ return done();
 
             token = result.body.accessToken;
 
-            superagent.get('https://' + inspect.apiEndpoint + '/api/v1/profile')
+            superagent.get(`https://${inspect.apiEndpoint}/api/v1/profile`)
                 .query({ access_token: token }).end(function (error, result) {
                 if (error) return done(error);
                 if (result.statusCode !== 200) return done(new Error('Get profile failed with status ' + result.statusCode));
@@ -296,7 +297,7 @@ return done();
     });
 
     it('install app', function () {
-        execSync('cloudron install --new --wait --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+        execSync(`cloudron install --new --wait --location ${LOCATION} -p SSH_PORT=${SSH_PORT}`, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
     });
 
     it('can get app information', getAppInfo);
@@ -351,12 +352,17 @@ return done();
     it('can clone the url', cloneRepo);
     it('file exists in repo', function () { expect(fs.existsSync(repodir + '/newfile')).to.be(true); });
 
-    it('move to different location', function () {
+    it('move to different location', function (done) {
         //browser.manage().deleteAllCookies(); // commented because of error "'Network.deleteCookie' wasn't found"
-        execSync('cloudron configure --wait --location ' + LOCATION + '2 --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-        var inspect = JSON.parse(execSync('cloudron inspect'));
-        app = inspect.apps.filter(function (a) { return a.location === LOCATION + '2'; })[0];
-        expect(app).to.be.an('object');
+        // ensure we don't hit NXDOMAIN in the mean time
+        browser.get('about:blank').then(function () {
+            execSync('cloudron configure --wait --location ' + LOCATION + '2 --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+            var inspect = JSON.parse(execSync('cloudron inspect'));
+            app = inspect.apps.filter(function (a) { return a.location === LOCATION + '2'; })[0];
+            expect(app).to.be.an('object');
+
+            done();
+        });
     });
 
     it('can login', login);
@@ -365,13 +371,17 @@ return done();
     it('can clone the url', cloneRepo);
     it('file exists in repo', function () { expect(fs.existsSync(repodir + '/newfile')).to.be(true); });
 
-    it('uninstall app', function () {
-        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    it('uninstall app', function (done) {
+        // ensure we don't hit NXDOMAIN in the mean time
+        browser.get('about:blank').then(function () {
+            execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+            done();
+        });
     });
 
     // check if the _first_ login via email succeeds
     it('can login via email', function (done) {
-        execSync('cloudron install --new --wait --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+        execSync(`cloudron install --new --wait --location ${LOCATION} -p SSH_PORT=${SSH_PORT}`, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
         var inspect = JSON.parse(execSync('cloudron inspect'));
 
         app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
@@ -379,14 +389,18 @@ return done();
 
         login(function (error) {
             if (error) return done(error);
-            execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-            done();
+
+            // ensure we don't hit NXDOMAIN in the mean time
+            browser.get('about:blank').then(function () {
+                execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+                done();
+            });
         });
     });
 
     // test update
     it('can install app', function () {
-        execSync('cloudron install --new --wait --appstore-id ' + app.manifest.id + ' --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+        execSync(`cloudron install --new --wait --appstore-id ${app.manifest.id} --location ${LOCATION} -p SSH_PORT=${SSH_PORT}`, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
     });
 
     it('can get app information', getAppInfo);
@@ -408,7 +422,11 @@ return done();
     it('can clone the url', cloneRepo);
     it('file exists in cloned repo', fileExists);
 
-    it('uninstall app', function () {
-        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    it('uninstall app', function (done) {
+        // ensure we don't hit NXDOMAIN in the mean time
+        browser.get('about:blank').then(function () {
+            execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+            done();
+        });
     });
 });