[SECURITY] fix: Adjust the toolchain version (#36537 ) (#36542 )

Backport #36537 by @ZPascal # Summary: - Adjust the toolchain version to fix the security issues ```log Vulnerability #1: GO-2026-4337 Unexpected session resumption in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4337 Standard library Found in: crypto/tls@go1.25.6 Fixed in: crypto/tls@go1.25.7 Example traces found: ``` Signed-off-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com> Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
fix(packages/container): data race when uploading container blobs concurrently (#36524 ) (#36526 )
2026-02-06 18:53:01 +00:00 · 2026-02-06 23:00:52 +08:00 · 2026-02-04 09:32:26 -08:00 · 2026-02-01 09:33:23 -08:00 · 2026-01-30 05:47:46 +00:00 · 2026-01-29 21:18:21 -08:00
10 changed files with 120 additions and 13 deletions
@@ -20,6 +20,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.com).
  * Add more routes to the "expensive" list (#36290)
  * Make "commit statuses" API accept slashes in "ref" (#36264) (#36275)
 * BUGFIXES
+  * Fix git http service handling #36396
  * Fix markdown newline handling during IME composition (#36421) #36424
  * Fix missing repository id when migrating release attachments (#36389)
  * Fix bug when compare in the pull request (#36363) (#36372)
@@ -2,7 +2,7 @@ module code.gitea.io/gitea

 go 1.25.0

-toolchain go1.25.5
+toolchain go1.25.7

 // rfc5280 said: "The serial number is an integer assigned by the CA to each certificate."
 // But some CAs use negative serial number, just relax the check. related:
@@ -43,13 +43,15 @@ func GetOrInsertBlob(ctx context.Context, pb *PackageBlob) (*PackageBlob, bool,

 	existing := &PackageBlob{}

-	has, err := e.Where(builder.Eq{
+	hashCond := builder.Eq{
 		"size":        pb.Size,
 		"hash_md5":    pb.HashMD5,
 		"hash_sha1":   pb.HashSHA1,
 		"hash_sha256": pb.HashSHA256,
 		"hash_sha512": pb.HashSHA512,
-	}).Get(existing)
+	}
+
+	has, err := e.Where(hashCond).Get(existing)
 	if err != nil {
 		return nil, false, err
 	}
@@ -57,6 +59,11 @@ func GetOrInsertBlob(ctx context.Context, pb *PackageBlob) (*PackageBlob, bool,
 		return existing, true, nil
 	}
 	if _, err = e.Insert(pb); err != nil {
+		// Handle race condition: another request may have inserted the same blob
+		// between our SELECT and INSERT. Retry the SELECT to get the existing blob.
+		if has, _ = e.Where(hashCond).Get(existing); has {
+			return existing, true, nil
+		}
 		return nil, false, err
 	}
 	return pb, false, nil
@@ -0,0 +1,51 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package packages
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sync/errgroup"
+)
+
+func TestGetOrInsertBlobConcurrent(t *testing.T) {
+	require.NoError(t, unittest.PrepareTestDatabase())
+
+	testBlob := PackageBlob{
+		Size:       123,
+		HashMD5:    "md5",
+		HashSHA1:   "sha1",
+		HashSHA256: "sha256",
+		HashSHA512: "sha512",
+	}
+
+	const numGoroutines = 3
+	var wg errgroup.Group
+	results := make([]*PackageBlob, numGoroutines)
+	existed := make([]bool, numGoroutines)
+	for idx := range numGoroutines {
+		wg.Go(func() error {
+			blob := testBlob // Create a copy of the test blob for each goroutine
+			var err error
+			results[idx], existed[idx], err = GetOrInsertBlob(t.Context(), &blob)
+			return err
+		})
+	}
+	require.NoError(t, wg.Wait())
+
+	// then: all GetOrInsertBlob succeeds with the same blob ID, and only one indicates it did not exist before
+	existedCount := 0
+	assert.NotNil(t, results[0])
+	for i := range numGoroutines {
+		assert.Equal(t, results[0].ID, results[i].ID)
+		if existed[i] {
+			existedCount++
+		}
+	}
+	assert.Equal(t, numGoroutines-1, existedCount)
+}
@@ -26,9 +26,18 @@ import (

 // saveAsPackageBlob creates a package blob from an upload
 // The uploaded blob gets stored in a special upload version to link them to the package/image
-func saveAsPackageBlob(ctx context.Context, hsr packages_module.HashedSizeReader, pci *packages_service.PackageCreationInfo) (*packages_model.PackageBlob, error) { //nolint:unparam // PackageBlob is never used
+// There will be concurrent uploading for the same blob, so it needs a global lock per blob hash
+func saveAsPackageBlob(ctx context.Context, hsr packages_module.HashedSizeReader, pci *packages_service.PackageCreationInfo) (*packages_model.PackageBlob, error) { //nolint:unparam //returned PackageBlob is never used
 	pb := packages_service.NewPackageBlob(hsr)
+	err := globallock.LockAndDo(ctx, "container-blob:"+pb.HashSHA256, func(ctx context.Context) error {
+		var err error
+		pb, err = saveAsPackageBlobInternal(ctx, hsr, pci, pb)
+		return err
+	})
+	return pb, err
+}

+func saveAsPackageBlobInternal(ctx context.Context, hsr packages_module.HashedSizeReader, pci *packages_service.PackageCreationInfo, pb *packages_model.PackageBlob) (*packages_model.PackageBlob, error) {
 	exists := false

 	contentStore := packages_module.NewContentStore()
@@ -67,7 +76,7 @@ func saveAsPackageBlob(ctx context.Context, hsr packages_module.HashedSizeReader
 		return createFileForBlob(ctx, uploadVersion, pb)
 	})
 	if err != nil {
-		if !exists {
+		if !exists && pb != nil { // pb can be nil if GetOrInsertBlob failed
 			if err := contentStore.Delete(packages_module.BlobHash256Key(pb.HashSHA256)); err != nil {
 				log.Error("Error deleting package blob from content store: %v", err)
 			}
@@ -230,8 +230,7 @@ func AuthorizeOAuth(ctx *context.Context) {

 	// pkce support
 	switch form.CodeChallengeMethod {
-	case "S256":
-	case "plain":
+	case "S256", "plain":
 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {
 			handleAuthorizeError(ctx, AuthorizeError{
 				ErrorCode:        ErrorCodeServerError,
@@ -63,10 +63,10 @@ func NewBlobUploader(ctx context.Context, id string) (*BlobUploader, error) {
 	}

 	return &BlobUploader{
-		model,
-		hash,
-		f,
-		false,
+		PackageBlobUpload: model,
+		MultiHasher:       hash,
+		file:              f,
+		reading:           false,
 	}, nil
 }

@@ -1 +1 @@
-<a class="author text black tw-font-semibold muted"{{if gt .ID 0}} href="{{.HomeLink}}"{{end}}>{{.GetDisplayName}}</a>{{if .IsTypeBot}}<span class="ui basic label tw-p-1 tw-align-baseline">bot</span>{{end}}
+<a class="author text black tw-font-semibold muted"{{if gt .ID 0}} href="{{.HomeLink}}"{{end}}>{{.GetDisplayName}}</a>{{if .IsTypeBot}}&nbsp;<span class="ui basic label tw-p-1 tw-align-baseline">bot</span>{{end}}
@@ -10,6 +10,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"strings"
 	"testing"

@@ -95,6 +96,45 @@ func TestAuthorizeShow(t *testing.T) {
 	htmlDoc.GetCSRF()
 }

+func TestAuthorizeGrantS256RequiresVerifier(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	ctx := loginUser(t, "user4")
+	codeChallenge := "CjvyTLSdR47G5zYenDA-eDWW4lRrO8yvjcWwbD_deOg"
+	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=a&response_type=code&state=thestate&code_challenge_method=S256&code_challenge="+url.QueryEscape(codeChallenge))
+	resp := ctx.MakeRequest(t, req, http.StatusOK)
+
+	htmlDoc := NewHTMLParser(t, resp.Body)
+	AssertHTMLElement(t, htmlDoc, "#authorize-app", true)
+
+	grantReq := NewRequestWithValues(t, "POST", "/login/oauth/grant", map[string]string{
+		"client_id":    "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"state":        "thestate",
+		"scope":        "",
+		"nonce":        "",
+		"redirect_uri": "a",
+		"granted":      "true",
+		"_csrf":        htmlDoc.GetCSRF(),
+	})
+	grantResp := ctx.MakeRequest(t, grantReq, http.StatusSeeOther)
+	u, err := grantResp.Result().Location()
+	assert.NoError(t, err)
+	code := u.Query().Get("code")
+	assert.NotEmpty(t, code)
+
+	accessReq := NewRequestWithValues(t, "POST", "/login/oauth/access_token", map[string]string{
+		"grant_type":    "authorization_code",
+		"client_id":     "da7da3ba-9a13-4167-856f-3899de0b0138",
+		"client_secret": "4MK8Na6R55smdCY0WuCCumZ6hjRPnGY5saWVRHHjJiA=",
+		"redirect_uri":  "a",
+		"code":          code,
+	})
+	accessResp := MakeRequest(t, accessReq, http.StatusBadRequest)
+	parsedError := new(oauth2_provider.AccessTokenError)
+	assert.NoError(t, json.Unmarshal(accessResp.Body.Bytes(), parsedError))
+	assert.Equal(t, "unauthorized_client", string(parsedError.ErrorCode))
+	assert.Equal(t, "failed PKCE code challenge", parsedError.ErrorDescription)
+}
+
 func TestAuthorizeRedirectWithExistingGrant(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 	req := NewRequest(t, "GET", "/login/oauth/authorize?client_id=da7da3ba-9a13-4167-856f-3899de0b0138&redirect_uri=https%3A%2F%2Fexample.com%2Fxyzzy&response_type=code&state=thestate")
@@ -35,7 +35,7 @@ const baseOptions: MonacoOpts = {
  renderLineHighlight: 'all',
  renderLineHighlightOnlyWhenFocus: true,
  rulers: [],
-  scrollbar: {horizontalScrollbarSize: 6, verticalScrollbarSize: 6},
+  scrollbar: {horizontalScrollbarSize: 6, verticalScrollbarSize: 6, alwaysConsumeMouseWheel: false},
  scrollBeyondLastLine: false,
  automaticLayout: true,
 };
Author	SHA1	Message	Date
Giteabot	dcce96c08d	[SECURITY] fix: Adjust the toolchain version (#36537 ) (#36542 ) Backport #36537 by @ZPascal # Summary: - Adjust the toolchain version to fix the security issues ```log Vulnerability #1: GO-2026-4337 Unexpected session resumption in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4337 Standard library Found in: crypto/tls@go1.25.6 Fixed in: crypto/tls@go1.25.7 Example traces found: ``` Signed-off-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com> Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>	2026-02-06 23:00:52 +08:00
Giteabot	885f2b89d6	fix(packages/container): data race when uploading container blobs concurrently (#36524 ) (#36526 ) Backport #36524 by @noeljackson Fix data race when uploading container blobs concurrently Co-authored-by: Noel Jackson <n@noeljackson.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2026-02-04 09:32:26 -08:00
Giteabot	57ce10c0ca	Allow scroll propagation outside code editor (#36502 ) (#36510 ) Backport #36502 by @lunny Fix #28479 When scrolling inside the editor and the editor has already reached the end of its scroll area, the browser does not continue scrolling. This is inconvenient because users must move the cursor out of the editor to scroll the page further. This PR enables automatic switching between the editor’s scroll and the browser’s scroll, allowing seamless continuous scrolling. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2026-02-01 09:33:23 -08:00
Sebastian Ertz	25785041e7	Correct spacing between username and bot label (#36473 ) (#36484 ) Backport #36473 Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2026-01-30 05:47:46 +00:00
Giteabot	ff3d11034d	[SECURITY] Toolchain Update to Go 1.25.6 (#36480 ) (#36487 ) Backport #36480 by @ZPascal ## Overview This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for the Gitea project. ## Changes ### Toolchain Update - Go Toolchain: Updated from `go1.25.5` to `go1.25.6` This is a minor toolchain version bump that ensures the project uses the latest patch release of Go 1.25. ## Security Improvements While this PR primarily addresses the toolchain update, the project maintains a strong security posture through: ### Current Security Measures ```log Vulnerability #1: GO-2026-4342 Excessive CPU consumption when building archive index in archive/zip More info: https://pkg.go.dev/vuln/GO-2026-4342 Standard library Found in: archive/zip@go1.25.5 Fixed in: archive/zip@go1.25.6 Example traces found: #1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open Vulnerability #2: GO-2026-4341 Memory exhaustion in query parameter parsing in net/url More info: https://pkg.go.dev/vuln/GO-2026-4341 Standard library Found in: net/url@go1.25.5 Fixed in: net/url@go1.25.6 Example traces found: #1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery #2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query Vulnerability #3: GO-2026-4340 Handshake messages may be processed at the incorrect encryption level in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4340 Standard library Found in: crypto/tls@go1.25.5 Fixed in: crypto/tls@go1.25.6 Example traces found: #1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake #2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext #3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read #4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write #5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial #6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer #7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext ``` Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>	2026-01-29 21:18:21 -08:00
Giteabot	750649c1ef	Fix oauth2 s256 (#36462 ) (#36477 ) Backport #36462 by @lunny --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2026-01-28 12:37:39 -08:00
Lunny Xiao	eb95bbc1fd	Add missing changelog for v1.25.4 (#36433 )	2026-01-23 06:35:34 +01:00