Enforce Gitea environment for pushes (#8982)

* Enforce Gitea environment for pushes * Update custom/conf/app.ini.sample Co-Authored-By: Antoine GIRARD <sapk@users.noreply.github.com>
5 years ago · dd1beee2ef
parent 3621944c2d
commit dd1beee2ef
4 changed files with 42 additions and 18 deletions
--- a/cmd/hook.go
+++ b/cmd/hook.go
@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/urfave/cli"
 )
@ -55,7 +56,13 @@ var (
 func runHookPreReceive(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
 			fail(`Rejecting changes as Gitea environment not set.
 If you are pushing over SSH you must push with a key managed by
 Gitea or set your environment appropriately.`, "")
 		} else {
 			return nil
 		}
 	}
 	setup("hooks/pre-receive.log")
@ -115,7 +122,13 @@ func runHookPreReceive(c *cli.Context) error {
 func runHookUpdate(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
 			fail(`Rejecting changes as Gitea environment not set.
 If you are pushing over SSH you must push with a key managed by
 Gitea or set your environment appropriately.`, "")
 		} else {
 			return nil
 		}
 	}
 	setup("hooks/update.log")
@ -125,7 +138,13 @@ func runHookUpdate(c *cli.Context) error {
 func runHookPostReceive(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
-		return nil
+		if setting.OnlyAllowPushIfGiteaEnvironmentSet {
 			fail(`Rejecting changes as Gitea environment not set.
 If you are pushing over SSH you must push with a key managed by
 Gitea or set your environment appropriately.`, "")
 		} else {
 			return nil
 		}
 	}
 	setup("hooks/post-receive.log")
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@ -383,6 +383,8 @@ MIN_PASSWORD_LENGTH = 6
 IMPORT_LOCAL_PATHS = false
 ; Set to true to prevent all users (including admin) from creating custom git hooks
 DISABLE_GIT_HOOKS = false
 ; Set to false to allow pushes to gitea repositories despite having an incomplete environment - NOT RECOMMENDED
 ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET = true
 ;Comma separated list of character classes required to pass minimum complexity.
 ;If left empty or no valid values are specified, the default values ("lower,upper,digit,spec") will be used.
 ;Use "off" to disable checking.
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@ -244,6 +244,7 @@ relation to port exhaustion.
   authentication provided email.
 - `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom
   git hooks.
 - `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately.
 - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.
 - `INTERNAL_TOKEN`: **\<random at every install if no uri set\>**: Secret used to validate communication within Gitea binary.
 - `INTERNAL_TOKEN_URI`: **<empty>**: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`)
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@ -140,18 +140,19 @@ var (
 	}
 	// Security settings
-	InstallLock           bool
+	InstallLock                        bool
-	SecretKey             string
+	SecretKey                          string
-	LogInRememberDays     int
+	LogInRememberDays                  int
-	CookieUserName        string
+	CookieUserName                     string
-	CookieRememberName    string
+	CookieRememberName                 string
-	ReverseProxyAuthUser  string
+	ReverseProxyAuthUser               string
-	ReverseProxyAuthEmail string
+	ReverseProxyAuthEmail              string
-	MinPasswordLength     int
+	MinPasswordLength                  int
-	ImportLocalPaths      bool
+	ImportLocalPaths                   bool
-	DisableGitHooks       bool
+	DisableGitHooks                    bool
-	PasswordComplexity    []string
+	OnlyAllowPushIfGiteaEnvironmentSet bool
-	PasswordHashAlgo      string
+	PasswordComplexity                 []string
 	PasswordHashAlgo                   string
 	// UI settings
 	UI = struct {
@ -778,6 +779,7 @@ func NewContext() {
 	MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6)
 	ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false)
 	DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false)
 	OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true)
 	PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2")
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)