fix(security): cherry-pick upstream v1.26.2 security and bug fixes #225

Open
opened 2026-05-26 21:21:06 +00:00 by jmiller · 0 comments

Summary

Upstream Gitea v1.26.2 contains 12 security fixes and several high-impact bug fixes that need to be cherry-picked into MokoGitea. We have diverged from upstream, so a full merge is not viable; individual cherry-picks are required.

Security Fixes (Priority: Critical)

These address token theft, privilege escalation, and access control bypass:

  • 5038561235 fix(oauth): strengthen PKCE validation and refresh token replay protection (#37706)
  • 86cc3e8783 fix(oauth): bind token exchanges to the original client request (#37704)
  • 519b8d6d88 fix(security): enforce wiki git writes and LFS token access at request time (#37695)
  • 9c0ad8291b fix: Add missed token scope checking (#37735)
  • 2965b0c08a fix(web): enforce token scopes on raw, media, and attachment downloads (#37698)
  • a34eac5ef4 fix: Unify public-only token filtering in API queries and repo access checks (#37118)
  • 6d2b02dac1 fix(permissions): Fix reading permission (#37769)
  • 4ee74d7699 FIX: URL sanitization to handle schemeless credentials (#37440)
  • 78899832eb Fix attachment Content-Security-Policy (#37455)
  • b88bad2a01 Fix basic auth bug (#37503)
  • 5636219dbc chore(deps): bump go-git/go-git/v5 to 5.19.0 (security)
  • 57dd9f5bab fix(deps): update dependency mermaid to v11.15.0 [security]

Bug Fixes (Priority: High)

  • 1c2d5e9b03 fix(actions): make artifact signature payloads unambiguous (#37707)
  • 1d7b84922f fix(actions): wrong assumption that run id always >= job id (#37737)
  • b586d80f97 fix(actions): prevent panic when workflow contains null jobs (#37570)
  • 356a119f30 fix(actions): validate workflow param to prevent 500 error (#37546)
  • 677ab982bf fix(git): Fix smart http request scope bug (#37583)
  • dd78d87dcd fix: merge autodetect cannot close other PRs (#37512)
  • 74e515623b Fix allow maintainer edit permission check (#37479)
  • e2b211f291 Fix update branch protection order (#37508)
  • ab0d52b4c7 fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564)

Bug Fixes (Priority: Medium)

  • 5eaa0bc603 fix(packages): Add label for private and internal package and fix composer package source permission check (#37610)
  • edfba678ec fix!: add DEFAULT_TITLE_SOURCE setting for pull request title default behavior (#37465)
  • 5632abff9e Fix review submission from single-commit PR view (#37475)
  • a859221a62 fix(pull): handle empty pull request files view to allow reviews (#37783)
  • 631a9b5d16 fix: make clone URL respect public URL detection setting (#37615)
  • fb159eae8f fix: run as root check (#37622)

Already Cherry-Picked

  • 7b82ded82a fix(actions): deadlock between PrepareRunAndInsert and UpdateTaskByState (#37692)
  • c4a1ff7d16 Fix scheduled action panic with null event payload (#37459)
  • b79529015e Do not unblock run-level-concurrency-blocked runs in the resolver (#37461)
  • 3004c45607 fix: Invalid UTF-8 commit messages in JSON API responses (#37542)

Approach

  1. Cherry-pick security fixes first into a single branch
  2. Resolve conflicts against MokoGitea namespace changes
  3. Test build + lint
  4. PR to dev, then RC to main

Opened by Claude Code on behalf of @jmiller

jmiller added the priority: high, ci-cd labels 2026-05-26 21:21:06 +00:00
Reference: MokoConsulting/MokoGitea#225