500 Commits

Author SHA1 Message Date
Catherine cff4b4e41d [security] Forbid backslashes from occurring in project names.
This addresses an authorization bypass (which could occur only on
Windows).

A more principled way to do this would be to use `os.Root.OpenRoot`
and scope the actual filesystem operations per-domain. However, I
prototyped this and it was complicated enough that it wasn't clear
whether this would not introduce new issues.

V12-Ref: F-77209
v0.9.1
2026-05-31 14:28:06 +00:00
Catherine ad8359c89d [security] Actually check result of appendNewAuditRecord.
Backport of commit 16505f6054.
2026-05-31 14:27:44 +00:00
Catherine 55f87083e5 [security] Fix false positives on Caddy endpoint due to domain cache.
In commit bbdaae7280, a domain cache was
introduced to deal with misbehaving crawlers that forge the `Host:` header
and may cause thousands of expensive S3 requests to be submitted.
This domain cache is implemented using a Bloom filter (which can
produce false positives but not false negatives) for the S3 backend, and
using a function always returning true (which will be a false positive
in most cases) for the FS backend.

Both of these behaviors are unacceptable for the Caddy endpoint, but
the FS backend case much more so. If you use git-pages with Caddy you
should upgrade to a build that includes this commit as soon as possible
or Let's Encrypt may rate-limit or restrict your account when you get
unlucky with a crawler.
v0.9.0
2026-05-11 10:26:53 +00:00
miyuko a9fc5780b1 Record git repo URL in the principal when forge auth is used.
Resolves: https://codeberg.org/git-pages/git-pages/issues/167
2026-05-11 03:40:46 +01:00
miyuko ad92847fa0 Record git repo URL in manifest for archive uploads with forge auth.
Resolves: https://codeberg.org/git-pages/git-pages/issues/165
2026-05-11 03:38:54 +01:00
Catherine 3311fb639d Fix incorrect example use case of _headers.
git-pages enables CORS automatically and unconditionally, but COOP/COEP
have to be configured manually.
2026-05-05 03:12:51 +00:00
Catherine 93ce4f9671 Bring authorization flow documentation up to date. 2026-05-05 02:56:08 +00:00
Catherine 73e47cd8d5 Significantly improve efficiency of tracing.
I thought I was being smart by using a trie to record blob existence
and sizes. I was not. The trie approach had at least ~5 times less
throughput and consumed entirely unreasonable amounts of RAM.

A hashmap works just fine here.
2026-05-05 01:57:41 +00:00
Catherine dd7268a657 Fix typo. 2026-05-03 12:30:17 +00:00
Catherine edae862551 Surface detached status of audit records in diagnostic output. 2026-05-03 12:01:33 +00:00
miyuko 5808e90e5a Allow detaching all audit records related to a site. 2026-05-03 11:53:01 +00:00
miyuko 684553ba72 Replace pelletier/go-toml with BurntSushi/toml.
Most of the code was borrowed from
https://codeberg.org/whitequark/ircv3-filehost-server.
2026-04-27 18:26:33 +01:00
miyuko 89f672beda Allow detaching audit records from their blobs for garbage collection.
Resolves: https://codeberg.org/git-pages/git-pages/issues/148
2026-04-27 17:29:16 +01:00
miyuko a233cdfbb8 Fix S3Backend.SearchAuditLog ignoring search options. 2026-04-27 16:48:36 +01:00
Catherine 4d8e620846 Account for manifest's own size for -size-histogram. 2026-04-27 01:16:16 +02:00
Catherine e8112c1abe Add a CLI command -audit-expire to purge old audit records.
This is particularly important with the FS backend, where there isn't
necessarily native tooling capable of handling this task correctly
(since not every filesystem supports file "birth times", and since
restoring data from a backup will reset the "birth time" of audit
records to the moment of restoration).
2026-04-26 23:10:22 +00:00
Catherine b0a674abf4 Fix incorrect start time in AuditID.CompareTime. 2026-04-26 22:59:36 +00:00
Catherine f001107056 Create audit records as read-only when using FS backend.
There is no reason to ever modify the records.
2026-04-26 22:55:30 +00:00
Catherine b7170e3077 Create a domain cache for CLI operations.
Fixes a regression (crash) in `-update-site` introduced in commit bbdaae7280.
v0.8.1
2026-04-26 21:05:55 +00:00
whitequark 7f5e02081d Add links to support channels. 2026-04-25 22:52:06 +02:00
Catherine 59cf185143 Only log media type for PUT, PATCH, and POST requests.
There isn't much point in logging `Accept:` for GET requests and it
is very noisy.
2026-04-23 16:42:46 +00:00
Catherine c5c5306688 [breaking-change] Use a distinct scope for forge DNS allowlist authz.
Before this commit, a `_git-pages-repository.<host>` TXT record would
allow both forge DNS allowlist authorization, as well as normal DNS
allowlist authorization. This means that a site set up to have its
contents updated by a Forgejo Action could have its contents replaced
by the contents of the repository which contains the Forgejo Action,
which will effectively erase the site in most cases. This is a classic
confused deputy scenario.

To fix this, forge DNS allowlist authorization now uses a distinct
`_git-pages-forge-allowlist.<host>` TXT record, removing ambiguity
that allows this scenario to happen.

The issue was introduced in 27a6de792c and existed in `main` for about
an hour, so it is unlikely anybody has been impacted by this.
v0.8.0
2026-04-23 15:20:32 +00:00
Catherine 27a6de792c Allow using forge authorization with non-wildcard domains.
The new authorization method combines DNS allowlist and existing forge
authorization methods: DNS records are used to determine the allowed
repository URL, and forge authorization is used to check for push
permissions to that URL.
2026-04-22 01:59:37 +00:00
Catherine 2c109a5e1e Factor out common authorization code. NFC
This commit unifies most of the implementation of `AuthorizeDeletion`
and `AuthorizeUpdateFromArchive`, with the latter additionally checking
that the repository URL in the authorization grant follows the limits.

This is done in preparation of adding a second forge authorization
sub-mechanism that can handle non-wildcard domains.
2026-04-22 01:59:37 +00:00
Catherine d17c645927 Improve forge authorization error message for invalid tokens.
Before:

    - not authorized by forge (wildcard)
      - cannot check repository permissions: GET https://codeberg.org/api/v1/repos/whitequark/whitequark.codeberg.page returned 401 Unauthorized

After:

    - not authorized by forge (wildcard)
      - no access to whitequark/whitequark.codeberg.page or invalid token
2026-04-22 01:59:37 +00:00
Catherine 57e9d05c7f Update default index branch name for codeberg-pages-compat quirk.
The actual Codeberg Pages v2 server uses the Forgejo default branch
for the index repository. The quirk previously used the `main` branch
unconditionally.

This is complex to implement, so per discussion with gusted we have
decided to change the default branch to `pages` so that it has parity
with non-Codeberg-specific behavior.
2026-04-22 00:47:49 +00:00
woodpecker-bot 1e6afe6570 [Renovate] Update docker.io/library/caddy:2.11.2-builder Docker digest to 10ed025 2026-04-20 02:41:04 +02:00
Andrew Cassidy b3692362d8 Allow loading secrets from an additional configuration file.
Adds the `-secrets` command line flag, which defaults to `$CREDENTIALS_DIRECTORY/secrets.toml` if it exists. The secrets.toml file will be loaded the same way as the main config.toml.

Reviewed-on: https://codeberg.org/git-pages/git-pages/pulls/137
Reviewed-by: Catherine <whitequark@whitequark.org>
Co-authored-by: Andrew Cassidy <drewcassidy@me.com>
Co-committed-by: Andrew Cassidy <drewcassidy@me.com>
2026-04-20 02:40:34 +02:00
David Leadbeater 021c493daa Revert "Revert "[Renovate] Update all dependencies""
This reverts commit 57dc8f8520.
2026-04-18 23:12:49 +10:00
David Leadbeater b54664258b Update go-git API to v6.0.0-alpha.2 2026-04-18 23:12:18 +10:00
Catherine 57dc8f8520 Revert "[Renovate] Update all dependencies"
This reverts commit 2b35996f62.
2026-04-18 12:08:07 +00:00
woodpecker-bot 2b35996f62 [Renovate] Update all dependencies 2026-04-18 11:59:05 +00:00
Catherine cf050f505b Improve performance of -trace-garbage. 2026-04-14 05:01:37 +00:00
Catherine 6097a9abb8 Add a Server: header unconditionally.
Previously we wouldn't do it if hostname could not be determined, which
would break git-pages-cli based uploads on those machines.
2026-04-14 03:39:52 +00:00
Catherine fe329d748d [breaking-change] Drop Fly.io-specific behavior.
Fly.io is led by AI boosterism, and we don't want to encourage that
kind of behavior.
2026-04-14 03:39:52 +00:00
miyuko bbdaae7280 Add a domain cache to quickly reject non-existent domains. 2026-04-13 13:45:16 +00:00
miyuko f400f8d246 Enable all S3 features when initializing the store. 2026-04-13 13:13:14 +00:00
bin 86259acf9c nix: fix building on non-linux platforms 2026-04-12 10:56:44 +00:00
woodpecker-bot af7657a787 [Renovate] Update all dependencies 2026-04-12 01:06:02 +00:00
miyuko ed24f08d5f Constrain the parallelism of fetching audit log records. 2026-04-11 19:43:13 +00:00
Catherine d7651941c0 Fetch manifests from S3 in parallel for histogram and tracing.
This is mainly done to speed up histogram collection, as waiting some
minutes defeats the purpose of having a quick overview function.

This commit does speed up GC tracing as well, but not as much because
audit records are still retrieved one at a time. A similar mechanism
could be added in the future there.

Filesystem logic is functionally identical since it was fine already.
2026-04-04 21:10:05 +00:00
Catherine bcd628fa6b Allow Chmod() in PutBlob() to fail with -EPERM.
This can happen on an NFSv4 filesystem with POSIX permissions disabled.

Fixes #131.
2026-04-04 01:17:32 +00:00
woodpecker-bot 6a3372a36a [Renovate] Update all dependencies 2026-04-04 00:13:10 +00:00
miyuko 8d4ea36dec Re-throw http.ErrAbortHandler from our panic handler.
This aborts the response to the client and doesn't log an error.

httputil.ReverseProxy commonly panics with this error.

This results in different behavior from simply swallowing the panic.
Panicking prevents flushing the response to the client, and in the case
of a panic from httputil.ReverseProxy it results in clients potentially
receiving an empty response instead of what was already written to
http.ResponseWriter. This behavior is the same as if the panic handler
hadn't been installed.
2026-04-03 00:29:45 +00:00
Catherine 6509a8e1d2 Add -size-histogram option for summarizing resource use.
Useful to evaluate who consumes the most storage (or the most size
quota) visually at a glance.
2026-04-01 23:52:24 +00:00
Catherine 6775f4aab5 Fix incorrect frozen domain check for S3 backend. 2026-04-01 22:50:40 +00:00
Catherine 1df1402f6b CI: fetch tags when building release artifacts. 2026-03-31 09:22:03 +00:00
Catherine 8dffd9cf11 CI: fix embedding of version information. 2026-03-31 09:05:37 +00:00
Catherine 5258bf756b Add support for Netlify Basic-Auth: mechanism. 2026-03-29 12:11:56 +00:00
woodpecker-bot 38eb8afd0e [Renovate] Update all dependencies 2026-03-29 12:06:56 +00:00