forgejo/routers/web
Gusted 5b3a82d621
[FEAT] Enable ambiguous character detection in configured contexts
- The ambiguous character detection is an important security feature to
combat against sourcebase attacks (https://trojansource.codes/).
- However there are a few problems with the feature as it stands
today (i) it's apparantly an big performance hitter, it's twice as slow
as syntax highlighting (ii) it contains false positives, because it's
reporting valid problems but not valid within the context of a
programming language (ambiguous charachters in code comments being a
prime example) that can lead to security issues (iii) charachters from
certain languages always being marked as ambiguous. It's a lot of effort
to fix the aforementioned issues.
- Therefore, make it configurable in which context the ambiguous
character detection should be run, this avoids running detection in all
contexts such as file views, but still enable it in commits and pull
requests diffs where it matters the most. Ideally this also becomes an
per-repository setting, but the code architecture doesn't allow for a
clean implementation of that.
- Adds unit test.
- Adds integration tests to ensure that the contexts and instance-wide
is respected (and that ambigious charachter detection actually work in
different places).
- Ref: https://codeberg.org/forgejo/forgejo/pulls/2395#issuecomment-1575547
- Ref: https://codeberg.org/forgejo/forgejo/issues/564
2024-02-23 13:12:17 +01:00
..
admin Auto-update the system status in admin dashboard (#29163) 2024-02-17 23:24:31 +01:00
auth Refactor more code in templates (#29236) 2024-02-19 22:58:32 +01:00
devtest Make "cancel" buttons have proper type in modal forms (#25618) 2023-07-03 14:04:50 +08:00
events Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
explore Allow to set explore page default sort (#27951) 2023-11-09 10:11:45 +00:00
feed Refactor locale&string&template related code (#29165) 2024-02-16 15:20:52 +01:00
healthcheck [BRANDING] cosmetic s/Gitea/Forgejo/ in logs, messages, etc. 2024-02-05 16:02:14 +01:00
misc [API] Forgejo API /api/forgejo/v1 2024-02-05 14:44:32 +01:00
org Refactor locale&string&template related code (#29165) 2024-02-16 15:20:52 +01:00
repo [FEAT] Enable ambiguous character detection in configured contexts 2024-02-23 13:12:17 +01:00
shared Refactor more code in templates (#29236) 2024-02-19 22:58:32 +01:00
user Fix missing template for follow button in organization (#29215) 2024-02-17 23:24:31 +01:00
base.go Fix panic in storageHandler (#27446) 2023-10-06 13:23:14 +00:00
githttp.go Add support for sha256 repositories (#23894) 2024-01-19 17:05:02 +01:00
goget.go Support SSH for go get (#24664) 2023-05-12 09:44:37 +00:00
home.go Enhanced auth token / remember me (#27606) 2023-10-14 00:56:41 +00:00
metrics.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
nodeinfo.go Implement FSFE REUSE for golang files (#21840) 2022-11-27 18:20:29 +00:00
swagger_json.go Refactor more code in templates (#29236) 2024-02-19 22:58:32 +01:00
web.go Auto-update the system status in admin dashboard (#29163) 2024-02-17 23:24:31 +01:00
webfinger.go Add a link to OpenID Issuer URL in WebFinger response (#26000) 2023-07-20 16:02:45 +08:00