diff --git a/cmd/hook.go b/cmd/hook.go index f07568dd8..9f547362d 100644 --- a/cmd/hook.go +++ b/cmd/hook.go @@ -16,6 +16,7 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/git" "code.gitea.io/gitea/modules/private" + "code.gitea.io/gitea/modules/setting" "github.com/urfave/cli" ) @@ -55,7 +56,13 @@ var ( func runHookPreReceive(c *cli.Context) error { if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { - return nil + if setting.OnlyAllowPushIfGiteaEnvironmentSet { + fail(`Rejecting changes as Gitea environment not set. +If you are pushing over SSH you must push with a key managed by +Gitea or set your environment appropriately.`, "") + } else { + return nil + } } setup("hooks/pre-receive.log") @@ -115,7 +122,13 @@ func runHookPreReceive(c *cli.Context) error { func runHookUpdate(c *cli.Context) error { if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { - return nil + if setting.OnlyAllowPushIfGiteaEnvironmentSet { + fail(`Rejecting changes as Gitea environment not set. +If you are pushing over SSH you must push with a key managed by +Gitea or set your environment appropriately.`, "") + } else { + return nil + } } setup("hooks/update.log") @@ -125,7 +138,13 @@ func runHookUpdate(c *cli.Context) error { func runHookPostReceive(c *cli.Context) error { if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 { - return nil + if setting.OnlyAllowPushIfGiteaEnvironmentSet { + fail(`Rejecting changes as Gitea environment not set. +If you are pushing over SSH you must push with a key managed by +Gitea or set your environment appropriately.`, "") + } else { + return nil + } } setup("hooks/post-receive.log") diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 68c33f710..ab353f9d5 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md 
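Review bot: `setting.OnlyAllowPushIfGiteaEnvironmentSet` is read in runHookPreReceive before `setup("hooks/pre-receive.log")` runs, while the setting.go hunk shows the value is only assigned inside `NewContext()`. If setup is what loads the configuration (not visible in this diff), the variable still holds its zero value `false` here and the branch returns nil, so the rejection never fires and the check fails open. Either move the setup call above the `SSH_ORIGINAL_COMMAND` test or confirm that settings are loaded earlier; the same ordering appears in the runHookUpdate and runHookPostReceive hunks. The function body continues past the end of the hunk.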
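Review bot: Nothing follows `fail(...)` in the new branch of runHookUpdate, so the rejection depends entirely on fail terminating the process; its definition is not in this diff, and if it ever returns, execution falls through to `setup("hooks/update.log")` and the update is allowed. A guard clause inside the outer `if` makes the intent explicit and drops the `else`: `if !setting.OnlyAllowPushIfGiteaEnvironmentSet { return nil }` followed by the `fail(...)` call, with a comment that fail does not return once that is confirmed. The three-line message is also repeated verbatim in runHookPreReceive and runHookPostReceive and could live in one package-level constant. The function body continues past the hunk.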
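Review bot: The message in runHookPostReceive says `Rejecting changes`, but git runs post-receive after the refs have already been updated, so a failure here cannot undo the push; only the pre-receive and update checks can block it. Consider wording this branch as a warning rather than a rejection, or adding a comment such as `// post-receive cannot reject a push: the refs are already updated`. The function body continues past the hunk.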
@@ -244,6 +244,7 @@ relation to port exhaustion. authentication provided email. - `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom git hooks. +- `ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET`: **true**: Set to `false` to allow local users to push to gitea-repositories without setting up the Gitea environment. This is not recommended and if you want local users to push to gitea repositories you should set the environment appropriately. - `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server. - `INTERNAL_TOKEN`: **\**: Secret used to validate communication within Gitea binary. - `INTERNAL_TOKEN_URI`: ****: Instead of defining internal token in the configuration, this configuration option can be used to give Gitea a path to a file that contains the internal token (example value: `file:/etc/gitea/internal_token`) diff --git a/modules/setting/setting.go b/modules/setting/setting.go index f3dd45d7b..c0b9b99e3 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -140,18 +140,19 @@ var ( } // Security settings - InstallLock bool - SecretKey string - LogInRememberDays int - CookieUserName string - CookieRememberName string - ReverseProxyAuthUser string - ReverseProxyAuthEmail string - MinPasswordLength int - ImportLocalPaths bool - DisableGitHooks bool - PasswordComplexity []string - PasswordHashAlgo string + InstallLock bool + SecretKey string + LogInRememberDays int + CookieUserName string + CookieRememberName string + ReverseProxyAuthUser string + ReverseProxyAuthEmail string + MinPasswordLength int + ImportLocalPaths bool + DisableGitHooks bool + OnlyAllowPushIfGiteaEnvironmentSet bool + PasswordComplexity []string + PasswordHashAlgo string // UI settings UI = struct { 
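Review bot: `OnlyAllowPushIfGiteaEnvironmentSet` is added to the security settings in modules/setting/setting.go without a comment, and its name suggests a stronger guarantee than the hooks give. The check it drives in cmd/hook.go only tests whether `SSH_ORIGINAL_COMMAND` is non-empty, and that value comes from the environment of the process running the hook. A doc comment such as `// OnlyAllowPushIfGiteaEnvironmentSet makes the git hooks reject pushes that arrive without the Gitea environment; it guards against accidental direct pushes and does not replace file permissions on the repositories.` would record that. The var block starts and ends outside the hunk.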
@@ -778,6 +779,7 @@ func NewContext() { MinPasswordLength = sec.Key("MIN_PASSWORD_LENGTH").MustInt(6) ImportLocalPaths = sec.Key("IMPORT_LOCAL_PATHS").MustBool(false) DisableGitHooks = sec.Key("DISABLE_GIT_HOOKS").MustBool(false) + OnlyAllowPushIfGiteaEnvironmentSet = sec.Key("ONLY_ALLOW_PUSH_IF_GITEA_ENVIRONMENT_SET").MustBool(true) PasswordHashAlgo = sec.Key("PASSWORD_HASH_ALGO").MustString("pbkdf2") CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)