upstream/forgejo
1
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-04-22 22:36:56 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
Forge Git auto-hébergée
24646 commits 33 branches 275 tags 253 MiB
Go 75.7%
go-html-template 10.4%
JavaScript 4.4%
Roff 4.1%
CSS 2.7%
Other 2.6%
Find a file
Mathieu Fenniak f93d2cb261 ci: detect and prevent empty case statements in Go code (#11593) 
One of the security patches released 2026-03-09 [fixed a vulnerability](d1c7b04d09) caused by a misapplication of Go `case` statements, where the implementation would have been correct if Go `case` statements automatically fall through to the next case block, but they do not.  This PR adds a semgrep rule which detects any empty `case` statement and raises an error, in order to prevent this coding mistake in the future.

For example, code like this will now trigger a build error:
```go
	switch setting.Protocol {
	case setting.HTTPUnix:
	case setting.FCGI:
	case setting.FCGIUnix:
	default:
		defaultLocalURL := string(setting.Protocol) + "://"
	}
```

Example error:
```
    cmd/web.go
   ❯❯❱ semgrep.config.forgejo-switch-empty-case
          switch has a case block with no content. This is treated as "break" by Go, but developers may
          confuse it for "fallthrough".  To fix this error, disambiguate by using "break" or
          "fallthrough".

          279┆ switch setting.Protocol {
          280┆ case setting.HTTPUnix:
          281┆ case setting.FCGI:
          282┆ case setting.FCGIUnix:
          283┆ default:
          284┆   defaultLocalURL := string(setting.Protocol) + "://"
          285┆   if setting.HTTPAddr == "0.0.0.0" {
          286┆           defaultLocalURL += "localhost"
          287┆   } else {
          288┆           defaultLocalURL += setting.HTTPAddr
```

As described in the error output, this error can be fixed by explicitly listing `break` (the real Go behaviour, to do nothing in the block), or by listing `fallthrough` (if the intent was to fall through).

All existing code triggering this detection has been changed to `break` (or, rarely, irrelevant cases have been removed), which should maintain the same code functionality.  While performing this fixup, a light analysis was performed on each case and they *appeared* correct, but with ~65 cases I haven't gone into extreme depth.

Tests are present for the semgrep rule in `.semgrep/tests/go.go`.

## Checklist

The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).

### Documentation

- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11593
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
2026-03-10 02:50:28 +01:00
.devcontainer Update Node.js to v24 (forgejo) (#10091) 2025-11-12 19:41:48 +01:00
.forgejo Update https://data.forgejo.org/actions/setup-forgejo action to v3.1.7 (forgejo) (#11559) 2026-03-08 02:52:17 +01:00
.semgrep ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
assets chore(deps): upgrade xorm to v1.3.9-forgejo.7 (#11538) 2026-03-07 15:38:53 +01:00
build fix(ui): hardcode sort options in search syntax hint, improve look (#11381) 2026-02-23 06:03:23 +01:00
cmd ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
contrib chore: rename 'forgejo_migrations' to 'forgejo_migrations_legacy' 2025-10-14 14:40:49 -06:00
custom/conf fix: replace reference to Monaco with CodeMirror in app.example.ini (#11507) 2026-03-05 21:32:13 +01:00
docker chore(Dockerfile.rootless): remove legacy config file support (#11098) 2026-03-02 06:03:39 +01:00
models ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
modules ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
options fix: Forgejo Security Patches, 2026-03-09 (#11513) 2026-03-09 05:54:05 +01:00
public chore(security): update security.txt with new expiration date (#10447) 2025-12-17 12:32:42 +01:00
release-notes chore: release notes from #11514 & #11515 backports 2026-03-08 20:07:52 -06:00
release-notes-published chore(release-notes): Forgejo v14.0.3 [skip ci] (#11583) 2026-03-09 07:00:32 +01:00
releases/images [DOCS] RELEASE-NOTES.md 2024-02-05 14:44:32 +01:00
routers ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
services ci: detect and prevent empty case statements in Go code (#11593) 2026-03-10 02:50:28 +01:00
templates feat: add more filters to actions run and tasks api (#11584) 2026-03-10 01:20:00 +01:00
tests chore: rename AccessTokenError to AccessTokenErrorResponse (#11595) 2026-03-09 23:36:47 +01:00
tools chore: move backend-checks CI checks to Makefile: make pr-go (#11053) 2026-02-17 02:41:40 +01:00
web_src feat(ui): improve visibility of counters inside of switch items (#11472) 2026-03-08 18:09:13 +01:00
.air.toml chore: rename 'migrations' to 'gitea_migrations' 2025-10-14 14:40:49 -06:00
.deadcode-out feat: implement repo-specific access tokens broadly for universal API permission checks (#11437) 2026-02-28 19:47:06 +01:00
.dockerignore fix: Dockerfile should re-use bindata files when possible 2025-06-13 14:00:57 +02:00
.editorconfig i18n(next): convert indention style to tabs: en, editorconfig (#10661) 2026-01-02 05:56:48 +01:00
.envrc.example Make direnv optional to let developers use their own direnv configuration 2024-11-06 20:34:49 +01:00
.gitattributes Add interface{} to any replacement to make fmt, exclude *.pb.go (#30461) 2024-04-15 20:01:36 +02:00
.gitignore feat(build): improve lint-locale-usage further (#8736) 2025-08-27 23:47:34 +02:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 10:13:51 +02:00
.gitpod.yml Remove sqlite-viewer and using database client (#31223) 2024-06-09 11:13:39 +02:00
.golangci.yml chore(lint): enable nilnil (#11235) 2026-02-11 19:08:24 +01:00
.ignore Add /options/license and /options/gitignore to .ignore (#30219) 2024-04-07 15:40:31 +02:00
.mailmap Add .mailmap with aliases for Unknwon (github.com/Unknwon) 2024-08-14 08:26:16 -04:00
.markdownlint.yaml Update JS dependencies (#28537) 2023-12-30 05:29:03 +00:00
.node-version Update Node.js to v24.13.1 (forgejo) (#11236) 2026-02-11 16:23:00 +01:00
.npmrc Upgrade to npm lockfile v3 and explicitely set it (#23561) 2023-03-18 19:38:10 +01:00
.release-notes-assistant.yaml chore(release-notes): teach release-notes-assistant that v11.0 is LTS (#10638) 2025-12-30 10:00:22 +01:00
.spectral.yaml
.yamllint.yaml fully replace drone with actions (#27556) 2023-10-11 06:39:32 +00:00
BSDmakefile feat: Makefile & BSDmakefile changes (#7455) 2025-04-27 10:04:32 +00:00
CODEOWNERS chore: add @0xllx0 to federation codeowners (#10716) 2026-01-09 23:53:06 +01:00
CONTRIBUTING.md docs: replace Developer Guide link with the new Contributor Guide one. 2024-08-26 13:22:39 +03:00
DCO Remove address from DCO (#22595) 2023-01-24 18:52:38 +00:00
Dockerfile Update data.forgejo.org/oci/alpine Docker tag to v3.23 (forgejo) (#10326) 2025-12-18 15:21:39 +01:00
Dockerfile.rootless chore(Dockerfile.rootless): remove legacy config file support (#11098) 2026-03-02 06:03:39 +01:00
eslint.config.mjs feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
flake.lock chore: bump nixpkgs in flake.lock (#10128) 2025-11-16 01:18:26 +01:00
flake.nix refactor: Simplify flake.nix (#9805) 2025-10-22 19:09:11 +02:00
go.mod Update module github.com/minio/minio-go/v7 to v7.0.99 (forgejo) (#11568) 2026-03-09 16:31:21 +01:00
go.sum Update module github.com/minio/minio-go/v7 to v7.0.99 (forgejo) (#11568) 2026-03-09 16:31:21 +01:00
LICENSE Forgejo v9.0 is GPLv3+ 2024-08-22 09:09:29 +02:00
main.go fix: do not mix urfave v2 with urfave v3 (#8168) 2025-06-12 15:38:03 +02:00
Makefile chore: cleanup Makefile (#11587) 2026-03-09 15:19:28 +01:00
manifest.scm Add a GNU Guix manifest (#8038) 2025-06-03 08:08:17 +02:00
package-lock.json Update dependency katex to v0.16.37 (forgejo) (#11599) 2026-03-10 02:04:22 +01:00
package.json Update dependency katex to v0.16.37 (forgejo) (#11599) 2026-03-10 02:04:22 +01:00
playwright.config.ts chore: remove webkit and mobile safari from playwright (#10103) 2025-11-13 17:23:08 +01:00
README.md chore: fix a few typos in the documentation (#9134) 2025-09-04 01:53:40 +02:00
release-notes-assistant.sh chore: improve the wording of the "not worth a release note" category (#8542) 2025-07-18 07:19:15 +02:00
RELEASE-NOTES.md chore(release-notes): fix release notes of chroma update in v8.0.0 2025-10-05 17:10:38 +05:00
shell.nix chore: use interactive sqlite via nix (#10439) 2025-12-17 13:20:33 +01:00
stylelint.config.js Merge pull request 'Port "Enable declaration-block-no-redundant-longhand-properties (#30950)' (#3769) from beowulf/gitea-port-pull-30950 into forgejo 2024-05-14 22:23:54 +00:00
tailwind.config.js chore(ui): change /devtest to /-/demo (#11019) 2026-01-26 13:12:25 +01:00
tsconfig.json feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
vitest.config.ts feat(ui): replace Monaco with CodeMirror (#10559) 2026-01-04 23:52:33 +01:00
webpack.config.js chore(ui): change /devtest to /-/demo (#11019) 2026-01-26 13:12:25 +01:00

README.md

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of built-in functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

License

Forgejo is distributed under the terms of the GPL version 3.0 or any later version.

The agreement for this license was documented in June 2023 and implemented during the development of Forgejo v9.0. All Forgejo versions before v9.0 are distributed under the MIT license.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.