docker image ls
...
gitea/gitea 1.16 3fccf68da11d
...
Database
PostgreSQL
Can you reproduce the bug on the Gitea demo site?
No
Log Gist
No response
Description
Error
After upgrading our gitea server to version 1.16.1 we are encountering problems during merging of PRs to protected branches. The pre-receive-hook is denying the merge commits from the ui. In the logs the warning from line 288 of file hook_pre_receive.go ("Forbidden: User %d is not allowed to push to protected branch: %s in %-v") can be observed.
After debugging the code we found out that the pull request id cannot be parsed from the payload of the internal post-request to the pre-receive-hook and thus, a wrong code path is used.
The go-json library is throwing an error for the empty GitPushOptions for an input string of exactly this size.
    return web.Wrap(func(ctx *context.PrivateContext) {
        theObj := reflect.New(tp).Interface() // create a new form obj for every request but not use obj directly
        binding.Bind(ctx.Req, theObj)         // the returned error is dropped here
        web.SetForm(ctx, theObj)
    })
which results in the message above. The code should read:
    return web.Wrap(func(ctx *context.PrivateContext) {
        var theObj = reflect.New(tp).Interface() // create a new form obj for every request but not use obj directly
        err := binding.Bind(ctx.Req, theObj)
        if err != nil {
            log.Error("Error %#v", err) // what else to do here panic()?
        }
        web.SetForm(ctx, theObj)
    })
Workaround
Until this library is fixed, not much can be done, but shifting the place of the GitPushOptions in the type HookOptions struct circumvents the issue. See
@smainz Do you happen to have a stacktrace? go-json isn't directly a dependency; it seems that it's only incorporated by xorm. This is just to confirm where to update the dependency.
Gitea Version
Gitea Version: 1.16.1
Git Version
from official docker image
Operating System
Linux (docker image)
How are you running Gitea?
gitea is running with the official docker image
The error of this library is not checked in gitea/routers/private/internal.go, lines 42 to 46 in 704bdf8.
Workaround
Until this library is fixed, not much can be done, but shifting the place of the GitPushOptions in the type HookOptions struct circumvents the issue. See gitea/modules/private/hook.go, lines 48 to 61 in 704bdf8.
Root Cause with example code
The json-Library used for binding the payload of a web request to a go-structure has issues as seen in the code example below.
An issue has been opened for the go-json library: goccy/go-json#337
Screenshots
No response
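The failure mode reported in this issue, as an added example that is not Gitea's code and not part of the original report: a handler that drops the binding error makes its authorization decision on a zero-valued struct and lands on the deny path, while a handler that checks the error reports the decode failure instead. Assumptions: the standard library's encoding/json stands in for go-json, `hookOpts` is a simplified hypothetical version of `HookOptions`, and the malformed payload is constructed to force a decode error.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hookOpts is a simplified, hypothetical stand-in for the HookOptions struct named in the issue.
type hookOpts struct {
	UserID         int64
	GitPushOptions map[string]string
	PullRequestID  int64
}

// handler returns a pre-receive style handler. With checkErr false the decode
// error is dropped, as in the code quoted in the issue; with true it is reported.
func handler(checkErr bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var o hookOpts
		if err := json.NewDecoder(r.Body).Decode(&o); err != nil && checkErr {
			http.Error(w, "cannot decode hook options: "+err.Error(), http.StatusBadRequest)
			return
		}
		if o.PullRequestID == 0 { // no PR id: treated as a direct push to a protected branch
			http.Error(w, "not allowed to push to protected branch", http.StatusForbidden)
			return
		}
		fmt.Fprintln(w, "merge allowed")
	}
}

// post sends body to h in-process and returns the HTTP status code.
func post(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/pre-receive", strings.NewReader(body)))
	return rec.Code
}

// Constructed payloads; bad carries a stray comma so that decoding fails.
const good = `{"UserID":1,"GitPushOptions":{},"PullRequestID":7}`
const bad = `{"UserID":1,"GitPushOptions":{},,"PullRequestID":7}`

func main() {
	fmt.Println(post(handler(false), good), post(handler(false), bad), post(handler(true), bad))
}
```

The unchecked handler answers the failed decode with the same 403 as a real unauthorized push, which is why the logs in the report pointed at branch protection rather than at JSON parsing.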