gitforge/release-notes/13129.md
Mathieu Fenniak 84ae61f2ce fix: compliance with [migrations].ALLOWED_DOMAINS, ...BLOCKED_DOMAINS, and ....ALLOW_LOCALNETWORKS for git & LFS ops (#13129)
System administrators can determine which hosts can be accessed by Forgejo for git mirroring via the config settings `[migrations].ALLOWED_DOMAINS`, `...BLOCKED_DOMAINS`, and `....ALLOW_LOCALNETWORKS`.  However, there were edge cases where these settings were ineffective:

- Config entries were only checked when mirrors were initially configured, and not later when a mirror pull/push occurred.  DNS changes, or server configuration changes, could cause a previously safe URL to no longer be safe.  These settings are now re-checked on every mirror pull/push.
- When accessing a git repository over http, git would follow HTTP redirects, allowing a violation of the `[migrations]` config entries.  The git option `http.followRedirects=false` is now set to prevent git from following these redirects.
- When performing Git LFS synchronization, it was assumed that the git URL passing migration URL checks was sufficient protection.  Specifically for pull mirrors which allow the usage of "Advanced settings" -> "LFS endpoint" to configure a separate LFS endpoint, these settings were never enforced, and for all mirrors they would have been subject to not being rechecked if the DNS had changed since configured.  LFS mirroring now uses an HTTP client that enforces the `[migrations]` config settings.

**Breaking:** If a repository mirror that depends on HTTP redirects will no longer work.

For example, if you've mirrored a repository from a Forgejo instance at `https://example.com/OWNER/REPO.git` and the repository or owner are renamed, Forgejo will provide an HTTP redirect that continues to allow git operations to work at the old URL.  Due to this redirect prohibition, this mirror will no longer work.

### Tests for Go changes

- I added test coverage for Go changes...
  - [x] in their respective `*_test.go` for unit tests.
  - [x] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
- I ran...
  - [x] `make pr-go` before pushing

### Documentation

- [x] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
    - It is not currently documented that the `[migrations]` settings are used to control access to mirrors.  Forgejo advises it when an error occurs, but it could be added: https://codeberg.org/forgejo/docs/pulls/2023
- [ ] I did not document these changes and I do not expect someone else to do it.

### Release notes

- [x] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [ ] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13129
Reviewed-by: Andreas Ahlenstorf <aahlenst@noreply.codeberg.org>
2026-06-23 23:40:25 +02:00

529 B

Improved compliance with the config settings [migrations].ALLOWED_DOMAINS, [migrations].BLOCKED_DOMAINS, and [migrations].ALLOW_LOCALNETWORKS, which control the remotes that Forgejo can access for git & LFS migration and mirroring operations, fixing time-of-check vs. time-of-use issue and missing checks in LFS. git mirror HTTP operations have been adjusted to never follow HTTP redirects in order to ensure that these settings are followed, which will break HTTP mirroring if a redirect is served by the git HTTP remote.