fix: validate input for default_{merge,update}_style (go-gitea#7395)

- Add `binding:"In(...)"` to the `default_merge_style` and `default_update_style` fields to only accept recognized merge and update styles.
- Resolves https://codeberg.org/forgejo/forgejo/issues/7389
- Added integration test for the API (`binding` works in the exact same way for the API and web routes).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7395
Reviewed-by: 0ko <[email protected]>
Co-authored-by: Gusted <[email protected]>
Co-committed-by: Gusted <[email protected]>

Author: Gusted

modules/structs/repo.go

@@ -224,10 +224,10 @@ type EditRepoOption struct {
 	AllowRebaseUpdate *bool `json:"allow_rebase_update,omitempty"`
 	// set to `true` to delete pr branch after merge by default
 	DefaultDeleteBranchAfterMerge *bool `json:"default_delete_branch_after_merge,omitempty"`
-	// set to a merge style to be used by this repository: "merge", "rebase", "rebase-merge", "squash", or "fast-forward-only".
-	DefaultMergeStyle *string `json:"default_merge_style,omitempty"`
+	// set to a merge style to be used by this repository: "merge", "rebase", "rebase-merge", "squash", "fast-forward-only", "manually-merged", or "rebase-update-only".
+	DefaultMergeStyle *string `json:"default_merge_style,omitempty" binding:"In(merge,rebase,rebase-merge,squash,fast-forward-only,manually-merged,rebase-update-only)"`
 	// set to a update style to be used by this repository: "rebase" or "merge"
-	DefaultUpdateStyle *string `json:"default_update_style,omitempty"`
+	DefaultUpdateStyle *string `json:"default_update_style,omitempty" binding:"In(merge,rebase)"`
 	// set to `true` to allow edits from maintainers by default
 	DefaultAllowMaintainerEdit *bool `json:"default_allow_maintainer_edit,omitempty"`
 	// set to `true` to archive this repository.

routers/web/repo/setting/setting.go

@@ -105,6 +105,10 @@ func Units(ctx *context.Context) {
 
 func UnitsPost(ctx *context.Context) {
 	form := web.GetForm(ctx).(*forms.RepoUnitSettingForm)
+	if ctx.HasError() {
+		ctx.Redirect(ctx.Repo.Repository.Link() + "/settings/units")
+		return
+	}
 
 	repo := ctx.Repo.Repository
 

services/forms/repo_form.go

@@ -188,8 +188,8 @@ type RepoUnitSettingForm struct {
 	PullsAllowSquash                      bool
 	PullsAllowFastForwardOnly             bool
 	PullsAllowManualMerge                 bool
-	PullsDefaultMergeStyle                string
-	PullsDefaultUpdateStyle               string
+	PullsDefaultMergeStyle                string `binding:"In(merge,rebase,rebase-merge,squash,fast-forward-only,manually-merged,rebase-update-only)"`
+	PullsDefaultUpdateStyle               string `binding:"In(merge,rebase)"`
 	EnableAutodetectManualMerge           bool
 	PullsAllowRebaseUpdate                bool
 	DefaultDeleteBranchAfterMerge         bool