Add disable_git_hooks config option to security

README.md

@@ -73,11 +73,14 @@ The following code has been tested with Debian 8, it should work on Ubuntu as we
 * `gitea_show_registration_button`: Do you want to show the registration button? (true/false)
 * `gitea_require_signin`: Do you require a signin to see repo's (even public ones) ? (true/false)
 * `gitea_enable_captcha`: Do you want to enable captcha's ? (true/false)
-* `gitea_secret_key`: Cookie secret key
-* `gitea_internal_token`: Internal API token
 * `gitea_themes`: List of enabled themes
 * `gitea_theme_default`: Default theme
 
+### Security
+* `gitea_secret_key`: Cookie secret key
+* `gitea_internal_token`: Internal API token
+* `gitea_disable_git_hooks`: Do you want to disable the interface to add git hooks? If enabled it could be a security bug as it can be used for RCE. Defaults to true (true/false)
+
 ### Limits
 
 * `gitea_user_repo_limit`: Limit how many repos a user can have (-1 for unlimited)

defaults/main.yml

@@ -38,6 +38,7 @@ gitea_ssh_port: 2222
 
 gitea_secret_key: T0pS3cr31
 gitea_internal_token: SomethingVeryLong
+gitea_disable_git_hooks: true
 
 gitea_show_user_email: false
 gitea_disable_gravatar: true

templates/gitea.ini.j2

@@ -99,6 +99,7 @@ SECRET_KEY              = {{ gitea_secret_key }}
 INTERNAL_TOKEN          = {{ gitea_internal_token }}
 ; How long to remember that an user is logged in before requiring relogin (in days)
 LOGIN_REMEMBER_DAYS = 7
+DISABLE_GIT_HOOKS       = {{ gitea_disable_git_hooks }}
 
 [service]
 ; Disallow registration, only allow admins to create accounts.