Gitea: security: prevent private keys from being committed

Perhaps this could be enabled by default and the way of opting out for a repo is to create some file in the repo that indicates that you're opting out? e.g. a file named THIS_REPO_CONTAINS_SECRETS

OpenSSL has very standardised formats for private keys so I think it should be pretty easy to detect. We obviously can't detect all kinds of secrets but I would say that this is good to include by default.

@clarcharr I think it would be better to have a settings button inside the Gitea repo settings to change this behavior. Having to commit a file to turn it off feels wrong to me. And indeed since the OpenSSL Keys have a pretty standardized format detection should be possible.

In the interim, you could use githooks in Gitea, and https://github.com/awslabs/git-secrets to block secrets from being committed.

To complement @ntimo's comment, it seems to me like opt-out-by-file would make it possible for anyone with merge/commit abilities to sneak-in the file, which would be a major security issue, and would require adding checks for the addition of the file, which would require......
Repository settings are perfect that things like this opt-out.

I could be a good thing to be able to change the key-detection filter for a repo, in-case is creates false positives on clean files.

I'm strongly against gitea rejecting any content in the default configuration. There are valid use cases of commiting private keys like test fixtures or self-signed cert/key pairs.

git-secrets sounds like a good tool to use, if it can be applied in a server-side hook.

@silverwind
Although, that's an edge-case, and a switch in the settings of a repo is a minor hassle, at worse. Especially if the default is a security measure.

Unexpected behaviour from "opinionated" tools is the highlight of my day.

The default should be the expected behaviour and when deciding what _expected_ implies keep in mind that gitea is a self-hosted tool not a public SaaS service.