diff options
author | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:24:04 +0000 |
---|---|---|
committer | Yorick Peterse <yorickpeterse@gmail.com> | 2019-01-24 15:24:07 +0000 |
commit | df28ee36a60d759ff632bc6aa44cdc133ee8d370 (patch) | |
tree | e7c13592d8a17cb412974c47fa1802ad9081f8c9 | |
parent | e75d83d8544327168116a8bb47379e84885f8258 (diff) | |
download | gitlab-ce-df28ee36a60d759ff632bc6aa44cdc133ee8d370.tar.gz |
Merge branch 'security-fix-user-email-tag-push-leak-11-7' into 'security-11-7'
[11.7] Security fix user email tag push leak
See merge request gitlab/gitlabhq!2809
(cherry picked from commit f59786036d65a881370073d55f8ab531405d3093)
cbfa6282 Prefer build() rather than create()
d34ea609 Fix private user email being visible in tag webhooks
-rw-r--r-- | changelogs/unreleased/security-fix-user-email-tag-push-leak.yml | 5 | ||||
-rw-r--r-- | lib/gitlab/data_builder/push.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/data_builder/push_spec.rb | 4 |
3 files changed, 8 insertions, 3 deletions
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml new file mode 100644 index 00000000000..915ea7b5216 --- /dev/null +++ b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml @@ -0,0 +1,5 @@ +--- +title: Fix private user email being visible in push (and tag push) webhooks +merge_request: +author: +type: security diff --git a/lib/gitlab/data_builder/push.rb b/lib/gitlab/data_builder/push.rb index 862127110b9..ea08b5f7eae 100644 --- a/lib/gitlab/data_builder/push.rb +++ b/lib/gitlab/data_builder/push.rb @@ -93,7 +93,7 @@ module Gitlab user_id: user.id, user_name: user.name, user_username: user.username, - user_email: user.email, + user_email: user.public_email, user_avatar: user.avatar_url(only_path: false), project_id: project.id, project: project.hook_attrs, diff --git a/spec/lib/gitlab/data_builder/push_spec.rb b/spec/lib/gitlab/data_builder/push_spec.rb index befdc18d1aa..0c4decc6518 100644 --- a/spec/lib/gitlab/data_builder/push_spec.rb +++ b/spec/lib/gitlab/data_builder/push_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' describe Gitlab::DataBuilder::Push do let(:project) { create(:project, :repository) } - let(:user) { create(:user) } + let(:user) { build(:user, public_email: 'public-email@example.com') } describe '.build_sample' do let(:data) { described_class.build_sample(project, user) } @@ -36,7 +36,7 @@ describe Gitlab::DataBuilder::Push do it { expect(data[:user_id]).to eq(user.id) } it { expect(data[:user_name]).to eq(user.name) } it { expect(data[:user_username]).to eq(user.username) } - it { expect(data[:user_email]).to eq(user.email) } + it { expect(data[:user_email]).to eq(user.public_email) } it { expect(data[:user_avatar]).to eq(user.avatar_url) } it { expect(data[:project_id]).to eq(project.id) } it { expect(data[:project]).to be_a(Hash) } |