summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorYorick Peterse <yorickpeterse@gmail.com>2019-01-24 15:24:04 +0000
committerYorick Peterse <yorickpeterse@gmail.com>2019-01-24 15:24:07 +0000
commitdf28ee36a60d759ff632bc6aa44cdc133ee8d370 (patch)
treee7c13592d8a17cb412974c47fa1802ad9081f8c9
parente75d83d8544327168116a8bb47379e84885f8258 (diff)
downloadgitlab-ce-df28ee36a60d759ff632bc6aa44cdc133ee8d370.tar.gz
Merge branch 'security-fix-user-email-tag-push-leak-11-7' into 'security-11-7'
[11.7] Security fix user email tag push leak See merge request gitlab/gitlabhq!2809 (cherry picked from commit f59786036d65a881370073d55f8ab531405d3093) cbfa6282 Prefer build() rather than create() d34ea609 Fix private user email being visible in tag webhooks
-rw-r--r--changelogs/unreleased/security-fix-user-email-tag-push-leak.yml5
-rw-r--r--lib/gitlab/data_builder/push.rb2
-rw-r--r--spec/lib/gitlab/data_builder/push_spec.rb4
3 files changed, 8 insertions, 3 deletions
diff --git a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
new file mode 100644
index 00000000000..915ea7b5216
--- /dev/null
+++ b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
@@ -0,0 +1,5 @@
+---
+title: Fix private user email being visible in push (and tag push) webhooks
+merge_request:
+author:
+type: security
diff --git a/lib/gitlab/data_builder/push.rb b/lib/gitlab/data_builder/push.rb
index 862127110b9..ea08b5f7eae 100644
--- a/lib/gitlab/data_builder/push.rb
+++ b/lib/gitlab/data_builder/push.rb
@@ -93,7 +93,7 @@ module Gitlab
user_id: user.id,
user_name: user.name,
user_username: user.username,
- user_email: user.email,
+ user_email: user.public_email,
user_avatar: user.avatar_url(only_path: false),
project_id: project.id,
project: project.hook_attrs,
diff --git a/spec/lib/gitlab/data_builder/push_spec.rb b/spec/lib/gitlab/data_builder/push_spec.rb
index befdc18d1aa..0c4decc6518 100644
--- a/spec/lib/gitlab/data_builder/push_spec.rb
+++ b/spec/lib/gitlab/data_builder/push_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
describe Gitlab::DataBuilder::Push do
let(:project) { create(:project, :repository) }
- let(:user) { create(:user) }
+ let(:user) { build(:user, public_email: 'public-email@example.com') }
describe '.build_sample' do
let(:data) { described_class.build_sample(project, user) }
@@ -36,7 +36,7 @@ describe Gitlab::DataBuilder::Push do
it { expect(data[:user_id]).to eq(user.id) }
it { expect(data[:user_name]).to eq(user.name) }
it { expect(data[:user_username]).to eq(user.username) }
- it { expect(data[:user_email]).to eq(user.email) }
+ it { expect(data[:user_email]).to eq(user.public_email) }
it { expect(data[:user_avatar]).to eq(user.avatar_url) }
it { expect(data[:project_id]).to eq(project.id) }
it { expect(data[:project]).to be_a(Hash) }