authorDouwe Maan <douwe@gitlab.com>2017-11-24 09:42:12 +0000
committerMichael Kozono <mkozono@gmail.com>2017-12-08 13:47:18 -0800
commit8c0aa7d4a791cd05eddd9163fdc8270b933ffc6b (patch)
tree0cc73919b28af20c998612fb4b64c1075bb6e3af /app/models/user.rb
parentd332c8c78a77ee400e01f91fd2c573f12caef21d (diff)
Merge branch 'bvl-10-2-email-disclosure' into 'security-10-2'
(10.2) Avoid partial email addresses for matching See merge request gitlab/gitlabhq!2232 (cherry picked from commit 081aa1e91a777c9acb31be4a1e76b3dd7032fa9a) There are unresolved conflicts in app/models/user.rb. fa85a3fd Don't allow searching for partial user emails
Diffstat (limited to 'app/models/user.rb')
-rw-r--r--app/models/user.rb27
1 files changed, 27 insertions, 0 deletions
diff --git a/app/models/user.rb b/app/models/user.rb
index af1c36d9c93..7dc18c351e6 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -315,6 +315,13 @@ class User < ActiveRecord::Base
#
# Returns an ActiveRecord::Relation.
def search(query)
+<<<<<<< HEAD
+=======
+ table = arel_table
+ query = query.downcase
+ pattern = User.to_pattern(query)
+
+>>>>>>> f45fc58d84... Merge branch 'bvl-10-2-email-disclosure' into 'security-10-2'
order = <<~SQL
CASE
WHEN users.name = %{query} THEN 0
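Review bot: This hunk commits unresolved conflict markers (`<<<<<<< HEAD` on its first added line through `>>>>>>> f45fc58d84...` on its last), so `search` does not parse as Ruby until one side is chosen; the commit message admits this, but nothing in the patch resolves it. The incoming side's `query = query.downcase` also feeds the `order` heredoc that starts at the end of this hunk, so the `users.name = %{query}` tie-break would compare a lower-cased query against the stored name and presumably stop ranking mixed-case exact name matches first. If the email check is done in the `where` clause with `arel_table[:email].eq(query)`, neither `table` nor `pattern` is needed here and the empty HEAD side can be kept. `search` continues past the end of this hunk.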
@@ -324,8 +331,16 @@ class User < ActiveRecord::Base
END
SQL
+<<<<<<< HEAD
fuzzy_search(query, [:name, :email, :username])
.reorder(order % { query: ActiveRecord::Base.connection.quote(query) }, :name)
+=======
+ where(
+ table[:name].matches(pattern)
+ .or(table[:email].eq(query))
+ .or(table[:username].matches(pattern))
+ ).reorder(order % { query: ActiveRecord::Base.connection.quote(query) }, :name)
+>>>>>>> f45fc58d84... Merge branch 'bvl-10-2-email-disclosure' into 'security-10-2'
end
# searches user by given pattern
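Review bot: The conflict in `search` must not be resolved in favour of the HEAD side, because `fuzzy_search(query, [:name, :email, :username])` still matches on partial email addresses, which is exactly the disclosure this commit sets out to remove; the incoming side fixes email with `table[:email].eq(query)` but drops the `fuzzy_arel_match` helper that HEAD already uses for name and username elsewhere in this file. Until one side is chosen the `<<<<<<<`/`=======`/`>>>>>>>` markers leave the method unparseable. I would keep HEAD's helpers for name and username and use an exact arel comparison for email, which also makes the `table`/`pattern` locals added earlier in the method unnecessary. `search` begins outside this hunk.
```ruby
def search(query)
  # … unchanged: order heredoc …
  where(
    fuzzy_arel_match(:name, query)
      .or(arel_table[:email].eq(query))
      .or(fuzzy_arel_match(:username, query))
  ).reorder(order % { query: ActiveRecord::Base.connection.quote(query) }, :name)
end
```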
@@ -334,6 +349,7 @@ class User < ActiveRecord::Base
def search_with_secondary_emails(query)
email_table = Email.arel_table
+<<<<<<< HEAD
matched_by_emails_user_ids = email_table
.project(email_table[:user_id])
.where(Email.fuzzy_arel_match(:email, query))
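Review bot: The HEAD side kept here still builds the secondary-email subquery with `Email.fuzzy_arel_match(:email, query)`, which by its name and by the commit message is the partial email match the change is meant to remove, so secondary addresses could still be enumerated through `search_with_secondary_emails` if this side wins the merge. The subquery statement runs past the end of this hunk; its filter should become `.where(email_table[:email].eq(query))`, and the `<<<<<<< HEAD` marker added here has to go before the file parses. The incoming side of the same conflict, shown in the following hunk, already makes that exact-match change for the subquery.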
@@ -343,6 +359,17 @@ class User < ActiveRecord::Base
.or(fuzzy_arel_match(:email, query))
.or(fuzzy_arel_match(:username, query))
.or(arel_table[:id].in(matched_by_emails_user_ids))
+=======
+ query = query.downcase
+ pattern = User.to_pattern(query)
+ matched_by_emails_user_ids = email_table.project(email_table[:user_id]).where(email_table[:email].eq(query))
+
+ where(
+ table[:name].matches(pattern)
+ .or(table[:email].eq(query))
+ .or(table[:username].matches(pattern))
+ .or(table[:id].in(matched_by_emails_user_ids))
+>>>>>>> f45fc58d84... Merge branch 'bvl-10-2-email-disclosure' into 'security-10-2'
)
end
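Review bot: The incoming side references `table[:name]`, `table[:email]`, `table[:username]` and `table[:id]`, but nothing in the visible method assigns `table` (only `email_table` is set at the top of the method), so taking that side as-is would raise NameError unless a `table` helper exists elsewhere; `arel_table` is the name the HEAD side uses. The HEAD side, conversely, keeps `.or(fuzzy_arel_match(:email, query))`, a partial match on the primary email that defeats the fix. Keeping HEAD's structure and replacing that one line with `.or(arel_table[:email].eq(query))`, with the secondary-email subquery filter switched to `email_table[:email].eq(query)` as the incoming side does, gives the intended behaviour; the conflict markers must be removed either way. The `where(` these lines belong to opens outside this hunk.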