Commit c6cbee84 authored by Douwe Maan

Merge branch 'remove-email-from-published-keys' into 'master'

Only publish ssh key-type and key

Now when requesting my keys, my email address is exposed. [My keys](https://gitlab.com/zj.keys)

To prevent harvesting, only the key type and the key itself are displayed instead of all data supplied when uploaded.

See merge request !850
parents 4b3b286e 4ccd767a
...@@ -36,6 +36,7 @@ v 7.14.0 (unreleased) ...@@ -36,6 +36,7 @@ v 7.14.0 (unreleased)
- Add support for CI skipped status - Add support for CI skipped status
- Fetch code from forks to refs/merge-requests/:id/head when merge request created - Fetch code from forks to refs/merge-requests/:id/head when merge request created
- Remove satellites - Remove satellites
- Remove comments and email addresses when publicly exposing ssh keys (Zeger-Jan van de Weg)
v 7.13.2 v 7.13.2
- Fix randomly failed spec - Fix randomly failed spec
...@@ -61,6 +62,8 @@ v 7.13.1 ...@@ -61,6 +62,8 @@ v 7.13.1
v 7.13.0 v 7.13.0
- Remove repository graph log to fix slow cache updates after push event (Stan Hu) - Remove repository graph log to fix slow cache updates after push event (Stan Hu)
- Return comments in created order in merge request API (Stan Hu) - Return comments in created order in merge request API (Stan Hu)
v 7.13.0 (unreleased)
- Only enable HSTS header for HTTPS and port 443 (Stan Hu) - Only enable HSTS header for HTTPS and port 443 (Stan Hu)
- Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu) - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
- Fix redirection to home page URL for unauthorized users (Daniel Gerhardt) - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)
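Review bot: a second `v 7.13.0 (unreleased)` header appears below the existing `v 7.13.0` section in this hunk, splitting the 7.13.0 entries into two sections; this looks like a merge-resolution leftover and should be removed so the release notes stay in one list.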
...@@ -87,15 +90,15 @@ v 7.13.0 ...@@ -87,15 +90,15 @@ v 7.13.0
- Update ssl_ciphers in Nginx example to remove DHE settings. This will deny forward secrecy for Android 2.3.7, Java 6 and OpenSSL 0.9.8 - Update ssl_ciphers in Nginx example to remove DHE settings. This will deny forward secrecy for Android 2.3.7, Java 6 and OpenSSL 0.9.8
- Admin can edit and remove user identities - Admin can edit and remove user identities
- Convert CRLF newlines to LF when committing using the web editor. - Convert CRLF newlines to LF when committing using the web editor.
- API request /projects/:project_id/merge_requests?state=closed will return only closed merge requests without merged one. If you need ones that were merged - use state=merged. - API request /projects/:project_id/merge_requests?state=closed will return only closed merge requests without merged one. If you need ones that were merged - use state=merged.
- Allow Administrators to filter the user list by those with or without Two-factor Authentication enabled. - Allow Administrators to filter the user list by those with or without Two-factor Authentication enabled.
- Show a user's Two-factor Authentication status in the administration area. - Show a user's Two-factor Authentication status in the administration area.
- Explicit error when commit not found in the CI - Explicit error when commit not found in the CI
- Improve performance for issue and merge request pages - Improve performance for issue and merge request pages
- Users with guest access level can not set assignee, labels or milestones for issue and merge request - Users with guest access level can not set assignee, labels or milestones for issue and merge request
- Reporter role can manage issue tracker now: edit any issue, set assignee or milestone and manage labels - Reporter role can manage issue tracker now: edit any issue, set assignee or milestone and manage labels
- Better performance for pages with events list, issues list and commits list - Better performance for pages with events list, issues list and commits list
- Faster automerge check and merge itself when source and target branches are in same repository - Faster automerge check and merge itself when source and target branches are in same repository
- Correctly show anonymous authorized applications under Profile > Applications. - Correctly show anonymous authorized applications under Profile > Applications.
- Query Optimization in MySQL. - Query Optimization in MySQL.
- Allow users to be blocked and unblocked via the API - Allow users to be blocked and unblocked via the API
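Review bot: no content change is visible in this hunk (line counts `-87,15 +90,15` are equal and every line is unchanged context), so it is presumably a whitespace or line-ending change; it is unrelated to the key-publishing fix and would be better dropped to keep the diff focused on the change described in the commit message.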
...@@ -103,7 +106,7 @@ v 7.13.0 ...@@ -103,7 +106,7 @@ v 7.13.0
- Redesign project page. Show README as default instead of activity. Move project activity to separate page - Redesign project page. Show README as default instead of activity. Move project activity to separate page
- Make left menu more hierarchical and less contextual by adding back item at top - Make left menu more hierarchical and less contextual by adding back item at top
- A fork can’t have a visibility level that is greater than the original project. - A fork can’t have a visibility level that is greater than the original project.
- Faster code search in repository and wiki. Fixes search page timeout for big repositories - Faster code search in repository and wiki. Fixes search page timeout for big repositories
- Allow administrators to disable 2FA for a specific user - Allow administrators to disable 2FA for a specific user
- Add error message for SSH key linebreaks - Add error message for SSH key linebreaks
- Store commits count in database (will populate with valid values only after first push) - Store commits count in database (will populate with valid values only after first push)
...@@ -122,7 +125,7 @@ v 7.12.1 ...@@ -122,7 +125,7 @@ v 7.12.1
- Add SAML to list of social_provider (Matt Firtion) - Add SAML to list of social_provider (Matt Firtion)
- Fix merge requests API scope to keep compatibility in 7.12.x patch release (Dmitriy Zaporozhets) - Fix merge requests API scope to keep compatibility in 7.12.x patch release (Dmitriy Zaporozhets)
- Fix closed merge request scope at milestone page (Dmitriy Zaporozhets) - Fix closed merge request scope at milestone page (Dmitriy Zaporozhets)
- Revert merge request states renaming - Revert merge request states renaming
- Fix hooks for web based events with external issue references (Daniel Gerhardt) - Fix hooks for web based events with external issue references (Daniel Gerhardt)
- Improve performance for issue and merge request pages - Improve performance for issue and merge request pages
- Compress database dumps to reduce backup size - Compress database dumps to reduce backup size
......
...@@ -39,6 +39,11 @@ class Key < ActiveRecord::Base ...@@ -39,6 +39,11 @@ class Key < ActiveRecord::Base
self.key = key.strip unless key.blank? self.key = key.strip unless key.blank?
end end
def publishable_key
#Removes anything beyond the keytype and key itself
self.key.split[0..1].join(' ')
end
# projects that has this key # projects that has this key
def projects def projects
user.authorized_projects user.authorized_projects
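Review bot: `publishable_key` calls `self.key.split` unguarded, so a record with a nil `key` raises `NoMethodError` from the public endpoint, while the `before_save` callback directly above only touches `key` when it is not blank; guard the same way (`return '' if key.blank?`, or `key.to_s.split[0..1].join(' ')`). Also put a space after `#` in `#Removes anything beyond the keytype and key itself` to match the `# projects that has this key` comment style in this file.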
......
...@@ -619,7 +619,7 @@ class User < ActiveRecord::Base ...@@ -619,7 +619,7 @@ class User < ActiveRecord::Base
end end
def all_ssh_keys def all_ssh_keys
keys.map(&:key) keys.map(&:publishable_key)
end end
def temp_oauth_email? def temp_oauth_email?
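Review bot: `all_ssh_keys` now returns the comment-stripped form for every caller, but the method name does not signal that; confirm that the public keys endpoint (Profiles::KeysController in the spec below) is its only consumer and that nothing else still expects the full uploaded key string, or rename it (for example `all_publishable_ssh_keys`) so future callers do not assume they are getting the stored value.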
......
...@@ -48,6 +48,17 @@ describe Profiles::KeysController do ...@@ -48,6 +48,17 @@ describe Profiles::KeysController do
expect(response.body).not_to eq("") expect(response.body).not_to eq("")
expect(response.body).to eq(user.all_ssh_keys.join("\n")) expect(response.body).to eq(user.all_ssh_keys.join("\n"))
# Unique part of key 1
expect(response.body).to match(/PWx6WM4lhHNedGfBpPJNPpZ/)
# Key 2
expect(response.body).to match(/AQDmTillFzNTrrGgwaCKaSj/)
end
it "should not render the comment of the key" do
get :get_keys, username: user.username
expect(response.body).not_to match(/dummy@gitlab.com/)
end end
it "should respond with text/plain content type" do it "should respond with text/plain content type" do
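Review bot: the dot in `/dummy@gitlab.com/` is unescaped and matches any character; use `/dummy@gitlab\.com/`. The new negative test also passes silently if the factory comment is ever changed or removed, and the existing `expect(response.body).to eq(user.all_ssh_keys.join("\n"))` compares against a value produced by the code under test; add a positive expectation built independently of the implementation, such as asserting the body's first line equals the first two whitespace-separated fields of the factory key and contains exactly two fields.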
......
...@@ -100,7 +100,7 @@ FactoryGirl.define do ...@@ -100,7 +100,7 @@ FactoryGirl.define do
factory :key do factory :key do
title title
key do key do
"ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=" "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0= dummy@gitlab.com"
end end
factory :deploy_key, class: 'DeployKey' do factory :deploy_key, class: 'DeployKey' do
......
...@@ -32,6 +32,13 @@ describe Key do ...@@ -32,6 +32,13 @@ describe Key do
describe "Methods" do describe "Methods" do
it { is_expected.to respond_to :projects } it { is_expected.to respond_to :projects }
it { is_expected.to respond_to :publishable_key }
describe "#publishable_keys" do
it 'strips all personal information' do
expect(build(:key).publishable_key).not_to match(/dummy@gitlab/)
end
end
end end
context "validation of uniqueness" do context "validation of uniqueness" do
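Review bot: the `describe` block is titled `#publishable_keys` but the method added in this MR is `publishable_key`; fix the name so the spec documents the right method. The assertion only checks that the email is absent, which an empty string would also satisfy; add a positive check, e.g. `expect(build(:key).publishable_key.split.size).to eq(2)` and that it starts with `ssh-rsa`, so the method is shown to keep the key type and key body intact.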
......