Commit bf9fa538 authored by Yorick Peterse's avatar Yorick Peterse

Merge branch 'security-fix-user-email-tag-push-leak' into 'master'

[master] User email is visible in hook logs if they trigger tag push events

Closes #2775

See merge request gitlab/gitlabhq!2789
parents 6a5ff493 c3cfffbc
---
title: Fix private user email being visible in push (and tag push) webhooks
merge_request:
author:
type: security
...@@ -93,7 +93,7 @@ module Gitlab ...@@ -93,7 +93,7 @@ module Gitlab
user_id: user.id, user_id: user.id,
user_name: user.name, user_name: user.name,
user_username: user.username, user_username: user.username,
user_email: user.email, user_email: user.public_email,
user_avatar: user.avatar_url(only_path: false), user_avatar: user.avatar_url(only_path: false),
project_id: project.id, project_id: project.id,
project: project.hook_attrs, project: project.hook_attrs,
......
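Review bot: The switch to `user.public_email` on the `user_email:` line carries no comment explaining why the private address must not be used, so a later cleanup could revert it without noticing the privacy impact. I would add `# Hook payloads leave the instance and are kept in hook logs; expose only the address the user chose to publish.` above that line. Consumers should also expect `user_email` to be blank when a user has not set a public email (presumably nil or an empty string, depending on the column default), which is worth stating in the webhook documentation. The enclosing method starts and ends outside the hunk, so other payload keys that may carry an address are not visible here.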
...@@ -2,7 +2,7 @@ require 'spec_helper' ...@@ -2,7 +2,7 @@ require 'spec_helper'
describe Gitlab::DataBuilder::Push do describe Gitlab::DataBuilder::Push do
let(:project) { create(:project, :repository) } let(:project) { create(:project, :repository) }
let(:user) { create(:user) } let(:user) { build(:user, public_email: 'public-email@example.com') }
describe '.build_sample' do describe '.build_sample' do
let(:data) { described_class.build_sample(project, user) } let(:data) { described_class.build_sample(project, user) }
...@@ -36,7 +36,7 @@ describe Gitlab::DataBuilder::Push do ...@@ -36,7 +36,7 @@ describe Gitlab::DataBuilder::Push do
it { expect(data[:user_id]).to eq(user.id) } it { expect(data[:user_id]).to eq(user.id) }
it { expect(data[:user_name]).to eq(user.name) } it { expect(data[:user_name]).to eq(user.name) }
it { expect(data[:user_username]).to eq(user.username) } it { expect(data[:user_username]).to eq(user.username) }
it { expect(data[:user_email]).to eq(user.email) } it { expect(data[:user_email]).to eq(user.public_email) }
it { expect(data[:user_avatar]).to eq(user.avatar_url) } it { expect(data[:user_avatar]).to eq(user.avatar_url) }
it { expect(data[:project_id]).to eq(project.id) } it { expect(data[:project_id]).to eq(project.id) }
it { expect(data[:project]).to be_a(Hash) } it { expect(data[:project]).to be_a(Hash) }
......
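Review bot: The updated expectation `eq(user.public_email)` pins only the positive case; nothing in the spec asserts that the private address stays out of the payload. Adding `it { expect(data[:user_email]).not_to eq(user.email) }` next to it would make the regression explicit, and a second context for a user without a public email would cover the blank case. Separately, replacing `create(:user)` with `build(:user, ...)` leaves the user unsaved, so `expect(data[:user_id]).to eq(user.id)` presumably now compares nil with nil; if `build` was chosen to sidestep a validation on `public_email`, persist the user or stub its id so that check stays meaningful. The describe block continues outside the visible hunks.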