)]}' { "commit": "0532fb876cb86bc091a91f78e6f28fff9e39ca65", "tree": "81d483ea3348eb3607333375bc9b4ae43c6c5fd4", "parents": [ "33ce3f0ad6d6f17b731887517938562469b693b3" ], "author": { "name": "Patrick Hiesel", "email": "hiesel@google.com", "time": "Mon Nov 02 14:30:54 2020 +0100" }, "committer": { "name": "Patrick Hiesel", "email": "hiesel@google.com", "time": "Fri Nov 06 14:13:41 2020 +0100" }, "message": "Make PermissionBackend#ForRef authoritative\n\nThis change fixes a misconception that leads to data being accessible\nthrough Gerrit APIs that should be locked down.\n\nGerrit had two components for determining if a Git ref is visible to a\nuser: (Default)RefFilter and PermissionBackend#ForRef (ex RefControl).\nThe former was always capable of providing correct results for all refs.\nThe latter only had logic to decide if a Git ref is visible according to\nthe Gerrit READ permissions. This includes all refs under refs/heads as\nwell as any other ref that isn\u0027t a database ref or a Git tag. This\ncomponent was unware of Git tags and database references. Hence, when\nasked for a database reference such as refs/changes/xx/yyyyxx/meta the\nlogic would allow access if the user has READ permissions on any of the\nref prefixes, such as the default \"read refs/* Anonymous Users\".\n\nThat is problematic, because it bypasses documented behavior [1] where\na user should only have access to a change if they can see the destination\nref. The same goes for other database references.\n\nThis change fixes the problem. It is intentionally kept to a minimally\ninvasive code change so that it\u0027s easier to backport it.\n\nAdd tests to assert the correct behavior. These tests would fail before\nthis fix. We have included them in this change to be able to backport\njust a single commit.\n\n[1] https://gerrit-review.googlesource.com/Documentation/access-control.html\n\nChange-Id: Ice3a756cf573dd9b38e3f198ccc44899ccf65f75\n", "tree_diff": [ { "type": "modify", "old_id": "400861c8a3c9af39ff80f3d474ece8cd10f107de", "old_mode": 33188, "old_path": "java/com/google/gerrit/entities/RefNames.java", "new_id": "5595bc75e35fec3e609b0a26f7bdac0e42ed46ba", "new_mode": 33188, "new_path": "java/com/google/gerrit/entities/RefNames.java" }, { "type": "modify", "old_id": "143547b1d3fac8e90fbfc36a4be291cd91505884", "old_mode": 33188, "old_path": "java/com/google/gerrit/server/permissions/ChangeControl.java", "new_id": "2c1894e40cd77c256895f0202635086077979803", "new_mode": 33188, "new_path": "java/com/google/gerrit/server/permissions/ChangeControl.java" }, { "type": "modify", "old_id": "e92ada1125f28f6a269fed19710dd57c02be751b", "old_mode": 33188, "old_path": "java/com/google/gerrit/server/permissions/DefaultRefFilter.java", "new_id": "c7b10608b2e946c8a09ec1e33fa1465b761e0f4f", "new_mode": 33188, "new_path": "java/com/google/gerrit/server/permissions/DefaultRefFilter.java" }, { "type": "modify", "old_id": "145e0b61bcaf76e11bf750ee9816aa96631d918a", "old_mode": 33188, "old_path": "java/com/google/gerrit/server/permissions/ProjectControl.java", "new_id": "82fce53d0ed8d3a77d4e104b6f8ee0c580469f4b", "new_mode": 33188, "new_path": "java/com/google/gerrit/server/permissions/ProjectControl.java" }, { "type": "modify", "old_id": "7c5d6bda167b57e8c35419d5dcf5df6e9e47aaf8", "old_mode": 33188, "old_path": "java/com/google/gerrit/server/permissions/RefControl.java", "new_id": "9e78b7e2b861ab1d6568853b4c68f976331e4b2a", "new_mode": 33188, "new_path": "java/com/google/gerrit/server/permissions/RefControl.java" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "c8a1ebe27065b4c17359292bb3e302bf7f344325", "new_mode": 33188, "new_path": "java/com/google/gerrit/server/permissions/RefVisibilityControl.java" }, { "type": "modify", "old_id": "5c786a5b184b6a00138017214e3a2190c658cb21", "old_mode": 33188, "old_path": "javatests/com/google/gerrit/acceptance/api/change/ChangeIT.java", "new_id": "bf77b9181e1f1058d134adf2dce78a697e6cf2a0", "new_mode": 33188, "new_path": "javatests/com/google/gerrit/acceptance/api/change/ChangeIT.java" }, { "type": "modify", "old_id": "dcf2afdbba03c25d01f64782318a34c7d8e29682", "old_mode": 33188, "old_path": "javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java", "new_id": "10bd03b3ca3ff8848e941804c37f09a62d0cc0d0", "new_mode": 33188, "new_path": "javatests/com/google/gerrit/acceptance/api/group/GroupsIT.java" }, { "type": "modify", "old_id": "d70d120c19f9ca3e7ac15929c6b3e20c964ba4a7", "old_mode": 33188, "old_path": "javatests/com/google/gerrit/acceptance/rest/project/AbstractPushTag.java", "new_id": "9276b9a5c3e9275f001af77fa44901b16928dc15", "new_mode": 33188, "new_path": "javatests/com/google/gerrit/acceptance/rest/project/AbstractPushTag.java" }, { "type": "add", "old_id": "0000000000000000000000000000000000000000", "old_mode": 0, "old_path": "/dev/null", "new_id": "964cff7b30427eca35bd0a9a1f0c3a2b865c4eda", "new_mode": 33188, "new_path": "javatests/com/google/gerrit/acceptance/rest/project/GetBranchIT.java" }, { "type": "modify", "old_id": "33446e4d885b14db67ae0092c317cda6d9f939c9", "old_mode": 33188, "old_path": "javatests/com/google/gerrit/server/permissions/RefControlTest.java", "new_id": "d4442d44d264fa4af0cb7eceffd5a07e4fb209ac", "new_mode": 33188, "new_path": "javatests/com/google/gerrit/server/permissions/RefControlTest.java" } ] }