)]}' { "commit": "45071d6977932bca5a1427c8abad24710fed2e33", "tree": "fd174dfb05b2b69816cbb75ad7179e912387e17b", "parents": [ "988882e0ad3e825ee427a9c2b28de67f726d010c" ], "author": { "name": "Luca Milanesio", "email": "luca.milanesio@gmail.com", "time": "Fri Nov 13 00:12:38 2020 +0000" }, "committer": { "name": "Luca Milanesio", "email": "luca.milanesio@gmail.com", "time": "Fri Nov 13 16:14:54 2020 +0000" }, "message": "Workaround Gitiles bug on All-Users visibility\n\nGitiles has a special FilteredRepository wrapper that\nallows carefully hiding refs based on the project\u0027s ACLs.\nThere is however an optimisation that skips the filtering\nin case a user has READ permissions on every ACL pattern.\n\nWhen the target repository is All-Users, the optimisation\nturns into a security issue because it allows seeing everything\nthat belongs to everyone:\n- draft comments\n- PII of all users\n- external ids\n- draft edits\n\nBlock Gitiles or any other part of Gerrit from abusing this\npower when the target repository is All-Users, where nobody\ncan be authorised to skip the ACLs evaluation.\n\nCover the additional special case of the All-Users project\naccess with two explicit positive and negative tests,\nso that the security check is covered.\n\nBug: Issue 13621\nChange-Id: Ia6ea1a9fd5473adff534204aea7d8f25324a45b7\n", "tree_diff": [ { "type": "modify", "old_id": "82fce53d0ed8d3a77d4e104b6f8ee0c580469f4b", "old_mode": 33188, "old_path": "java/com/google/gerrit/server/permissions/ProjectControl.java", "new_id": "edffcc6e49a0f63175120d027a54084fb255d165", "new_mode": 33188, "new_path": "java/com/google/gerrit/server/permissions/ProjectControl.java" }, { "type": "modify", "old_id": "d4442d44d264fa4af0cb7eceffd5a07e4fb209ac", "old_mode": 33188, "old_path": "javatests/com/google/gerrit/server/permissions/RefControlTest.java", "new_id": "336b6fb97f3f1c67ac117169bf817679d1331eaf", "new_mode": 33188, "new_path": 
"javatests/com/google/gerrit/server/permissions/RefControlTest.java" } ] }