)]}'
{
  "commit": "93a9b50f8fc22bc22ee92c35a93be9e4c16f0c9a",
  "tree": "7e18749a60eaf408c7a6437a6191e3293d342db0",
  "parents": [
    "2cf21319cb457a1464aade9862c27ceb9173c1b6"
  ],
  "author": {
    "name": "Antonio Barone",
    "email": "syntonyze@gmail.com",
    "time": "Wed Aug 24 19:07:14 2022 +0100"
  },
  "committer": {
    "name": "Antonio Barone",
    "email": "syntonyze@gmail.com",
    "time": "Thu Sep 22 18:49:06 2022 +0200"
  },
  "message": "Encrypt oauth token at rest\n\nThe oauth token provided by Github is used together with the\n`github_oauth` schema, to generate a new external identity for the\nGerrit user.\n\nThe external-id is then persisted on disk as a note under the\n`refs/meta/external-ids` ref of the `All-Users.git` repo, as documented\nin [1].\n\nAll credentials should be stored encrypted and protected at-rest, as the\ntoken could be used to impersonate the user associated with it.\n\nThis vulnerability has been exploited in the past on other OAuth-based\nintegrations [2].\n\nAvoid using plaintext oauth tokens for storing github external-ids by\nencrypting them first.\n\n[1] https://gerrit-documentation.storage.googleapis.com/Documentation/3.6.1/config-accounts.html#external-ids\n[2] https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/\n\nBug: Issue 16192\nChange-Id: I69c2add9170159ab8b9a31098cf35f184e678401\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "dc8b456fb3c2abab7fc17642a62185d7fb69c961",
      "old_mode": 33188,
      "old_path": "github-oauth/pom.xml",
      "new_id": "21631aa154ef9e0a03c933537fc95719a982fb97",
      "new_mode": 33188,
      "new_path": "github-oauth/pom.xml"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "6ab74d03345b399c3a56100bf4a701d7e89ec20b",
      "new_mode": 33188,
      "new_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/CipherException.java"
    },
    {
      "type": "modify",
      "old_id": "91a17d8ba28434cad213380a5d21feab3c52a243",
      "old_mode": 33188,
      "old_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java",
      "new_id": "a826886bfb1414636b009a02440455821c90438a",
      "new_mode": 33188,
      "new_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfig.java"
    },
    {
      "type": "modify",
      "old_id": "b95353153b8917def73bbfa981f0ac2410023be8",
      "old_mode": 33188,
      "old_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/IdentifiedUserGitHubLoginProvider.java",
      "new_id": "54493471c849af379ef80d06b130bb913bd2ec9f",
      "new_mode": 33188,
      "new_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/IdentifiedUserGitHubLoginProvider.java"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "a8133dca7d6b4a631951b601a1f7d2cbe9dfa9ae",
      "new_mode": 33188,
      "new_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthTokenCipher.java"
    },
    {
      "type": "modify",
      "old_id": "87f56e52e20765802e8aa38ac87e29444f354d7c",
      "old_mode": 33188,
      "old_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java",
      "new_id": "3c721412df8f207137261236d1dfa9ef75ae0690",
      "new_mode": 33188,
      "new_path": "github-oauth/src/main/java/com/googlesource/gerrit/plugins/github/oauth/OAuthWebFilter.java"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "94d1a43e70f9e64d8055f7669a7a39526e39b16d",
      "new_mode": 33188,
      "new_path": "github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/GitHubOAuthConfigTest.java"
    },
    {
      "type": "add",
      "old_id": "0000000000000000000000000000000000000000",
      "old_mode": 0,
      "old_path": "/dev/null",
      "new_id": "9621fc560f2685299aae1c04d7be9aef67e6ce5a",
      "new_mode": 33188,
      "new_path": "github-oauth/src/test/java/com/googlesource/gerrit/plugins/github/oauth/OAuthTokenCipherTest.java"
    },
    {
      "type": "modify",
      "old_id": "4fc15339e7fde1113bafd200e52e331a0813723a",
      "old_mode": 33188,
      "old_path": "github-plugin/src/main/java/com/googlesource/gerrit/plugins/github/filters/GitHubOAuthFilter.java",
      "new_id": "b025737ead9a4ad0f61096f3117255acaa71fda8",
      "new_mode": 33188,
      "new_path": "github-plugin/src/main/java/com/googlesource/gerrit/plugins/github/filters/GitHubOAuthFilter.java"
    },
    {
      "type": "modify",
      "old_id": "e8fc5fa0986d7b8a2e4382568775f9e9d00cc9c5",
      "old_mode": 33188,
      "old_path": "github-plugin/src/main/resources/Documentation/config.md",
      "new_id": "ea328902e42664082a411f38302a6c17032976cc",
      "new_mode": 33188,
      "new_path": "github-plugin/src/main/resources/Documentation/config.md"
    },
    {
      "type": "modify",
      "old_id": "6202ae394b152e168f66d9110749ed32218a2072",
      "old_mode": 33188,
      "old_path": "pom.xml",
      "new_id": "34b101830a90ef297571f381aa047feaff20f485",
      "new_mode": 33188,
      "new_path": "pom.xml"
    }
  ]
}