diff options
author | Douwe Maan <douwe@gitlab.com> | 2015-08-06 09:05:15 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2015-08-06 09:05:15 +0000 |
commit | c6cbee846cd83c7b3a37e0565a0d994e0777d81a (patch) | |
tree | a24aa952bc7f199bd7e1970f91b32d74751b35b1 | |
parent | 4b3b286eef64917247be032f67af1a062aac0254 (diff) | |
parent | 4ccd767abf45df909c43e93d8898096236c99e3d (diff) | |
download | gitlab-ce-c6cbee846cd83c7b3a37e0565a0d994e0777d81a.tar.gz |
Merge branch 'remove-email-from-published-keys' into 'master'
Only publish ssh key-type and key
Now when requesting my keys; my emailadres is exposed. [My keys](https://gitlab.com/zj.keys)
To prevent harvesting only key-type and the key itself are displayed instead of all data supplied when uploaded.
See merge request !850
-rw-r--r-- | CHANGELOG | 13 | ||||
-rw-r--r-- | app/models/key.rb | 5 | ||||
-rw-r--r-- | app/models/user.rb | 2 | ||||
-rw-r--r-- | spec/controllers/profile_keys_controller_spec.rb | 11 | ||||
-rw-r--r-- | spec/factories.rb | 2 | ||||
-rw-r--r-- | spec/models/key_spec.rb | 7 |
6 files changed, 33 insertions, 7 deletions
diff --git a/CHANGELOG b/CHANGELOG index df8e9a48474..439534c37d9 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -36,6 +36,7 @@ v 7.14.0 (unreleased) - Add support for CI skipped status - Fetch code from forks to refs/merge-requests/:id/head when merge request created - Remove satellites + - Remove comments and email addresses when publicly exposing ssh keys (Zeger-Jan van de Weg) v 7.13.2 - Fix randomly failed spec @@ -61,6 +62,8 @@ v 7.13.1 v 7.13.0 - Remove repository graph log to fix slow cache updates after push event (Stan Hu) - Return comments in created order in merge request API (Stan Hu) + +v 7.13.0 (unreleased) - Only enable HSTS header for HTTPS and port 443 (Stan Hu) - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu) - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt) @@ -87,15 +90,15 @@ v 7.13.0 - Update ssl_ciphers in Nginx example to remove DHE settings. This will deny forward secrecy for Android 2.3.7, Java 6 and OpenSSL 0.9.8 - Admin can edit and remove user identities - Convert CRLF newlines to LF when committing using the web editor. - - API request /projects/:project_id/merge_requests?state=closed will return only closed merge requests without merged one. If you need ones that were merged - use state=merged. + - API request /projects/:project_id/merge_requests?state=closed will return only closed merge requests without merged one. If you need ones that were merged - use state=merged. - Allow Administrators to filter the user list by those with or without Two-factor Authentication enabled. - Show a user's Two-factor Authentication status in the administration area. - Explicit error when commit not found in the CI - - Improve performance for issue and merge request pages + - Improve performance for issue and merge request pages - Users with guest access level can not set assignee, labels or milestones for issue and merge request - Reporter role can manage issue tracker now: edit any issue, set assignee or milestone and manage labels - Better performance for pages with events list, issues list and commits list - - Faster automerge check and merge itself when source and target branches are in same repository + - Faster automerge check and merge itself when source and target branches are in same repository - Correctly show anonymous authorized applications under Profile > Applications. - Query Optimization in MySQL. - Allow users to be blocked and unblocked via the API @@ -103,7 +106,7 @@ v 7.13.0 - Redesign project page. Show README as default instead of activity. Move project activity to separate page - Make left menu more hierarchical and less contextual by adding back item at top - A fork can’t have a visibility level that is greater than the original project. - - Faster code search in repository and wiki. Fixes search page timeout for big repositories + - Faster code search in repository and wiki. Fixes search page timeout for big repositories - Allow administrators to disable 2FA for a specific user - Add error message for SSH key linebreaks - Store commits count in database (will populate with valid values only after first push) @@ -122,7 +125,7 @@ v 7.12.1 - Add SAML to list of social_provider (Matt Firtion) - Fix merge requests API scope to keep compatibility in 7.12.x patch release (Dmitriy Zaporozhets) - Fix closed merge request scope at milestone page (Dmitriy Zaporozhets) - - Revert merge request states renaming + - Revert merge request states renaming - Fix hooks for web based events with external issue references (Daniel Gerhardt) - Improve performance for issue and merge request pages - Compress database dumps to reduce backup size diff --git a/app/models/key.rb b/app/models/key.rb index 2dcae059c0e..406a1257b5d 100644 --- a/app/models/key.rb +++ b/app/models/key.rb @@ -39,6 +39,11 @@ class Key < ActiveRecord::Base self.key = key.strip unless key.blank? end + def publishable_key + #Removes anything beyond the keytype and key itself + self.key.split[0..1].join(' ') + end + # projects that has this key def projects user.authorized_projects diff --git a/app/models/user.rb b/app/models/user.rb index 2beefb1d614..57145cc6b6e 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -619,7 +619,7 @@ class User < ActiveRecord::Base end def all_ssh_keys - keys.map(&:key) + keys.map(&:publishable_key) end def temp_oauth_email? diff --git a/spec/controllers/profile_keys_controller_spec.rb b/spec/controllers/profile_keys_controller_spec.rb index 593d3e9eb56..b6573f105dc 100644 --- a/spec/controllers/profile_keys_controller_spec.rb +++ b/spec/controllers/profile_keys_controller_spec.rb @@ -48,6 +48,17 @@ describe Profiles::KeysController do expect(response.body).not_to eq("") expect(response.body).to eq(user.all_ssh_keys.join("\n")) + + # Unique part of key 1 + expect(response.body).to match(/PWx6WM4lhHNedGfBpPJNPpZ/) + # Key 2 + expect(response.body).to match(/AQDmTillFzNTrrGgwaCKaSj/) + end + + it "should not render the comment of the key" do + get :get_keys, username: user.username + + expect(response.body).not_to match(/dummy@gitlab.com/) end it "should respond with text/plain content type" do diff --git a/spec/factories.rb b/spec/factories.rb index 05e3211d551..200f18f660d 100644 --- a/spec/factories.rb +++ b/spec/factories.rb @@ -100,7 +100,7 @@ FactoryGirl.define do factory :key do title key do - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=" + "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0= dummy@gitlab.com" end factory :deploy_key, class: 'DeployKey' do diff --git a/spec/models/key_spec.rb b/spec/models/key_spec.rb index 456bf221d62..2f819f60cbb 100644 --- a/spec/models/key_spec.rb +++ b/spec/models/key_spec.rb @@ -32,6 +32,13 @@ describe Key do describe "Methods" do it { is_expected.to respond_to :projects } + it { is_expected.to respond_to :publishable_key } + + describe "#publishable_keys" do + it 'strips all personal information' do + expect(build(:key).publishable_key).not_to match(/dummy@gitlab/) + end + end end context "validation of uniqueness" do |