Page MenuHomePhabricator

Submitting a patch through the web editor on someone elses patch can result in you being able to run the same tests as that owner
Closed, ResolvedPublic

Description

This only applied to inline edits.

Steps to reproduce

You can do this in two way.

  • As a non whitelisted user
  • Use the inline edit, and try and change something simple, then save and publish it.
  • Wait for jenkins to report back.
  • It reports back with the tests done in the Test pipeline only for whitelisted users but you would have been a none-whitelisted user editing a whitelisted users patch.
  • Edit as a whitelisted user
  • Use gerrits inline edit and edit something simple
  • Save and publish
  • The tests are now run in the check pipeline
  • But I'm a whitelisted user so running recheck works.

Actual results

  • Users who are not whitelisted can get whitelisted users tests tested again by using inline edit.
  • Users who are whitelisted and edit non whitelisted patches get tests that are run for non whitelisted users.
  • Running recheck runs the tests as whitelisted users.

Expected results

  • I expect that if you are a whitelisted user then the tests are the ones whitelisted users can run
  • I Expect that if you are a non whitelisted user then you should only be able to run the tests in the non whitelisted pipeline.

This is fixed in gerrit 2.12.4

https://www.gerritcodereview.com/releases/2.12.md#2.12.4

"•Issue 4324: Set the correct uploader on new patch sets created via the inline editor."

Event Timeline

Paladox created this task.Oct 21 2016, 10:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 21 2016, 10:39 PM
Paladox moved this task from Bugs & stuff to Maybe fixed? on the Gerrit board.Oct 21 2016, 10:43 PM
Paladox added a comment.EditedOct 21 2016, 10:50 PM

The whitelist is there to prevent this, but is failing because of a bug in gerrit which is fixed in gerrit 2.12.4.

Hmm. Is this the same issue that's causing web editor patches to be reported on IRC as submitted by the changeset owner, rather than the actual patch submitter?

Paladox added a comment.EditedOct 22 2016, 8:27 AM

Yes, the same is fixed in gerrit 2.12.4

is failing because of a bug in gerrit which is fixed in gerrit 2.12.4.

Do you have a link to the bug report or the patch?

Paladox moved this task from Backlog to Patch merged upstream on the Upstream board.
hashar triaged this task as High priority.Oct 22 2016, 4:14 PM

That is nice find.

The upstream patch is https://gerrit-review.googlesource.com/#/c/80830/ which is included in Gerrit 2.12.4. So that is another argument to T143089: Update gerrit to 2.12.5.

Thankyou yep, I was updating someone elses patch to link to another bug, but found I was being tested in the check pipeline, so I did a recheck and then it tested me In the test pipeline.

@hashar we may want to notify openstack about there gerrit version. I'm not sure if the bug exist in that release too - 2.11.4.

This comment was removed by Paladox.
demon closed this task as Resolved.Nov 15 2016, 6:26 PM
demon claimed this task.
demon closed subtask T143089: Update gerrit to 2.12.5 as Resolved.
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed Security from Software security bug to None.