Page MenuHomePhabricator
Create Task
Maniphest T148876

Submitting a patch through the web editor on someone elses patch can result in you being able to run the same tests as that owner
Closed, ResolvedPublic
Actions

Description

This only applied to inline edits.

Steps to reproduce

You can do this in two way.

  • As a non whitelisted user
  • Use the inline edit, and try and change something simple, then save and publish it.
  • Wait for jenkins to report back.
  • It reports back with the tests done in the Test pipeline only for whitelisted users but you would have been a none-whitelisted user editing a whitelisted users patch.
  • Edit as a whitelisted user
  • Use gerrits inline edit and edit something simple
  • Save and publish
  • The tests are now run in the check pipeline
  • But I'm a whitelisted user so running recheck works.

Actual results

  • Users who are not whitelisted can get whitelisted users tests tested again by using inline edit.
  • Users who are whitelisted and edit non whitelisted patches get tests that are run for non whitelisted users.
  • Running recheck runs the tests as whitelisted users.

Expected results

  • I expect that if you are a whitelisted user then the tests are the ones whitelisted users can run
  • I Expect that if you are a non whitelisted user then you should only be able to run the tests in the non whitelisted pipeline.

This is fixed in gerrit 2.12.4

https://www.gerritcodereview.com/releases/2.12.md#2.12.4

"•Issue 4324: Set the correct uploader on new patch sets created via the inline editor."

Related Objects
Search...

Event Timeline

Paladox created this task.Oct 21 2016, 10:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 21 2016, 10:39 PM
Paladox added projects: Gerrit, Release-Engineering-Team.Oct 21 2016, 10:41 PM
Paladox added a subtask: T143089: Update gerrit to 2.12.5.
Paladox added subscribers: demon, Dzahn, hashar.
Paladox moved this task from Bugs & stuff to Maybe fixed? on the Gerrit board.Oct 21 2016, 10:43 PM
Paladox added a comment.EditedOct 21 2016, 10:50 PM

The whitelist is there to prevent this, but is failing because of a bug in gerrit which is fixed in gerrit 2.12.4.

Paladox added a project: Zuul.Oct 21 2016, 11:28 PM
matmarex subscribed.Oct 22 2016, 5:38 AM

Hmm. Is this the same issue that's causing web editor patches to be reported on IRC as submitted by the changeset owner, rather than the actual patch submitter?

Paladox added a comment.EditedOct 22 2016, 8:27 AM

Yes, the same is fixed in gerrit 2.12.4

Aklapper added a comment.Oct 22 2016, 10:18 AM
In T148876#2735515, @Paladox wrote:

is failing because of a bug in gerrit which is fixed in gerrit 2.12.4.

Do you have a link to the bug report or the patch?

Paladox added a comment.Oct 22 2016, 10:32 AM

Yes here https://bugs.chromium.org/p/gerrit/issues/detail?id=4324

Paladox added a project: Upstream.Oct 22 2016, 10:52 AM
Paladox moved this task from Backlog to Patch merged upstream on the Upstream board.
hashar triaged this task as High priority.Oct 22 2016, 4:14 PM

That is nice find.

The upstream patch is https://gerrit-review.googlesource.com/#/c/80830/ which is included in Gerrit 2.12.4. So that is another argument to T143089: Update gerrit to 2.12.5.

Paladox added a comment.Oct 22 2016, 5:03 PM

Thankyou yep, I was updating someone elses patch to link to another bug, but found I was being tested in the check pipeline, so I did a recheck and then it tested me In the test pipeline.

Paladox mentioned this in T141329: Patchsets created through web interface attributed to the wrong user.Oct 22 2016, 5:18 PM
Paladox added a comment.Oct 23 2016, 9:25 PM

@hashar we may want to notify openstack about there gerrit version. I'm not sure if the bug exist in that release too - 2.11.4.

Paladox added a comment.Oct 24 2016, 6:09 PM
This comment was removed by Paladox.
Paladox added a comment.Oct 24 2016, 9:29 PM

Fixed in https://gerrit.wikimedia.org/r/317654

Paladox moved this task from Backlog / Other to Patch pending deployment on the acl*security board.Oct 27 2016, 8:32 PM
Paladox merged a task: T149770: Restricted tests are not run when creating a new patchset using Gerrit's web editor.Nov 2 2016, 8:37 AM
Paladox added a subscriber: Nikerabbit.
demon closed this task as Resolved.Nov 15 2016, 6:26 PM
demon claimed this task.
demon closed subtask T143089: Update gerrit to 2.12.5 as Resolved.
demon changed the visibility from "Custom Policy" to "Public (No Login Required)".
demon changed Security from Software security bug to None.
sbassett moved this task from Patch pending deployment to Done on the acl*security board.Sep 26 2019, 2:37 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
hashar moved this task from Maybe fixed? to Bugs & stuff on the Gerrit board.Mar 1 2023, 10:53 AM
Restricted Application added a project: Continuous-Integration-Infrastructure. · View Herald TranscriptMar 1 2023, 10:53 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL