From bb3011f0b03cb31c1f06e488314a4e1f2f220ca2 Mon Sep 17 00:00:00 2001 From: David Ostrovsky Date: Thu, 27 Dec 2018 22:39:09 +0100 Subject: [PATCH 1/5] Upgrade JGit to 4.5.5.201812240535-r This release fixes an issue where AdvertiseRefsHook was not called for git-upload-pack in protocol v0 bidirectional transports, meaning that wants aren't validated and a user can fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as they can guess the object name. Bug: Issue 10262 Change-Id: I5c1af5c7c549e1796fe6347c1ec08797471393a1 --- lib/jgit/BUCK | 18 +++++++++++------- lib/maven.defs | 1 + tools/util.py | 1 + 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/lib/jgit/BUCK b/lib/jgit/BUCK index b6dd17d3ac..8c9e1c6af9 100644 --- a/lib/jgit/BUCK +++ b/lib/jgit/BUCK @@ -1,16 +1,17 @@ include_defs('//lib/maven.defs') -REPO = MAVEN_CENTRAL # Leave here even if set to MAVEN_CENTRAL. -VERS = '4.5.4.201711221230-r' +REPO = ECLIPSE # Leave here even if set to MAVEN_CENTRAL. +VERS = '4.5.5.201812240535-r' maven_jar( name = 'jgit', id = 'org.eclipse.jgit:org.eclipse.jgit:' + VERS, - bin_sha1 = 'b30f322c7d441260f4fa454ce5de65cf7e961274', - src_sha1 = '459f648f8bbf10e1aa0b122d4f9919e1779922e9', + bin_sha1 = '1dac8dd7deb4ec72939fe30cd6fd57c22fd4a403', + src_sha1 = '6c5fe5a2bd6b12571d15984916463f2f28223a93', license = 'jgit', unsign = True, deps = [':ewah'], + repository = REPO, exclude = [ 'META-INF/eclipse.inf', 'about.html', @@ -21,9 +22,10 @@ maven_jar( maven_jar( name = 'jgit-servlet', id = 'org.eclipse.jgit:org.eclipse.jgit.http.server:' + VERS, - sha1 = '264fac29b6007146127156113ed3d4e0aa922b39', + sha1 = '6498fa4f4bd5db11d3069952540b68a9aef024c2', license = 'jgit', deps = [':jgit'], + repository = REPO, unsign = True, exclude = [ 'about.html', 
@@ -34,12 +36,13 @@ maven_jar( maven_jar( name = 'jgit-archive', id = 'org.eclipse.jgit:org.eclipse.jgit.archive:' + VERS, - sha1 = '6b0b919ee42bf8276193c3c03581634bc3aa7e18', + sha1 = 'd64327d788ae43d79eb4e42d2432646c7b485789', license = 'jgit', deps = [':jgit', '//lib/commons:compress', '//lib:tukaani-xz', ], + repository = REPO, unsign = True, exclude = [ 'about.html', @@ -50,10 +53,11 @@ maven_jar( maven_jar( name = 'junit', id = 'org.eclipse.jgit:org.eclipse.jgit.junit:' + VERS, - sha1 = '58ca0a0fba72f2db6e6b27bd464dc44a946a617c', + sha1 = '50c36e367e7df961c1acc9308b7d52ea21a73d91', license = 'DO_NOT_DISTRIBUTE', unsign = True, deps = [':jgit'], + repository = REPO, ) maven_jar( diff --git a/lib/maven.defs b/lib/maven.defs index 7f0bc1dfa2..1b36fdb498 100644 --- a/lib/maven.defs +++ b/lib/maven.defs @@ -13,6 +13,7 @@ # limitations under the License. ATLASSIAN = 'ATLASSIAN:' +ECLIPSE = 'ECLIPSE:' GERRIT = 'GERRIT:' GERRIT_API = 'GERRIT_API:' ECLIPSE = 'ECLIPSE:' diff --git a/tools/util.py b/tools/util.py index ceb89adcea..fb49664251 100644 --- a/tools/util.py +++ b/tools/util.py @@ -23,6 +23,7 @@ except ImportError: REPO_ROOTS = { 'ATLASSIAN': 'https://maven.atlassian.com/content/repositories/atlassian-3rdparty', + 'ECLIPSE': 'https://repo.eclipse.org/content/groups/releases', 'GERRIT': 'http://gerrit-maven.storage.googleapis.com', 'GERRIT_API': 'https://gerrit-api.commondatastorage.googleapis.com/release', 'ECLIPSE': 'https://repo.eclipse.org/content/groups/releases', From a9c456548354fd99f6f5d9934f90800e5b117adb Mon Sep 17 00:00:00 2001 From: David Ostrovsky Date: Fri, 28 Dec 2018 09:23:12 +0100 Subject: [PATCH 2/5] maven_jar: Add repo.eclipse.org to supported repositories Change-Id: Ida1d56b8dd9a78fe4f0787aada9ac327be79f5ad --- tools/bzl/maven_jar.bzl | 2 ++ tools/util.py | 1 + 2 files changed, 3 insertions(+) diff --git a/tools/bzl/maven_jar.bzl b/tools/bzl/maven_jar.bzl index 05f18bd14a..821e037687 100644 --- a/tools/bzl/maven_jar.bzl 
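Review bot: The added `ECLIPSE = 'ECLIPSE:'` in lib/maven.defs duplicates the `ECLIPSE = 'ECLIPSE:'` already visible as the last context line of the same hunk, so the file now defines the alias twice; the same applies to the `'ECLIPSE': 'https://repo.eclipse.org/content/groups/releases',` entry added to REPO_ROOTS in tools/util.py in this patch, where an identical entry is already present three lines below. In a Python dict literal the later duplicate key silently wins, so nothing breaks today, but linters flag it and a future edit to only one copy would leave the alias and the root URL that the sha1-pinned jgit downloads are fetched from defined inconsistently. Drop the added line in both files (or remove the pre-existing one) so each repository alias and its root URL is defined exactly once.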
+++ b/tools/bzl/maven_jar.bzl @@ -6,6 +6,8 @@ MAVEN_CENTRAL = "MAVEN_CENTRAL:" MAVEN_LOCAL = "MAVEN_LOCAL:" +ECLIPSE = "ECLIPSE:" + def _maven_release(ctx, parts): """induce jar and url name from maven coordinates.""" if len(parts) not in [3, 4]: diff --git a/tools/util.py b/tools/util.py index e8182ed9d8..0967f1b539 100644 --- a/tools/util.py +++ b/tools/util.py @@ -15,6 +15,7 @@ from os import path REPO_ROOTS = { + 'ECLIPSE': 'https://repo.eclipse.org/content/groups/releases', 'GERRIT': 'http://gerrit-maven.storage.googleapis.com', 'GERRIT_API': 'https://gerrit-api.commondatastorage.googleapis.com/release', 'MAVEN_CENTRAL': 'http://repo1.maven.org/maven2', From 0b61aa0aa19afe84b83766572cda46f6cb529dd8 Mon Sep 17 00:00:00 2001 From: David Ostrovsky Date: Thu, 27 Dec 2018 21:34:08 +0100 Subject: [PATCH 3/5] Upgrade JGit to 4.7.7.201812240805-r This release fixes an issue where AdvertiseRefsHook was not called for git-upload-pack in protocol v0 bidirectional transports, meaning that wants aren't validated and a user can fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as they can guess the object name. Bug: Issue 10262 Change-Id: I8b81336acffc655f8d768ba84c8b95a086397b32 --- lib/jgit/jgit.bzl | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/lib/jgit/jgit.bzl b/lib/jgit/jgit.bzl index 1b7e652fe4..e010710a7c 100644 --- a/lib/jgit/jgit.bzl +++ b/lib/jgit/jgit.bzl 
@@ -1,12 +1,12 @@ -load("//tools/bzl:maven_jar.bzl", "MAVEN_CENTRAL", "maven_jar") +load("//tools/bzl:maven_jar.bzl", "ECLIPSE", "maven_jar") -_JGIT_VERS = "4.7.6.201810191618-r" +_JGIT_VERS = "4.7.7.201812240805-r" _DOC_VERS = _JGIT_VERS # Set to _JGIT_VERS unless using a snapshot JGIT_DOC_URL = "http://download.eclipse.org/jgit/site/" + _DOC_VERS + "/apidocs" -_JGIT_REPO = MAVEN_CENTRAL # Leave here even if set to MAVEN_CENTRAL. +_JGIT_REPO = ECLIPSE # Leave here even if set to MAVEN_CENTRAL. # set this to use a local version. # "/home//projects/jgit" @@ -35,28 +35,28 @@ def jgit_maven_repos(): name = "jgit-lib", artifact = "org.eclipse.jgit:org.eclipse.jgit:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "e65c01d8f3a30a413b613f1fa5f770bfa8b62c81", - src_sha1 = "c837b9e774573afcb8a80ee318c2fbf1a3f29dd2", + sha1 = "d2358e838084d2482d51b51b70fd34a356495925", + src_sha1 = "29471dec1313292c0b97a9b89bc3009802145497", unsign = True, ) maven_jar( name = "jgit-servlet", artifact = "org.eclipse.jgit:org.eclipse.jgit.http.server:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "e55ba5476474939aaf74c76f3aa9f377391ee043", + sha1 = "ed85179e4fd6aabadf00db035578dd0888c68228", unsign = True, ) maven_jar( name = "jgit-archive", artifact = "org.eclipse.jgit:org.eclipse.jgit.archive:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "6d873357c44f217f59f52a70cd91fa30bd80e79a", + sha1 = "83820dc9253d6e1450742cbea9f7de265caf2a89", ) maven_jar( name = "jgit-junit", artifact = "org.eclipse.jgit:org.eclipse.jgit.junit:" + _JGIT_VERS, repository = _JGIT_REPO, - sha1 = "50932594f877a56f88d2a5ab4b19198a4dfd495a", + sha1 = "3275d89afdad003b03a055a8a2b838cc512cd2fc", unsign = True, ) From 2afce52141f7495d6867a9aeb0bcbd0c7494288f Mon Sep 17 00:00:00 2001 
From: David Ostrovsky Date: Sat, 5 Jan 2019 17:04:59 +0100 Subject: [PATCH 4/5] Revert "Fix the missing DB entry in Gerrit DB" This reverts commit fcc90699fdec17b941a473221d228c832a533fc0. Reason for revert: Security vulnerability for OAuth and OpenID auth schemes. OAuth and OpenID authentication schemes support multiple identity providers, e.g.: CAS-OAuth2 and GitHub-OAuth2. An attacker can easily impersonate an existing Gerrit user by creating an account on a different provider with exactly the same username as the existing Gerrit account. Instead of creating a fresh new user, the new account is erroneously linked to the existing Gerrit account, even though the account linking feature was not triggered from the Gerrit UI. The original commit tried to fix an intermittent database corruption problem (a missing record in the database) in the context of a single identity provider (LDAP), where such a problem doesn't exist, as there is no way that one single username can belong to physically different users. Nevertheless, another workaround should be found, as trying to recover on the fly introduces a severe security breach for the other auth schemes supported in Gerrit. If all else fails, the missing database record has to be inserted manually and the corresponding account must be re-indexed. Bug: Issue 7652 Bug: Issue 10242 Change-Id: Icba3452c153b2ae3cc1a4ebc569342641f38c07c --- .../gerrit/server/account/AccountManager.java | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java index a4c39e07aa..ee337981db 100644 --- a/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java +++ b/gerrit-server/src/main/java/com/google/gerrit/server/account/AccountManager.java
@@ -14,7 +14,6 @@ package com.google.gerrit.server.account; -import static com.google.gerrit.server.account.ExternalId.SCHEME_USERNAME; import static java.util.stream.Collectors.toSet; import com.google.common.base.Strings; @@ -108,23 +107,8 @@ public class AccountManager { try (ReviewDb db = schema.open()) { ExternalId id = findExternalId(db, who.getExternalIdKey()); if (id == null) { - if (who.getUserName() != null) { - ExternalId.Key key = ExternalId.Key.create(SCHEME_USERNAME, who.getUserName()); - ExternalId existingId = findExternalId(db, key); - if (existingId != null) { - // An inconsistency is detected in the database, having a record for scheme - // "username:" - // but no record for scheme "gerrit:". Try to recover by linking - // "gerrit:" identity to the existing account. - log.warn( - "User {} already has an account; link new identity to the existing account.", - who.getUserName()); - return link(existingId.accountId(), who); - } - } // New account, automatically create and return. // - log.debug("External ID not found. Attempting to create new account."); return create(db, who); } @@ -367,16 +351,13 @@ public class AccountManager { public AuthResult link(Account.Id to, AuthRequest who) throws AccountException, OrmException, IOException { try (ReviewDb db = schema.open()) { - log.debug("Link another authentication identity to an existing account"); ExternalId extId = findExternalId(db, who.getExternalIdKey()); if (extId != null) { if (!extId.accountId().equals(to)) { throw new AccountException("Identity in use by another account"); } - log.debug("Updating existing external ID data"); update(db, who, extId); } else { - log.debug("Linking new external ID to the existing account"); externalIdsUpdateFactory .create() .insert( From 2cc0e17c1ca164ef223ac06c09357aa3571c38b6 Mon Sep 17 00:00:00 2001 
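Review bot: After the revert, the `id == null` branch in the `@@ -108,23 +107,8 @@` hunk falls straight through to `return create(db, who);` with no diagnostic left, so an operator can no longer tell from the logs when the `username:`/`gerrit:` inconsistency the reverted commit was reacting to recurs — the warning that reported it is removed together with the unsafe automatic `link(...)`. Consider keeping a log line that only reports and never links, e.g. `log.info("No external ID {} found; creating a new account", who.getExternalIdKey());` placed before `return create(db, who);`, using the `log` field that this diff leaves in place. Whether `create(db, who)` itself detects a pre-existing `username:` external ID for the same user name is outside the hunk and worth confirming, since the commit message relies on manual repair and re-indexing for that case. The enclosing method starts before and ends after this hunk.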
From: David Pursehouse Date: Mon, 7 Jan 2019 08:43:41 +0900 Subject: [PATCH 5/5] Set version to 2.14.18 Change-Id: I946886eabb8e82b53bf78b712dee1e6dffae0e9e --- gerrit-acceptance-framework/pom.xml | 2 +- gerrit-extension-api/pom.xml | 2 +- gerrit-plugin-api/pom.xml | 2 +- gerrit-plugin-gwtui/pom.xml | 2 +- gerrit-war/pom.xml | 2 +- version.bzl | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/gerrit-acceptance-framework/pom.xml b/gerrit-acceptance-framework/pom.xml index 678d5ea182..1b78dd1c47 100644 --- a/gerrit-acceptance-framework/pom.xml +++ b/gerrit-acceptance-framework/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-acceptance-framework - 2.14.18-SNAPSHOT + 2.14.18 jar Gerrit Code Review - Acceptance Test Framework Framework for Gerrit's acceptance tests diff --git a/gerrit-extension-api/pom.xml b/gerrit-extension-api/pom.xml index 36f8d3a985..93da8c9766 100644 --- a/gerrit-extension-api/pom.xml +++ b/gerrit-extension-api/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-extension-api - 2.14.18-SNAPSHOT + 2.14.18 jar Gerrit Code Review - Extension API API for Gerrit Extensions diff --git a/gerrit-plugin-api/pom.xml b/gerrit-plugin-api/pom.xml index f9f5db67ed..acdbcd1829 100644 --- a/gerrit-plugin-api/pom.xml +++ b/gerrit-plugin-api/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-api - 2.14.18-SNAPSHOT + 2.14.18 jar Gerrit Code Review - Plugin API API for Gerrit Plugins diff --git a/gerrit-plugin-gwtui/pom.xml b/gerrit-plugin-gwtui/pom.xml index 7dcfdd5609..2b475168d6 100644 --- a/gerrit-plugin-gwtui/pom.xml +++ b/gerrit-plugin-gwtui/pom.xml @@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-plugin-gwtui - 2.14.18-SNAPSHOT + 2.14.18 jar Gerrit Code Review - Plugin GWT UI Common Classes for Gerrit GWT UI Plugins diff --git a/gerrit-war/pom.xml b/gerrit-war/pom.xml index f88b63892b..f438621e1f 100644 --- a/gerrit-war/pom.xml +++ b/gerrit-war/pom.xml 
@@ -2,7 +2,7 @@ 4.0.0 com.google.gerrit gerrit-war - 2.14.18-SNAPSHOT + 2.14.18 war Gerrit Code Review - WAR Gerrit WAR diff --git a/version.bzl b/version.bzl index ad2a42ab75..86b6be5291 100644 --- a/version.bzl +++ b/version.bzl @@ -2,4 +2,4 @@ # Used by :api_install and :api_deploy targets # when talking to the destination repository. # -GERRIT_VERSION = "2.14.18-SNAPSHOT" +GERRIT_VERSION = "2.14.18"