Fix private user email being visible in tag webhooks

Fixes #54721

Fix private user email being visible in tag webhooks
c3cfffbc · Luke Duncalfe · 71729b38 · c3cfffbc · c3cfffbc · c3cfffbc
Commit c3cfffbc authored 6 years ago by Luke Duncalfe
--- a/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
+++ b/changelogs/unreleased/security-fix-user-email-tag-push-leak.yml
+---
+title: Fix private user email being visible in push (and tag push) webhooks
+merge_request:
+author:
+type: security
--- a/lib/gitlab/data_builder/push.rb
+++ b/lib/gitlab/data_builder/push.rb
@@ -93,7 +93,7 @@ module Gitlab
          user_id: user.id,
          user_name: user.name,
          user_username: user.username,
-          user_email: user.email,
+          user_email: user.public_email,
          user_avatar: user.avatar_url(only_path: false),
          project_id: project.id,
          project: project.hook_attrs,

--- a/spec/lib/gitlab/data_builder/push_spec.rb
+++ b/spec/lib/gitlab/data_builder/push_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
  
 describe Gitlab::DataBuilder::Push do
  let(:project) { create(:project, :repository) }
-  let(:user) { build(:user) }
+  let(:user) { build(:user, public_email: 'public-email@example.com') }
  
  describe '.build_sample' do
    let(:data) { described_class.build_sample(project, user) }
@@ -36,7 +36,7 @@ describe Gitlab::DataBuilder::Push do
    it { expect(data[:user_id]).to eq(user.id) }
    it { expect(data[:user_name]).to eq(user.name) }
    it { expect(data[:user_username]).to eq(user.username) }
-    it { expect(data[:user_email]).to eq(user.email) }
+    it { expect(data[:user_email]).to eq(user.public_email) }
    it { expect(data[:user_avatar]).to eq(user.avatar_url) }
    it { expect(data[:project_id]).to eq(project.id) }
    it { expect(data[:project]).to be_a(Hash) }