From 7fc7b78a0413979c7282d69ca4e52dc2e934071c Mon Sep 17 00:00:00 2001
From: Xavier Morel
Date: Mon, 24 Sep 2018 10:06:58 +0200
Subject: [PATCH] [FIX] runbot_merge: security concern

The webhook used the "sender" of the event as comment author, however if the comment is edited by a maintainer github sends a "issue_comment" event with that maintainer as sender. This means a random user could create a comment with a robodoo command, and if a registered reviewer happened to edit the comment the command would suddenly be taken in account. This was not the intention.
---
 runbot_merge/controllers/__init__.py | 2 +-
 runbot_merge/tests/fake_github/__init__.py | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/runbot_merge/controllers/__init__.py b/runbot_merge/controllers/__init__.py
index 23b65317..f5efcfb3 100644
--- a/runbot_merge/controllers/__init__.py
+++ b/runbot_merge/controllers/__init__.py
@@ -215,7 +215,7 @@ def handle_comment(env, event):
 
     repo = event['repository']['full_name']
     issue = event['issue']['number']
-    author = event['sender']['login']
+    author = event['comment']['user']['login']
     comment = event['comment']['body']
 
     _logger.info('comment: %s %s:%s "%s"', author, repo, issue, comment)
diff --git a/runbot_merge/tests/fake_github/__init__.py b/runbot_merge/tests/fake_github/__init__.py
index 5d39b66f..5b1f1600 100644
--- a/runbot_merge/tests/fake_github/__init__.py
+++ b/runbot_merge/tests/fake_github/__init__.py
@@ -747,8 +747,7 @@ class Client(werkzeug.test.Client):
             'action': 'created',
             'issue': { 'number': issue.number },
             'repository': self._repo(issue.repo.name),
-            'sender': { 'login': user },
-            'comment': { 'body': body },
+            'comment': { 'body': body, 'user': {'login': user } },
         }
         if isinstance(issue, PR):
             contents['issue']['pull_request'] = { 'url': 'fake' }
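Review bot: Reading `author` from `event['comment']['user']['login']` closes the case in the commit message, but an `issue_comment` delivery whose `action` is `edited` is still attributed to the original commenter, so an edit of a reviewer's comment by another account with edit rights would be processed as that reviewer's command; the visible lines never look at `event['action']`, though handle_comment continues outside the hunk and may filter on it elsewhere. If it does not, consider accepting commands only from `created` deliveries, `if event['action'] != 'created': return`, or at least recording both identities when they differ by adding `event['sender']['login']` to the `_logger.info` call so the log shows who actually triggered the delivery. A one-line comment above the assignment would also keep the reasoning next to the code: `# attribute the command to the comment's author, not the event sender: an edit by a maintainer makes the maintainer the sender`.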
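Review bot: The fake payload now drops `sender` altogether, whereas real GitHub `issue_comment` deliveries carry both `sender` and `comment.user`, so the fixture can no longer produce the divergent-identity event the commit message describes and the fix has no regression test. Consider keeping `'sender': { 'login': user },` next to the new `'user'` key, with a way for a test to supply a different sender, and adding a test that asserts a command is ignored when the sender is a reviewer but the comment author is not. The enclosing method of `Client` starts outside the hunk.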