Change-Id: I8380b2e3fa3790c3e3b5080b65cceb75954d24fa
Change-Id: I8952441a47411b906c95e2dca3ccc745ef2d8555
The Change-Id: Iffcd0fbd7 has involuntarily triggered the
creation of a new HTTP Session for every invocation of a Git-over-HTTP
request.
All came from the mistake of tracing the HTTP session instead
of the Gerrit session in the audit record.
The HTTP Servlet API specs say that any attempt to access
the current session of an incoming request would result
in the creation of a brand-new session.
The sessions involuntarily created also had an expiry time
equal to zero, which prevented the session housekeeper
from reclaiming them later on, even though they were unused.
The consequence of creating an empty session for every
Git-over-HTTP request isn't immediately tangible, because
the session is empty and doesn't occupy a significant
amount of memory. However, longer-term, the in-memory
hashtable that records all the sessions, each one using
750 bytes on average, will cause the overload
of the JVM heap and the crash of the process because of
lack of available memory.
Use the correct Gerrit session-id, retrieving
from the Provider<WebSession> the proper session, if active
and logged in, and make sure in tests that no HTTP sessions
are created as a result of a Git-over-HTTP request.
Bug: Issue 13858
Change-Id: I8c086fed54b196c3f46fa88ac78c127784524d30
Simplify the code, remove unused variables and make use of the JUnit
assumption violation feature to avoid running graceful tests in
SSH daemon without activated sshd.gracefulStopTimeout configuration
option.
This is a preparation change to switch to using Apache MINA sshd
client.
Change-Id: I80bb97ac4c15a3af6bff86b0b3d0dcc7887e8314
* stable-2.16:
Update git submodules
Change-Id: Ic71835d9ad79bd2d22cc0dd4a8ee3717d15e6980
* Update plugins/replication from branch 'stable-2.16'
to ba2c8e16b798c2eaf4e56dd66d8c1cd00999e096
- Fix replication to retry on lock errors
Versions of Git released since 2014 have created a new status
"failed to update ref" which replaces the two statuses "failed to lock"
and "failed to write". So, we now see the newer status when the remote
is unable to lock a ref.
Refer to Git commit:
https://github.com/git/git/commit/6629ea2d4a5faa0a84367f6d4aedba53cb0f26b4
Config 'lockErrorMaxRetries' is not removed as part of this change
so that folks who have it configured currently don't run into unexpected
behavior with retries when they upgrade to a newer version of the
plugin. Also, the "failed to lock" check is not removed for folks
still using a version of Git older than 2014.
Change-Id: I9b3b15bebd55df30cbee50a0e0c2190d04f2f443
* Update plugins/replication from branch 'stable-3.0'
to 2a600dede934b348173bff26e00f373367a3d142
- Merge branch 'stable-2.16' into stable-3.0
* stable-2.16:
Fix replication to retry on lock errors
Change-Id: I6e262d2c22d2dcd49b341b3c752d6d8b6c93b32c
- Fix replication to retry on lock errors
Versions of Git released since 2014 have created a new status
"failed to update ref" which replaces the two statuses "failed to lock"
and "failed to write". So, we now see the newer status when the remote
is unable to lock a ref.
Refer to Git commit:
https://github.com/git/git/commit/6629ea2d4a5faa0a84367f6d4aedba53cb0f26b4
Config 'lockErrorMaxRetries' is not removed as part of this change
so that folks who have it configured currently don't run into unexpected
behavior with retries when they upgrade to a newer version of the
plugin. Also, the "failed to lock" check is not removed for folks
still using a version of Git older than 2014.
Change-Id: I9b3b15bebd55df30cbee50a0e0c2190d04f2f443
* stable-2.16:
Update JGit to 5.1.15.202012011955-r
Change-Id: I9f1dba85ca7860082254ba2437dec3bc7b170e16
This version fixes a bug occurring when processing a fetch request and
running gc concurrently.
Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=569349
Change-Id: I605749727d39822683371b98d996f5afdf1604e9
This version fixes a bug occurring when processing a fetch request and
running gc concurrently.
Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=569349
Change-Id: I6aa23a9ac75a059156ee26b5a4e72bab676b7655
* stable-2.16:
Upgrade JGit to 5.1.14.202011251942-r
Change-Id: I3e6c74fa97044e3c16a7c74b01b05d4e7eac1dc7
This version contains the following fix:
Ensure that GC#deleteOrphans respects pack lock
If pack or index files are guarded by a pack lock (.keep file)
deleteOrphans() should not touch the respective files protected by the
lock file. Otherwise it may interfere with PackInserter concurrently
inserting a new pack file and its index.
Release Notes:
https://projects.eclipse.org/projects/technology.jgit/releases/5.1.14
Bug: Issue 13544
Change-Id: Ieeb5a883bcb487a4d45f299aec5b31475002cdd3
* stable-2.16:
Fix bazel run_shell usage for newer versions
Change-Id: I8abcf83cb4886f18a340eda46e560a10e0060ebd
The Bazel option `--incompatible_run_shell_command_string` is going to be flipped to true by default in the upcoming Bazel 4.0 release; see [1] for more details.
Test Plan:
bazel build :release
[1] https://github.com/bazelbuild/bazel/issues/5903
Bug: Issue 13612
Change-Id: Icc9589906198386b1e4805ceeabbb420a7ea1afb
(cherry picked from commit c1f4e91406b9da411dd2f5eab4ee92bfc761e1f4)
This version, in particular, fixes the bug:
"Request without Host header fails with NullPointerException in
ForwardedRequestCustomizer" [1]
This bug caused Gerrit to throw a NullPointerException when serving
forwarded http/1.0 requests having no `Host` header set.
[1] https://github.com/eclipse/jetty.project/issues/5443
Bug: Issue 13752
Change-Id: I9f9f7df74f6d6c3996e044ba9883b2aa8951c209
This version contains the following fix:
Ensure that GC#deleteOrphans respects pack lock
If pack or index files are guarded by a pack lock (.keep file)
deleteOrphans() should not touch the respective files protected by the
lock file. Otherwise it may interfere with PackInserter concurrently
inserting a new pack file and its index.
Release Notes:
https://projects.eclipse.org/projects/technology.jgit/releases/5.1.14
Bug: Issue 13544
Change-Id: I81272f4cac9923b63b0966bcf227325efbf7d0e9
* changes:
Use strict equality
Add a warning if submitting a change with an open change edit
This was done in another commit [1].
[1] https://gerrit-review.googlesource.com/c/gerrit/+/281526/3/polygerrit-ui/app/elements/change/gr-confirm-submit-dialog/gr-confirm-submit-dialog.ts#71
Change-Id: I2ae7435922b55a4e5f5422b73a65bc83c44cdf94
Bug: Issue 12287
Change-Id: I25aa799a69d0fcce1db55d9d1ed87675a6d3f1fb
(cherry picked from commit a36f08348aaab175cab001d6f50be1db903a6d7b)
* stable-2.16:
Update bazel-toolchains to 3.1.0
Change-Id: I77a62d8a61814b46a867fa2784679ed787934c6b
The version of bazel-toolchain in the current WORKSPACE file has some invalid escape sequences (https://buildkite.com/bazel/bazel-at-head-plus-downstream/builds/1756#951353b2-9c81-4819-b89e-e448b043f284). Bazel itself uses bazel-toolchains 3.1.0 right now, and those invalid escape sequences have been fixed some time before 3.1.0.
Change-Id: I013dfb1202bb2cbecd0d479e0fcd9e59a80ce929
(cherry picked from commit f100cda91ea0278bf2d4b1e68f18d35779d3209e)
* stable-2.16:
Disk cache metrics require cache.enableDiskStatMetrics
Set version to 2.14.22
Workaround Gitiles bug on All-Users visibility
Validate Gerrit changes on stable-2.15 with Jenkins
Set version to 2.15.22-SNAPSHOT
Set version to 2.15.21
Set version to 2.16.26-SNAPSHOT
Set version to 2.16.25
Workaround Gitiles bug on All-Users visibility
Workaround Gitiles bug on All-Users visibility
Set version to 2.15.21-SNAPSHOT
Set version to 2.15.20
Fetch JGit documentation from the archive site
Remove generation for c.g.gwtexpui.* JavaDoc
Set version to 2.16.25-SNAPSHOT
Set version to 2.16.24
Make PermissionBackend#ForRef authoritative
Validate Gerrit changes on stable-2.15 with Jenkins
Fix tests for stable-2.15 branch
Make PermissionBackend#ForRef authoritative
Change-Id: I43524c086a41461138d29dcea1aaf2edefce42c5
* stable-2.15:
Set version to 2.14.22
Workaround Gitiles bug on All-Users visibility
Validate Gerrit changes on stable-2.15 with Jenkins
Set version to 2.15.22-SNAPSHOT
Set version to 2.15.21
Workaround Gitiles bug on All-Users visibility
Set version to 2.15.21-SNAPSHOT
Set version to 2.15.20
Fetch JGit documentation from the archive site
Remove generation for c.g.gwtexpui.* JavaDoc
Make PermissionBackend#ForRef authoritative
Validate Gerrit changes on stable-2.15 with Jenkins
Fix tests for stable-2.15 branch
Change-Id: I8cf90d6a78c946f12140462f97e81cca3f3c18e3
* stable-2.14:
Set version to 2.14.22
Workaround Gitiles bug on All-Users visibility
Validate Gerrit changes on stable-2.15 with Jenkins
Change-Id: I1839c9aebbbe14544464e07025fbd96d576dd5bf
* stable-2.14-2020-11.notedb-refs-tags:
Set version to 2.14.22
Workaround Gitiles bug on All-Users visibility
Validate Gerrit changes on stable-2.15 with Jenkins
Also, set target version to 2.14.23-SNAPSHOT.
Change-Id: I400d374a5950c95d9abfedc8a6ff07a6b4864b66
Change-Id: Id3c767d04411ac7551e7016a37136a77e4ae8118
Gitiles has a special FilteredRepository wrapper that
allows refs to be carefully hidden based on the project's ACLs.
There is however an optimisation that skips the filtering
in case a user has READ permissions on every ACL pattern.
When the target repository is All-Users, the optimisation
turns into a security issue because it allows seeing everything
that belongs to everyone:
- draft comments
- PII of all users
- external ids
- draft edits
Block Gitiles or any other part of Gerrit from abusing this
power when the target repository is All-Users, where nobody
can be authorised to skip the ACLs evaluation.
Cover the additional special case of the All-Users project
access with two explicit positive and negative tests,
so that the security check is covered.
Bug: Issue 13621
Change-Id: Ia6ea1a9fd5473adff534204aea7d8f25324a45b7
(cherry picked from commit 45071d6977932bca5a1427c8abad24710fed2e33)
(cherry picked from commit 1be1d6ff45f18c978fd21e5c7d437d0a1351d7d8)
Change-Id: I35c47ba60c08e8d5d1f767672b5e83b7d29fea1b
(cherry picked from commit 1346eab23259f8dc4adec9cb098e2f818c9cf79d)
* stable-2.15-2020-11.notedb-refs-tags:
Set version to 2.15.22-SNAPSHOT
Set version to 2.15.21
Workaround Gitiles bug on All-Users visibility
Set version to 2.15.21-SNAPSHOT
Set version to 2.15.20
Fetch JGit documentation from the archive site
Remove generation for c.g.gwtexpui.* JavaDoc
Make PermissionBackend#ForRef authoritative
Validate Gerrit changes on stable-2.15 with Jenkins
Fix tests for stable-2.15 branch
Change-Id: I91db12c2c627550b2e897ccb4d7e27ee760cd32d
Change-Id: I1ed863213d9946b77ae558d52094731db10ff721
Change-Id: I3e3eb891d717169f912a20e7de948cea1f47fab3
Gitiles has a special FilteredRepository wrapper that
allows refs to be carefully hidden based on the project's ACLs.
There is however an optimisation that skips the filtering
in case a user has READ permissions on every ACL pattern.
When the target repository is All-Users, the optimisation
turns into a security issue because it allows seeing everything
that belongs to everyone:
- draft comments
- PII of all users
- external ids
- draft edits
Block Gitiles or any other part of Gerrit from abusing this
power when the target repository is All-Users, where nobody
can be authorised to skip the ACLs evaluation.
Cover the additional special case of the All-Users project
access with two explicit positive and negative tests,
so that the security check is covered.
Bug: Issue 13621
Change-Id: Ia6ea1a9fd5473adff534204aea7d8f25324a45b7
(cherry picked from commit 45071d6977932bca5a1427c8abad24710fed2e33)
Change-Id: I3f5c762fda9d47da21685ca12b0f6c80032a3be2
Change-Id: I83a8ece5ace5da608b3377461c572399b70962d0
Change-Id: I8e78f5064fda7c2ff73134f6ac3d681c6be2e7d1
The JavaDoc for com.google.gwtexpui.* cannot be generated
because the source files are not accessible anymore.
Failing to generate the JavaDocs caused the Gerrit build to
fail with 'No source files for package com.google.gwtexpui...'.
Change-Id: Ie36e650962636813d8f9f615e495a980b7280420
This change fixes a misconception that leads to data being accessible
through Gerrit APIs that should be locked down.
Gerrit had two components for determining if a Git ref is visible to a
user: (Default)RefFilter and PermissionBackend#ForRef (ex RefControl).
The former was always capable of providing correct results for all refs.
The latter only had logic to decide if a Git ref is visible according to
the Gerrit READ permissions. This includes all refs under refs/heads as
well as any other ref that isn't a database ref or a Git tag. This
component was unaware of Git tags and database references. Hence, when
asked for a database reference such as refs/changes/xx/yyyyxx/meta the
logic would allow access if the user has READ permissions on any of the
ref prefixes, such as the default "read refs/* Anonymous Users".
That is problematic, because it bypasses documented behavior [1] where
a user should only have access to a change if they can see the destination
ref. The same goes for other database references.
This change fixes the problem. It is intentionally kept to a minimally
invasive code change so that it's easier to backport it.
Add tests to assert the correct behavior. These tests would fail before
this fix. We have included them in this change to be able to backport
just a single commit.
[1] https://gerrit-review.googlesource.com/Documentation/access-control.html
Change-Id: Ice3a756cf573dd9b38e3f198ccc44899ccf65f75
Change-Id: I35c47ba60c08e8d5d1f767672b5e83b7d29fea1b
Add the 'manual' tag to wct test_suite templates,
so it is excluded from bazel test //...
(cherry picked from commit ae42cd00bdfa8a34e75c563b62f0151a561cc82b)
Change-Id: Idc62df90e90e6000fa0792799a3997580fc6b011
After setting up the metrics-reporter-prometheus, I have missed entries
for caches/disk_cached and caches/disk_hit_ratio. Turns out they are
disabled by default via cache.enableDiskStatMetrics.
The feature flag comes from I41ee2d9a368c312b7b2729d17d6c19bee0d90922
which has been backported to all stable branches.
Add to the metrics documentation a reference to the enableDiskStatMetrics
setting.
Change-Id: I3620e0cb68b992f094a1b8d7b0016fc834a8e7e6
* stable-2.16-2020-11.notedb-refs-tags:
Set version to 2.16.26-SNAPSHOT
Set version to 2.16.25
Workaround Gitiles bug on All-Users visibility
Set version to 2.16.25-SNAPSHOT
Set version to 2.16.24
Make PermissionBackend#ForRef authoritative
Change-Id: Idec7d52fa1ef663240b4e3ca3900427b87d8d003
Change-Id: Icc689699eff3eb06a6b10e8221feab87e38b11e0
Change-Id: I67be710b6fda2069e798964ec81ad9add637bab5
Gitiles has a special FilteredRepository wrapper that
allows refs to be carefully hidden based on the project's ACLs.
There is however an optimisation that skips the filtering
in case a user has READ permissions on every ACL pattern.
When the target repository is All-Users, the optimisation
turns into a security issue because it allows seeing everything
that belongs to everyone:
- draft comments
- PII of all users
- external ids
- draft edits
Block Gitiles or any other part of Gerrit from abusing this
power when the target repository is All-Users, where nobody
can be authorised to skip the ACLs evaluation.
Cover the additional special case of the All-Users project
access with two explicit positive and negative tests,
so that the security check is covered.
Bug: Issue 13621
Change-Id: Ia6ea1a9fd5473adff534204aea7d8f25324a45b7
(cherry picked from commit 45071d6977932bca5a1427c8abad24710fed2e33)
Change-Id: Icc90a7b68e2764cbdb677c7a7f2261c7cf015e7c
Change-Id: If3ea98f0db8ef6b102ce3775e19a64739b883f8e
This change fixes a misconception that leads to data being accessible
through Gerrit APIs that should be locked down.
Gerrit had two components for determining if a Git ref is visible to a
user: (Default)RefFilter and PermissionBackend#ForRef (ex RefControl).
The former was always capable of providing correct results for all refs.
The latter only had logic to decide if a Git ref is visible according to
the Gerrit READ permissions. This includes all refs under refs/heads as
well as any other ref that isn't a database ref or a Git tag. This
component was unaware of Git tags and database references. Hence, when
asked for a database reference such as refs/changes/xx/yyyyxx/meta the
logic would allow access if the user has READ permissions on any of the
ref prefixes, such as the default "read refs/* Anonymous Users".
That is problematic, because it bypasses documented behavior [1] where
a user should only have access to a change if they can see the destination
ref. The same goes for other database references.
This change fixes the problem. It is intentionally kept to a minimally
invasive code change so that it's easier to backport it.
Add tests to assert the correct behavior. These tests would fail before
this fix. We have included them in this change to be able to backport
just a single commit.
[1] https://gerrit-review.googlesource.com/Documentation/access-control.html
Change-Id: Ice3a756cf573dd9b38e3f198ccc44899ccf65f75