
Repository Identity "Automatically Detected User": don't trust unverified emails

Authored by valerio.bozzolan on Dec 5 2024, 09:58.

Make sure that Repository Diffusion Identities "Automatically Detected User" are not created from unverified emails.

Closes T15965

Test Plan

Find at least one identity that is assigned to nobody:

(For example, you may easily find an identity of "GitHub <>")

(Double check that its "Assigned To" is unset or make sure it's unset for this test)

Be evil: add *that* email in your Profile > Settings > Email addresses. So, for example add "", like a rogue. The email can stay unverified.

Run this command to immediately cause an effect:

./bin/repository rebuild-identities --all-identities
  • before this change, you can reproduce that you successfully steal that identity and you become "GitHub" or whoever
  • after this change, you see that "Automatically Detected User" is unset again
  • after this change, any other identity manually assigned is still assigned to that value
  • after this change, any other identity automatically assigned to verified emails is still "Automatically Detected User"
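A small model of the behaviour this test plan exercises, added here as an example and not Phorge's own code: an identity's automatic owner is re-derived from the users' email addresses, and `require_verified=False` replays the pre-fix matching that let an unverified address claim an identity. Users, usernames and addresses below are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    username: str
    verified: set = field(default_factory=set)    # addresses the user has confirmed
    unverified: set = field(default_factory=set)  # addresses added but never confirmed

@dataclass
class Identity:
    email: str                         # author address seen in the repository history
    manual_user: Optional[str] = None  # "Assigned To": set by a human, always wins
    auto_user: Optional[str] = None    # "Automatically Detected User"

def user_for_email(users, email, require_verified):
    """Return the username owning `email`, honouring the verification rule."""
    for u in users:
        if email in u.verified:
            return u.username
        if not require_verified and email in u.unverified:
            return u.username  # pre-fix behaviour: an unverified claim is enough
    return None

def rebuild_identity(identity, users, require_verified=True):
    """Model of rebuild-identities: refresh only the automatic assignment."""
    identity.auto_user = user_for_email(users, identity.email, require_verified)
    return identity

def effective_user(identity):
    """The manual assignment takes precedence over the detected one."""
    return identity.manual_user or identity.auto_user

# Constructed sample data (hypothetical accounts and addresses).
ALICE = User("alice", verified={"alice@example.test"})
MALLORY = User("mallory", unverified={"bot@example.test"})  # claims the bot's address, never verifies
USERS = [ALICE, MALLORY]

def scenario(require_verified):
    """Returns the effective owner of three identities: the unowned bot identity,
    a manually pinned one with the same address, and one backed by a verified address."""
    bot = rebuild_identity(Identity("bot@example.test"), USERS, require_verified)
    pinned = rebuild_identity(Identity("bot@example.test", manual_user="carol"), USERS, require_verified)
    alice = rebuild_identity(Identity("alice@example.test"), USERS, require_verified)
    return effective_user(bot), effective_user(pinned), effective_user(alice)

if __name__ == "__main__":
    print("before fix:", scenario(require_verified=False))  # ('mallory', 'carol', 'alice')
    print("after fix: ", scenario(require_verified=True))   # (None, 'carol', 'alice')
```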

Diff Detail

rP Phorge
Lint Passed
Tests Passed
Build Status
Buildable 1640
Build 1640: arc lint + arc unit

Event Timeline

valerio.bozzolan changed the edit policy from "All Users" to "Custom Policy".
valerio.bozzolan changed the visibility from "Public (No Login Required)" to "Custom Policy". (Dec 5 2024, 10:02)
valerio.bozzolan changed the edit policy from "Custom Policy" to "All Users".
valerio.bozzolan added a subscriber: aklapper.
valerio.bozzolan retitled this revision from "Repository Identity: don't trust unverified emails" to "Repository Identity "Automatically Detected User": don't trust unverified emails". (Dec 9 2024, 08:57)
valerio.bozzolan edited the summary of this revision. (Show Details)
This revision is now accepted and ready to land. (Dec 11 2024, 02:23)

Thanks folks 💃 Let's land and open visibility, so other people can read more and cherry-pick in their stable if they need.

P.S. sorry for the late test plan completion :D :D I've tested it in my production btw

valerio.bozzolan changed the visibility from "Custom Policy" to "Public (No Login Required)". (Dec 11 2024, 08:31)