search

go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License
44.44k stars 5.43k forks source link

Webhook Request to Woodpecker CI with wrong mail address in pusher #28532

Open philipkozeny opened 9 months ago

philipkozeny commented 9 months ago

Description

I am running Gitea and Woodpecker CI. For some releases now there might be a bug in the mail address of the commit author / pusher, that gets sent to Woodpecker via the web hook.

Here is an example of the Content Request:

{
  "ref": "refs/heads/main",
  "before": "a930081ca449a21d4416bdeb345bc4d3181b916e",
  "after": "3d6d4085e41d1a044a67c15ddb99a7ea4746ded7",
  "compare_url": "xxxx/compare/a930081ca449a21d4416bdeb345bc4d3181b916e...3d6d4085e41d1a044a67c15ddb99a7ea4746ded7",
  "commits": [
    {
      "id": "3d6d4085e41d1a044a67c15ddb99a7ea4746ded7",
      "message": "Update .woodpecker.yml\n",
      "url": "xxxx/commit/3d6d4085e41d1a044a67c15ddb99a7ea4746ded7",
      "author": {
        "name": "Philip Kozeny",
        "email": "philip.kozeny@mydomain.com",
        "username": "philip.kozeny"
      },
      "committer": {
        "name": "Philip Kozeny",
        "email": "philip.kozeny@mydomain.com",
        "username": "philip.kozeny"
      },
      "verification": null,
      "timestamp": "2023-12-19T10:32:26Z",
      "added": [],
      "removed": [],
      "modified": [
        ".woodpecker.yml"
      ]
    }
  ],
  "total_commits": 1,
  "head_commit": {
    "id": "3d6d4085e41d1a044a67c15ddb99a7ea4746ded7",
    "message": "Update .woodpecker.yml\n",
    "url": "xxx/commit/3d6d4085e41d1a044a67c15ddb99a7ea4746ded7",
    "author": {
      "name": "Philip Kozeny",
      "email": "philip.kozeny@mydomain.com",
      "username": "philip.kozeny"
    },
    "committer": {
      "name": "Philip Kozeny",
      "email": "philip.kozeny@mydomain.com",
      "username": "philip.kozeny"
    },
    "verification": null,
    "timestamp": "2023-12-19T10:32:26Z",
    "added": [],
    "removed": [],
    "modified": [
      ".woodpecker.yml"
    ]
  },
...
  "pusher": {
    "id": 1,
    "login": "philip.kozeny",
    "login_name": "",
    "full_name": "Philip Kozeny",
    "email": "philip.kozeny@anotherdomain.com",
    ...
  },
  "sender": {
    "id": 1,
    "login": "philip.kozeny",
    "login_name": "",
    "full_name": "Philip Kozeny",
    "email": "philip.kozeny@anotherdomain.com",
    ...
    "username": "philip.kozeny"
  }
}

As you can see in "pusher" the email is suddenly refilled with another domain. Here is also the issue I have created on Woodpeckers side: https://github.com/woodpecker-ci/woodpecker/issues/2971

Gitea Version

1.21.2

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Self hosted binary with systemd on an arch linux machine

Database

SQLite

wxiaoguang commented 9 months ago

IIRC:

philipkozeny commented 9 months ago

IIRC:

  • commiter email: the email in your git commit
  • pusher email: the user email of the Gitea user

The @anotherdomain.com emails appears nowhere though, when I go to my profile -> account -> manage email addresses I only see mydomain.com

wxiaoguang commented 9 months ago

What is "anotherdomain". Maybe you have set to "hide email", or some code hides the email intentionally? then you see a fake email address?

For example, this one? Fix API leaking Usermail if not logged in #25097

philipkozeny commented 9 months ago

What is "anotherdomain". Maybe you have set to "hide email", or some code hides the email intentionally? then you see a fake email address?

For example, this one? Fix API leaking Usermail if not logged in #25097

let's say mydomain.com -> gmail.com and anotherdomain.com would be "mail.gmail.com"

When I run a request for my user via the API /api/v1/user I get the correct mail address. Also via /api/user/emails I get the one correct mail address. The anotherdomain.com is setup in the app.ini in [service] as NO_REPLY_ADDRESS. Hide Email address is deactivated in the settings though. Do I miss something else? 

[service]
...
DEFAULT_KEEP_EMAIL_PRIVATE = false
NO_REPLY_ADDRESS = anotherdomain.com

My user has keep_email_private set to 0 in the users table.

As soon as I remove NO_REPLY_ADDRESS from the settings, my mail gets changed to philip.kozeny@noreply.mygiteadomain.com

wxiaoguang commented 9 months ago

So the pusher email you saw is a fake email. According to "Show real mail in Webhooks #27943", that behavior seems to be still related to "Fix API leaking Usermail if not logged in #25097". So it might be a regression.

philipkozeny commented 9 months ago

So the pusher email you saw is a fake email. According to "Show real mail in Webhooks #27943", that behavior seems to be still related to "Fix API leaking Usermail if not logged in #25097". So it might be a regression.

Thanks for the info! My workaround for now is to set NO_REPLY_ADDRESS to a valid domain.