Issue 191: hints may lead reviews to be misassigned
Status:  Released
Owner:
Closed:  Oct 2012
Reported by code-rev...@gtempaccount.com, Sep 24, 2009
Reported by Andrew D. Stadler (Google) <stadler@android.com> on Tue May 26 08:32:23 PDT 2009
Source: JIRA GERRIT-191

I have a change that I'd like to ask Bob Lee to review.

However, when I type "bob lee" or "crazybob" into gerrit all I get is a non-
google, non-android address "Bob Lee <crazybob@crazybob.org>".

I know Bob so it's a reasonable guess that this is really him.  But what if
it's not?  I don't want to be sending random CL's to random people, or even
worse what if somebody signed up a bunch of fake "almost" addresses to try and
divert legitimate code reviews.

I know this probably isn't super serious but it smells fishy, like there's an
exploit in there.  At best, it's annoying not to get hints for the people
we're actually looking for.
Sep 24, 2009
#1 code-rev...@gtempaccount.com
Comment by Shawn Pearce <sop@google.com> on Tue May 26 09:13:47 PDT 2009

The issue here is, Bob has set his preferred email to be
<crazybob@crazybob.org>, as in, that is the address he wants Gerrit to show to
the world.  When you start typing in his name, its going to offer only the
public visible information that Bob has asked Gerrit to show to others.

If you know Bob's @google.com address, you could type that in instead.  Gerrit
will still offer "Bob Lee <crazybob@crazybob.org>" as the completion however,
because Gerrit has matched the @google.com to Bob's account, and then is
presenting the preferred public email, rather than the one you punched in.

You can trust a full email entered, when picking a completion option.  Emails
have to be validated, typically by a registration confirmation link being sent
to the address, and needing to be completed back to the user account in
Gerrit.  If you get exactly one completion for a full email, you can be pretty
certain that is the person, even if the preferred email is a different address.
I can see how in such cases, showing the email you entered is perhaps better
than showing the preferred email.  But Gerrit does email completion by prefix,
so early on, when all we have is the local part, we can't offer non-preferred
addresses as completion options, because we don't know if you know the
person's non-preferred addresses.

In the case of an internal server, where access is already restricted to the
corporate network, and login is controlled by the corporate SSO system, you
can be reasonably certain that X is X, because there is little chance of a
pseudo-X being able to gain access to the system and create a fake account.

In the case of a more public server, where access is open to everyone, yes,
you need to be a bit more careful about picking addresses.  In these cases,
unless I know the person's preferred email address by memory, I enter a full
email I do know for them, so there isn't any ambiguity in which account I get
completed to.

------

I think in the end, this boils down to a feature request that during
completion, if you entered a full email address, and that full address isn't
the user's preferred address, that we should show the address you entered in
the completion list, rather than the preferred address.

Maybe you could also ask crazybob to make his preferred email address on the
internal server his @google.com address, reducing the chance of confusion.
Sep 24, 2009
#2 code-rev...@gtempaccount.com
Update by Shawn Pearce <sop@google.com> on Tue May 26 09:14:10 PDT 2009

Change description to:
----
I have a change that I'd like to ask Bob Lee to review.

However, when I type "bob lee" or "crazybob" into gerrit all I get is a non-
google, non-android address "Bob Lee <crazybob@crazybob.org>".

I know Bob so it's a reasonable guess that this is really him.  But what if
it's not?  I don't want to be sending random CL's to random people, or even
worse what if somebody signed up a bunch of fake "almost" addresses to try and
divert legitimate code reviews.

I know this probably isn't super serious but it smells fishy, like there's an
exploit in there.  At best, it's annoying not to get hints for the people
we're actually looking for.
----
Sep 24, 2009
#3 code-rev...@gtempaccount.com
Comment by Shawn Pearce <sop@google.com> on Mon Jun 08 18:24:11 PDT 2009

Fixed by https://review.source.android.com/10309

But... in the case of the one user account you mentioned (crazybob), he has no
@google.com address registered with Gerrit.  So you'll never get an
@google.com address completion.  If he has an @google.com, try to encourage
him to link his GAIA account to the existing account in Gerrit, so you can use
it to add him as a reviewer.
Sep 24, 2009
#4 code-rev...@gtempaccount.com
Update by Shawn Pearce <sop@google.com> on Mon Jun 08 18:24:11 PDT 2009

Fixed in version 2.0.14.
Status: Fixed
Sep 25, 2009
#5 code-rev...@gtempaccount.com
(No comment was entered for this change.)
Labels: FixedIn-2.0.14
Oct 25, 2012
#6 sop@google.com
(No comment was entered for this change.)
Status: Released