jenkinsci · myoung34 · Jan 23, 2017 · Jan 25, 2017 · Jan 26, 2017
@@ -534,7 +534,7 @@ private void doRetrieve(SCMSourceCriteria criteria, SCMHeadObserver observer, Ta
                if (includes != null && !wantBranches && !wantPRNumbers.contains(number)) {
                    continue;
                }
-                boolean fork = !repo.getOwner().equals(ghPullRequest.getHead().getUser());
+                boolean fork = !repo.getOwner().getName().equalsIgnoreCase(ghPullRequest.getRepository().getOwnerName());
                if (wantPRs) {
                    listener.getLogger().format("%n    Checking pull request %s%n",
                            HyperlinkNote.encodeTo(ghPullRequest.getHtmlUrl().toString(), "#" + number));
@@ -556,8 +556,9 @@ private void doRetrieve(SCMSourceCriteria criteria, SCMHeadObserver observer, Ta
                    }
                    continue;
                }
-                boolean trusted = collaboratorNames != null
-                        && collaboratorNames.contains(ghPullRequest.getHead().getRepository().getOwnerName());
+                boolean trusted = fork ? (collaboratorNames != null
+                        && collaboratorNames.contains(ghPullRequest.getHead().getRepository().getOwnerName()))
+                        : true;
                if (!trusted) {
                    listener.getLogger().format("    (not from a trusted source)%n");
                }
@@ -968,7 +969,9 @@ public SCMRevision getTrustedRevision(SCMRevision revision, TaskListener listene
        if (revision instanceof PullRequestSCMRevision) {
            /*
             * Evaluates whether this pull request is coming from a trusted source.
-             * Quickest is to check whether the author of the PR
+             * Quickest is to check whether the author of the PR is requesting from a fork.
+             * If it's not a fork, we can trust it as it means the user has permission to the
+             * repository as a whole. If not we can check if the author
             * <a href="https://developer.github.com/v3/repos/collaborators/#check-if-a-user-is-a-collaborator">is a
             * collaborator of the repository</a>.
             * By checking <a href="https://developer.github.com/v3/repos/collaborators/#list-collaborators">all
@@ -978,8 +981,13 @@ public SCMRevision getTrustedRevision(SCMRevision revision, TaskListener listene
             * TODO since the GitHub API wrapper currently supports neither, we list all collaborator names and check
             * for membership, paying the performance penalty without the benefit of the accuracy.
             */
+            PullRequestSCMHead head = (PullRequestSCMHead) revision.getHead();
+
+            boolean fork = !(head.getSourceOwner().equalsIgnoreCase(head.getTargetOwner()));

-            if (collaboratorNames == null) {
+            if (!fork) {
+                return revision;
+            } else {
                listener.getLogger().format("Connecting to %s to obtain list of collaborators for %s/%s%n",
                        apiUri == null ? GITHUB_URL : apiUri, repoOwner, repository);
                StandardCredentials credentials = Connector.lookupScanCredentials(getOwner(), apiUri, scanCredentialsId);
@@ -1032,7 +1040,6 @@ public SCMRevision getTrustedRevision(SCMRevision revision, TaskListener listene
                    }
                }
            }
-            PullRequestSCMHead head = (PullRequestSCMHead) revision.getHead();
            if (!collaboratorNames.contains(head.getSourceOwner())) {
                PullRequestSCMRevision rev = (PullRequestSCMRevision) revision;
                listener.getLogger().format("Loading trusted files from base branch %s at %s rather than %s%n",

@@ -49,6 +49,7 @@ public final class PullRequestSCMHead extends SCMHead implements ChangeRequestSC
    private final String sourceOwner;
    private final String sourceRepo;
    private final String sourceBranch;
+    private final String targetOwner;
    /**
     * Only populated if de-serializing instances.
     */
@@ -60,19 +61,21 @@ public final class PullRequestSCMHead extends SCMHead implements ChangeRequestSC
        this.merge = merge;
        this.number = pr.getNumber();
        this.target = new BranchSCMHead(pr.getBase().getRef());
+        this.targetOwner = pr.getBase().getRepository().getOwnerName();
        // the source stuff is immutable for a pull request on github, so safe to store here
        this.sourceOwner = pr.getHead().getRepository().getOwnerName();
        this.sourceRepo = pr.getHead().getRepository().getName();
        this.sourceBranch = pr.getHead().getRef();
    }

    PullRequestSCMHead(@NonNull String name, boolean merge, int number,
-                       BranchSCMHead target, String sourceOwner, String sourceRepo, String sourceBranch) {
+                       BranchSCMHead target, String sourceOwner, String targetOwner, String sourceRepo, String sourceBranch) {
        super(name);
        this.merge = merge;
        this.number = number;
        this.target = target;
        this.sourceOwner = sourceOwner;
+        this.targetOwner = targetOwner;
        this.sourceRepo = sourceRepo;
        this.sourceBranch = sourceBranch;
    }
@@ -108,9 +111,11 @@ private Object readResolve() {
                    new BranchSCMHead(metadata.getBaseRef()),
                    metadata.getUserLogin(),
                    null,
+                    null,
                    null
            );
        }
+
        return this;
    }

@@ -139,6 +144,10 @@ public SCMHead getTarget() {
        return target;
    }

+    public String getTargetOwner() {
+        return targetOwner;
+    }
+
    public String getSourceOwner() {
        return sourceOwner;
    }