On GitHub, it is possible to access data from deleted repositories, deleted forks, and even private repositories. This vulnerability, which Truffle Security calls Cross Fork Object Reference (CFOR), is by design on GitHub's part and represents a major attack vector for organizations using the platform.
Sources: Truffle Security - GitHub (1, 2)
Anyone can Access Deleted and Private Repository Data on GitHub
- Fred Rimbert
- New member
- Posts: 16
- Joined: Wed Jul 17, 2024 6:36 pm
- Location: Le Lude, Pays de la Loire - France
Re: Anyone can Access Deleted and Private Repository Data on GitHub
Interesting write up from them. I wonder why this isn't getting more attention.
Re: Anyone can Access Deleted and Private Repository Data on GitHub
The video on that page does a good job explaining it, however I myself don't understand what attack vector this opens up. You create a fork of a repo and commit something to it, then delete it. What real world scenario does this create a security issue for?
The article focuses on API keys being embedded in code which is simple enough to fight against: just don't do it...
- bonelifer
- Administrator
- Posts: 107
- Joined: Sat May 18, 2024 4:13 am
- Name: William
- GitHub: https://github.com/bonelifer
Re: Anyone can Access Deleted and Private Repository Data on GitHub
danieltj wrote: Mon Jul 29, 2024 3:10 pm
The video on that page does a good job explaining it, however I myself don't understand what attack vector this opens up. You create a fork of a repo and commit something to it, then delete it. What real world scenario does this create a security issue for?
The article focuses on API keys being embedded in code which is simple enough to fight against: just don't do it...

Let's say author danieltj creates an extension abc. It's free for everyone. Let's say user zero asks for feature xyz. danieltj creates a private repo fork called abcpro. This version is paid and is in a private repo. The paper above is suggesting that there is a way to get abcpro, without danieltj giving the code to a paid user, despite it being in a private repo. Not only that, but if danieltj were to delete the private repo, it isn't ever really deleted. You can see this in your personal/organization settings, under I think the development settings. There's a page for deleted repos, nowhere to permanently delete them.
phpBB Modders is looking for developers! If you have phpBB experience and want to join us, click here!
Re: Anyone can Access Deleted and Private Repository Data on GitHub
Ohhh okay that explains it much better than the article does.
That is a problem, but I guess that must obviously be a design choice of git. I suppose one way to combat this is to either prevent forks of public repos from going private or to display some kind of massive warning message to at least let people know?
- bonelifer
Re: Anyone can Access Deleted and Private Repository Data on GitHub
That's the only way FORKS can work. Forks aren't part of GIT. This isn't a bug. It's the only way forks can work. Linus wasn't thinking about this sort of thing. If you wanted to upstream your code in his design, submit a patch file manually.
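The mechanism bonelifer describes (forks of one repository share a single object store, so deleting a fork removes its refs but not its objects) can be reproduced locally. This is an added demonstration, not code from the article or from any poster in this thread; it assumes git is installed, and the upstream/fork layout, file names and the secret value are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo of a GitHub-style fork network: every fork writes into one
# shared object store, so a commit pushed to a private fork survives deletion
# of that fork and stays readable by hash through the public upstream.
set -eu

# Prints the secret file from the "deleted" fork, read back from upstream by
# commit hash alone. Expected output: API_KEY=constructed-secret-123
cfor_demo() {
    work=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

    # 1. The public upstream repository (bare, like the copy GitHub hosts).
    git init -q --bare "$work/upstream.git"
    git init -q "$work/author" && echo "public code" > "$work/author/README"
    git -C "$work/author" add README && git -C "$work/author" commit -qm "initial"
    git -C "$work/author" push -q "$work/upstream.git" HEAD:refs/heads/main
    git -C "$work/upstream.git" symbolic-ref HEAD refs/heads/main

    # 2. A private fork. We model the shared fork-network store by pointing the
    #    fork's objects directory at upstream's (GitHub does this server-side).
    git init -q --bare "$work/fork.git"
    rm -rf "$work/fork.git/objects"
    ln -s "$work/upstream.git/objects" "$work/fork.git/objects"

    # 3. The fork owner commits a secret and pushes it to the private fork only.
    git clone -q "$work/upstream.git" "$work/forkclone"
    echo "API_KEY=constructed-secret-123" > "$work/forkclone/.env"
    git -C "$work/forkclone" add .env && git -C "$work/forkclone" commit -qm "add key"
    secret_sha=$(git -C "$work/forkclone" rev-parse HEAD)
    git -C "$work/forkclone" push -q "$work/fork.git" HEAD:refs/heads/private

    # 4. The fork is deleted: its refs vanish, the shared objects do not.
    rm -rf "$work/fork.git" "$work/forkclone"

    # 5. Upstream never had a ref to this commit, yet it serves it by hash.
    #    This is why a key pushed to any fork must be rotated, not just deleted.
    git -C "$work/upstream.git" cat-file -p "$secret_sha:.env"
    rm -rf "$work"
}
```

Running `cfor_demo` prints the secret from a repository that no longer exists; the only remedy once a key has been pushed anywhere in a fork network is to revoke and rotate it.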