Anyone can Access Deleted and Private Repository Data on GitHub

Fred Rimbert
New member
Posts: 16
Joined: Wed Jul 17, 2024 6:36 pm
Location: Le Lude, Pays de la Loire - France

Anyone can Access Deleted and Private Repository Data on GitHub

Post by Fred Rimbert »

On GitHub, it is possible to access data from deleted repositories, deleted forks, and even private repositories. This vulnerability, known as Cross Fork Object Reference (CFOR), is intentionally crafted by GitHub and represents a major attack vector for organizations using this platform.

Sources: Truffle Security - GitHub (1, 2)
Kailey
Administrator
Posts: 32
Joined: Sat May 18, 2024 4:11 am
Name: Kailey Snay

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Post by Kailey »

Interesting write up from them. I wonder why this isn't getting more attention.
danieltj
Customisations
Posts: 45
Joined: Thu May 23, 2024 3:40 pm
Name: Daniel James

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Post by danieltj »

The video on that page does a good job explaining it; however, I myself don't understand what attack vector this opens up. You create a fork of a repo and commit something to it, then delete it. What real-world scenario does this create a security issue for?

The article focuses on API keys being embedded in code which is simple enough to fight against: just don't do it... 😂
bonelifer
Administrator
Posts: 106
Joined: Sat May 18, 2024 4:13 am
Name: William
GitHub: https://github.com/bonelifer

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Post by bonelifer »

danieltj wrote: Mon Jul 29, 2024 3:10 pm
The video on that page does a good job explaining it; however, I myself don't understand what attack vector this opens up. You create a fork of a repo and commit something to it, then delete it. What real-world scenario does this create a security issue for?

The article focuses on API keys being embedded in code which is simple enough to fight against: just don't do it... 😂

Let's say author danieltj creates an extension, abc. It's free for everyone. Let's say user zero asks for feature xyz. danieltj creates a private repo fork called abcpro. This version is paid and is in a private repo. The paper above is suggesting that there is a way to get abcpro without danieltj giving the code to a paid user, despite it being in a private repo. Not only that, but if danieltj were to delete the private repo, it isn't ever really deleted. You can see this in your personal/organization settings, under (I think) the development settings. There's a page for deleted repos, with nowhere to permanently delete them.
danieltj
Customisations
Posts: 45
Joined: Thu May 23, 2024 3:40 pm
Name: Daniel James

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Post by danieltj »

Ohhh okay that explains it much better than the article does.

That is a problem, but I guess that must obviously be a design choice of git. I suppose one way to combat this is to either prevent forks of public repos from going private or to display some kind of massive warning message to at least let people know?
bonelifer
Administrator
Posts: 106
Joined: Sat May 18, 2024 4:13 am
Name: William
GitHub: https://github.com/bonelifer

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Post by bonelifer »

That's the only way FORKS can work. Forks aren't part of GIT. This isn't a bug. It's the only way forks can work. Linus wasn't thinking about this sort of thing. If you wanted to upstream your code in his design, submit a patch file manually.
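A local simulation of the mechanism bonelifer describes in the abc/abcpro post and in the "only way forks can work" post above, added here as an example; it is not code from the thread, from GitHub, or from Truffle Security. It models a repository network as an upstream bare repo plus a fork whose objects directory is a symlink to the upstream's objects directory. That symlink is this example's assumption about shared storage and not GitHub's implementation; the repo names abc and abcpro, the committer identity and the LICENSE_KEY value are constructed. It shows that once the private fork is deleted, no ref in the upstream reaches the fork's commit, yet the upstream still serves that commit, and the file in it, to anyone who presents the hash.

```shell
#!/bin/sh
# Local simulation of one "repository network": an upstream repo and a fork
# sharing a single object store. The shared store is modelled by making the
# fork's objects directory a symlink to the upstream's (this example's
# assumption, not GitHub's implementation). Added example, not code from the
# forum post, GitHub or Truffle Security. Requires git on PATH.
set -eu

# Constructed committer identity (not a real account).
GIT_ID="-c user.name=danieltj -c user.email=danieltj@example.invalid"

cfor_demo() (
    work=$(mktemp -d)

    # 1. Public upstream repo "abc" (bare, like a hosted repo) with one commit.
    git init -q --bare "$work/upstream.git" 2>/dev/null
    git -C "$work/upstream.git" symbolic-ref HEAD refs/heads/main
    git clone -q "$work/upstream.git" "$work/abc" 2>/dev/null
    echo '<?php // free extension abc' > "$work/abc/abc.php"
    git -C "$work/abc" add abc.php
    git -C "$work/abc" $GIT_ID commit -q -m "abc: public extension"
    git -C "$work/abc" push -q origin HEAD:refs/heads/main

    # 2. Private fork "abcpro" in the same network: its objects directory is
    #    the upstream's objects directory (the model of shared storage).
    git clone -q --bare "$work/upstream.git" "$work/fork.git"
    rm -rf "$work/fork.git/objects"
    ln -s "$work/upstream.git/objects" "$work/fork.git/objects"

    # 3. The paid-only feature, with a constructed license key, is committed
    #    and pushed to the private fork only. The upstream gets no ref to it.
    git clone -q "$work/fork.git" "$work/abcpro" 2>/dev/null
    echo 'LICENSE_KEY=abcpro-EXAMPLE-0000' > "$work/abcpro/abcpro.php"
    git -C "$work/abcpro" add abcpro.php
    git -C "$work/abcpro" $GIT_ID commit -q -m "abcpro: paid feature xyz"
    git -C "$work/abcpro" push -q origin HEAD:refs/heads/main
    sha=$(git -C "$work/abcpro" rev-parse HEAD)

    # 4. "Delete" the private fork and its working copy.
    rm -rf "$work/fork.git" "$work/abcpro"

    # 5. No ref in the upstream reaches the fork's commit ...
    refs=$(git -C "$work/upstream.git" rev-list --all | grep -c "$sha" || true)
    echo "refs_in_upstream_reaching_commit=$refs"
    # ... but anyone who presents the hash reads the file through the upstream.
    git -C "$work/upstream.git" cat-file -p "$sha:abcpro.php"

    rm -rf "$work"
)

cfor_demo
```

Run it with sh; it prints the number of upstream refs that reach the fork's commit (0) followed by the file content recovered by hash. In this simulation a `git -C upstream.git gc --prune=now` would finally drop the object, because nothing references it any more; on a hosted service the repository owner cannot run that against the shared store, which is why a key that has ever been pushed anywhere in a network has to be rotated rather than "deleted". Truffle's write-up also shows GitHub resolving short hash prefixes, so an attacker does not even need the full hash.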