Anyone can Access Deleted and Private Repository Data on GitHub

Posted: Fri Jul 26, 2024 5:52 am
by Fred Rimbert
On GitHub, it is possible to access data from deleted repositories, deleted forks, and even private repositories. This vulnerability, known as Cross Fork Object Reference (CFOR), is intentionally crafted by GitHub and represents a major attack vector for organizations using this platform.

Sources: Truffle Security - GitHub (1, 2)

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Posted: Sun Jul 28, 2024 4:26 pm
by Kailey
Interesting write-up from them. I wonder why this isn't getting more attention.

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Posted: Mon Jul 29, 2024 3:10 pm
by danieltj
The video on that page does a good job explaining it, however I myself don't understand what attack vector this opens up. You create a fork of a repo and commit something to it, then delete it. What real world scenario does this create a security issue for?

The article focuses on API keys being embedded in code which is simple enough to fight against: just don't do it... 😂

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Posted: Mon Jul 29, 2024 3:40 pm
by bonelifer
danieltj wrote: Mon Jul 29, 2024 3:10 pm
The video on that page does a good job explaining it, however I myself don't understand what attack vector this opens up. You create a fork of a repo and commit something to it, then delete it. What real world scenario does this create a security issue for?

The article focuses on API keys being embedded in code which is simple enough to fight against: just don't do it... 😂

Let's say author danieltj creates an extension abc. It's free for everyone. Let's say user zero asks for feature xyz. danieltj creates a private repo fork called abcpro. This version is paid and is in a private repo. The paper above is suggesting that there is a way to get abcpro, without danieltj giving the code to a paid user, despite it being in a private repo. Not only that, but if danieltj were to delete the private repo, it isn't ever really deleted. You can see this in your personal/organization settings, under I think the development settings. There's a page for deleted repos, nowhere to permanently delete them.
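As an added example (not code from the thread, from Truffle Security or from GitHub), here is a small Python script a repository owner can run to check whether commits they once pushed to a now-deleted fork are still served through the upstream repository's REST API. If a commit is still reachable, deleting the fork did not remove it, and any credential it contained must be rotated. The upstream `exampleorg/abc` and the commit SHAs are constructed placeholders; the `fetch` parameter is a hypothetical injection point so the check can be unit-tested offline, and the `GITHUB_TOKEN` environment variable is an assumption for authenticated (higher rate limit) requests.

```python
"""Audit whether commits from a deleted fork remain reachable upstream.

Usage: python fork_audit.py OWNER REPO SHA [SHA ...]
Constructed example values are used in the tests; nothing here is
project-specific.
"""
import os
import sys
import urllib.error
import urllib.request

GITHUB_API = "https://api.github.com"
_HEX = set("0123456789abcdef")


def _http_status(url, token=None):
    """Real fetcher: return the HTTP status of a GET on `url`.

    A 404 is returned as a status code rather than raised, so callers can
    treat it as "commit not served by this repository".
    """
    req = urllib.request.Request(
        url,
        headers={
            "Accept": "application/vnd.github+json",
            "User-Agent": "deleted-fork-audit-example",
        },
    )
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def commit_reachable(owner, repo, sha, fetch=_http_status, token=None):
    """True if GET /repos/{owner}/{repo}/commits/{sha} answers 200.

    `fetch` is a hypothetical injection point (assumption, not a GitHub
    API feature) so the logic can be exercised without network access.
    """
    sha = sha.lower()
    if len(sha) != 40 or any(c not in _HEX for c in sha):
        raise ValueError("expected a full 40-character hex commit SHA: %r" % sha)
    url = "%s/repos/%s/%s/commits/%s" % (GITHUB_API, owner, repo, sha)
    return fetch(url, token) == 200


def audit_deleted_fork(owner, repo, shas, fetch=_http_status, token=None):
    """Map each SHA to whether the upstream repository still serves it."""
    return {sha: commit_reachable(owner, repo, sha, fetch, token) for sha in shas}


def needs_rotation(audit):
    """SHAs whose contents are still retrievable; secrets in them must be rotated."""
    return sorted(sha for sha, reachable in audit.items() if reachable)


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(__doc__)
        sys.exit(2)
    owner, repo, shas = sys.argv[1], sys.argv[2], sys.argv[3:]
    result = audit_deleted_fork(owner, repo, shas, token=os.environ.get("GITHUB_TOKEN"))
    for sha, reachable in result.items():
        print("%s  %s" % (sha, "STILL REACHABLE" if reachable else "not served"))
    if needs_rotation(result):
        print("Rotate every credential committed in the reachable SHAs; deletion did not remove them.")
```

The design point is the one bonelifer makes: deleting a fork is not a security control, so the audit reports reachability and the remediation is rotation, not further deletion. Checking only the SHAs you yourself pushed keeps the script a self-assessment rather than a search tool.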

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Posted: Wed Jul 31, 2024 2:05 pm
by danieltj
Ohhh okay that explains it much better than the article does.

That is a problem, but I guess that must obviously be a design choice of git. I suppose one way to combat this is to either prevent forks of public repos from going private or to display some kind of massive warning message to at least let people know?

Re: Anyone can Access Deleted and Private Repository Data on GitHub

Posted: Wed Jul 31, 2024 4:40 pm
by bonelifer
That's the only way FORKS can work. Forks aren't part of GIT. This isn't a bug. It's the only way forks can work. Linus wasn't thinking about this sort of thing. If you wanted to upstream your code in his design, submit a patch file manually.