Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent loading files from repos with incorrect names #426

Merged
merged 1 commit into from
Oct 28, 2024
Merged

Prevent loading files from repos with incorrect names #426

merged 1 commit into from
Oct 28, 2024

Conversation

ulrikandersen
Copy link
Contributor

@ulrikandersen ulrikandersen commented Oct 28, 2024
edited
Loading

Description

This change adds a safeguard against accidentally loading files from non-eligible repositories.

Motivation and Context

Framna Docs builds upon loading files from repositories with a specific naming convention ("-openapi" by default). Prior to this change, the GitHub client used would allow loading files from all the repos the user has access to, including ones that do not have the correct name.

Loading files from non-eligible repositories is not a problem per-se, but it is an unexpected behaviour as we are specifically loading data from repositories only with the correct suffix.

It could become an issue if someone gains access to a user's session, as this would allow the exploiter to access files in all repositories that the user has access to. Specifically via the endpoint /api/blob/[owner]/[repository]/[...path] which is otherwise only used for loading images. Example: /api/blob/my-org/secret-project/README.md.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

@ulrikandersen
Prevent loading files from repos with incorrect names
1807f18 
Framna Docs builds upon loading files from repositories with a specific naming convention ("-openapi" by default). Prior to this change, the GitHub client used would allow loading files from all the repos the user has access to, including ones that do not have the correct name.

This change adds a safeguard against accidentally loading files from non-eligible repositories.
@ulrikandersen ulrikandersen marked this pull request as ready for review October 28, 2024 13:09
simonbs
simonbs approved these changes Oct 28, 2024
View reviewed changes
Copy link
Contributor

@simonbs simonbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome! 🚀

@ulrikandersen ulrikandersen merged commit 59803bb into develop Oct 28, 2024
7 checks passed
@ulrikandersen ulrikandersen deleted the only-allow-accessing-repos-with-correct-suffix branch October 28, 2024 13:37
@ulrikandersen ulrikandersen mentioned this pull request Oct 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simonbs simonbs simonbs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ulrikandersen @simonbs