
Add site.github.private_repositories field #58

Open. Crunch09 wants to merge 1 commit into base: main
Conversation

Crunch09 (Member)

This creates a GET request to /user/repos with type set to private.

For the webmock in api_get_accessible_private_repos.json I used the same json as api_get_owner_repos.json only with the private attributes set to true.

fixes #23

This creates a GET request to /user/repos with type set to `private`.
See https://developer.github.com/v3/repos/#list-your-repositories for more
information.

fixes jekyll#23
@benbalter (Contributor)

There's a security concern here, although I'm not sure how likely or how large.

GitHub Pages sites are built with the pusher's OAuth token. Adding this endpoint could create an existence disclosure vulnerability, in which the name of and metadata regarding private repos are published inadvertently. It'd require the repo collaborator to trigger a build (e.g., on merge), but there might be cases, e.g., branch builds, where that's not true. Not saying no, just saying we need to think through and document the implications.

Put another way, what's the use case for wanting to disclose the existence of private repos programmatically?
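The concern above is that a list fetched with the pusher's token ends up rendered into the public site. As an added example (not jekyll-github-metadata's own code), here is a small build-time guard in Ruby: it strips private repositories from the list before it is exposed as site metadata, and a post-write check scans the generated `_site` output for any private repository name that slipped through. The repository list below is a constructed sample that only mirrors the `name`/`full_name`/`private` fields of GitHub's `/user/repos` response; the `check_site_output` hook and the file walk are assumptions, while `Jekyll::Hooks.register :site, :post_write` is a real Jekyll API.

```ruby
# Added example, not part of the jekyll-github-metadata project:
# keep private repository metadata out of a published Pages site.
require "json"

# Constructed sample modelled on the shape of GET /user/repos
# (only the fields this example uses).
SAMPLE_REPOS_JSON = <<~JSON
  [
    {"name": "public-site",    "full_name": "octocat/public-site",    "private": false},
    {"name": "secret-plans",   "full_name": "octocat/secret-plans",   "private": true},
    {"name": "internal-tools", "full_name": "octocat/internal-tools", "private": true}
  ]
JSON

def parse_repos(json)
  JSON.parse(json)
end

# Only repositories the API marks public are safe to expose under site.github.*
def public_repos(repos)
  repos.reject { |r| r["private"] == true }
end

# Return the private repo names (short and full) that occur in rendered output.
def leaked_private_repo_names(repos, rendered_output)
  repos.select { |r| r["private"] == true }
       .flat_map { |r| [r["name"], r["full_name"]] }
       .uniq
       .select { |name| rendered_output.include?(name) }
end

# Hypothetical post-write check: walk the generated site and fail the build
# if any private repository name was rendered into a published file.
def check_site_output(repos, site_dir)
  leaks = Dir.glob(File.join(site_dir, "**", "*.{html,json,xml,txt}")).flat_map do |path|
    leaked_private_repo_names(repos, File.read(path)).map { |name| [path, name] }
  end
  raise "private repository metadata leaked into #{site_dir}: #{leaks.inspect}" unless leaks.empty?
  true
end

# Wire the check into Jekyll when it is loaded; in a real plugin the repo
# list would come from the API response, not from the sample above.
if defined?(Jekyll)
  Jekyll::Hooks.register :site, :post_write do |site|
    check_site_output(parse_repos(SAMPLE_REPOS_JSON), site.dest)
  end
end
```

The filter addresses the default case (never hand private entries to Liquid at all); the post-write scan is the backstop for builds, such as branch builds, where the token's owner did not intend to publish anything about those repositories.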

@Crunch09 (Member, Author)

Hi @benbalter ,

thanks for your quick feedback! You're right, there could be a security issue if an attacker is able to access the result of private_repositories or at least the API call. The use case was #23 but maybe I didn't understand the feature request correctly.

Successfully merging this pull request may close these issues: possibility to use private repo's (#23)