Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prow web UI exposes private repositories #201

Open
ivanvc opened this issue Jun 28, 2024 · 7 comments
Open

Prow web UI exposes private repositories #201

ivanvc opened this issue Jun 28, 2024 · 7 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/testing Categorizes an issue or PR as relevant to SIG Testing.

Comments

@ivanvc
Copy link

ivanvc commented Jun 28, 2024

The plugin catalog and the command help pages expose private repositories in the repository dropdown. For example, both show the repository etcd-io/etcd-GHSA-j8g6-82f3-cvhp, which is private.

I tried tracing the issue, and it seems to come from (client) GetRepos(...), as it gets all the repositories accessible to the user/organization without filtering (however, I may be wrong that this is the root cause):

prow/pkg/github/client.go

Lines 2529 to 2560 in 79d27b6

func (c *client) GetRepos(org string, isUser bool) ([]Repo, error) {
durationLogger := c.log("GetRepos", org, isUser)
defer durationLogger()
var (
repos []Repo
nextURL string
)
if c.fake {
return repos, nil
}
if isUser {
nextURL = fmt.Sprintf("/users/%s/repos", org)
} else {
nextURL = fmt.Sprintf("/orgs/%s/repos", org)
}
err := c.readPaginatedResults(
nextURL, // path
acceptNone, // accept
org,
func() interface{} { // newObj
return &[]Repo{}
},
func(obj interface{}) { // accumulate
repos = append(repos, *(obj.(*[]Repo))...)
},
)
if err != nil {
return nil, err
}
return repos, nil
}

@smg247
Copy link
Contributor

smg247 commented Jul 19, 2024

This is obviously not expected behavior, but this doesn't seem harmful to me. You can see the repositories in the dropdown, but there is no data there when selected. Essentially, we are leaking names of private repositories. Is there a reason you can think of where this is a serious issue?

@BenTheElder
Copy link
Member

FWIW, if this is considered a problem, I'd highly recommend using a distinct instance.

prow.k8s.io used to have private repositories for some sensitive embargoed security-patch related work, but that's not the approach now, and the Kubernetes project is primarily focused on open repos.

It's super likely that there will be other gaps and I would encourage using an isolated deployment for anything so sensitive that the names of the repos are considered an info leak.

@ivanvc
Copy link
Author

ivanvc commented Jul 25, 2024

I don't have a local Prow deployment. However, I noticed this information leak while checking Prow's Web UI. I don't know if other Kubernetes organizations make use of private repositories. I noticed etcd's because I'm a contributor.

Feel free to close if you feel this is irrelevant or the risk is minor :)

@BenTheElder
Copy link
Member

We should probably consider this a bug anyhow, I just didn't want anyone getting the wrong idea about how secure this is.

That includes etcd, we should discuss privately in slack with the other K8s Infra / Testing leads about the requirements for etcd and private repos.

@BenTheElder
Copy link
Member

/kind bug
/sig testing

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jul 25, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 23, 2024
@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/testing Categorizes an issue or PR as relevant to SIG Testing.
Projects
None yet
Development

No branches or pull requests

5 participants