Prow web UI exposes private repositories #201
Comments
This is obviously not expected behavior, but this doesn't seem harmful to me. You can see the repositories in the dropdown, but there is no data there when selected. Essentially, we are leaking names of private repositories. Is there a reason you can think of where this is a serious issue?
FWIW, if this is considered a problem, I'd highly recommend using a distinct instance. prow.k8s.io used to have private repositories for some sensitive embargoed security-patch related work, but that's not the approach now, and the Kubernetes project is primarily focused on open repos. It's super likely that there will be other gaps, and I would encourage using an isolated deployment for anything so sensitive that the names of the repos are considered an info leak.
I don't have a local Prow deployment. However, I noticed this information leak while checking Prow's Web UI. I don't know if other Kubernetes organizations make use of private repositories. I noticed etcd's because I'm a contributor. Feel free to close if you feel this is irrelevant or the risk is minor :)
We should probably consider this a bug anyhow; I just didn't want anyone getting the wrong idea about how secure this is. That includes etcd; we should discuss privately in Slack with the other K8s Infra / Testing leads about the requirements for etcd and private repos.
/kind bug
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The plugin catalog and the command help pages expose private repositories in the repository dropdown. For example, both show the repository etcd-io/etcd-GHSA-j8g6-82f3-cvhp, which is private.
I tried tracing the issue, and it seems to come from (client) GetRepos(...), as it gets all the repositories accessible to the user/organization without filtering (however, I may be wrong that this is the root cause):
prow/pkg/github/client.go, lines 2529 to 2560 in 79d27b6
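As an added example (not code from Prow or from this issue's author), a Go sketch of the visibility check the report says is missing: it decodes a constructed GitHub repository listing, keeps only repositories whose private flag is false for anything a public page renders, and offers a matching check that reports private names that did reach a page. The full_name and private fields are real GitHub REST API fields; the sample listing, repository names and function names are constructed for this example.

```go
package main

import "encoding/json"
// repo keeps the two GitHub REST repository fields an access decision needs.
type repo struct {
	FullName string `json:"full_name"`
	Private  bool   `json:"private"`
}

// sampleListing: constructed stand-in for a GET /orgs/{org}/repos response.
const sampleListing = `[
  {"full_name": "example-org/public-tool", "private": false},
  {"full_name": "example-org/another-public", "private": false},
  {"full_name": "example-org/embargoed-fix-PLACEHOLDER", "private": true}
]`

// splitByVisibility partitions a listing into public names and the private set.
func splitByVisibility(listing []byte) ([]string, map[string]bool, error) {
	var repos []repo
	if err := json.Unmarshal(listing, &repos); err != nil {
		return nil, nil, err
	}
	public, private := []string{}, map[string]bool{}
	for _, r := range repos {
		if r.Private {
			private[r.FullName] = true
		} else {
			public = append(public, r.FullName)
		}
	}
	return public, private, nil
}

// PublicRepoNames is what a dropdown on a public page may be fed.
func PublicRepoNames(listing []byte) ([]string, error) {
	public, _, err := splitByVisibility(listing)
	return public, err
}

// LeakedPrivateNames reports which rendered names the listing marks private.
func LeakedPrivateNames(rendered []string, listing []byte) ([]string, error) {
	_, private, err := splitByVisibility(listing) // nil map on error: no hits
	leaked := []string{}
	for _, name := range rendered {
		if private[name] {
			leaked = append(leaked, name)
		}
	}
	return leaked, err
}
```

Filtering on the private flag before the names reach the UI is the mitigation; LeakedPrivateNames is the kind of regression check a deployment could run against what its own pages render.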