
New audit: repojacking #479

Open
woodruffw opened this issue Jan 19, 2025 · 3 comments
Labels: enhancement (New feature or request), good first issue (Good for newcomers), help wanted (Extra attention is needed), new-audit (New audits)

Comments

@woodruffw (Owner)

We should flag uses: foo/bar if foo is not a valid GitHub user/org/etc. In some cases (if foo/bar was not already a sufficiently popular repository), an attacker can create the foo user and bar repository.

GitHub now has stronger repository "retirement" protections, so this is not always exploitable.

woodruffw added the new-audit label on Jan 19, 2025
woodruffw added the enhancement, help wanted and good first issue labels on Jan 19, 2025
@thebigbone
So basically check if that username or org exists by maybe querying GitHub's API? I can add it.

@woodruffw (Owner, Author)

Yep, exactly. Querying the API will be a requirement, but that's not a problem since we already have online-only audits 🙂

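A sketch of the check this thread converges on, added here as an example and not code from zizmor or its contributors: extract the owner namespace from each remote uses: reference and ask GitHub's REST API whether that user or org still exists. The regexes, the github_owner_exists lookup, and the sample steps are all my own constructions.

```python
import re
import urllib.error
import urllib.request

# Line-based scan for `uses:` so no YAML library is needed (zizmor walks the parsed workflow instead).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# owner/repo[/path][@ref]; the owner part follows GitHub's username rules (alphanumerics and '-').
REMOTE_RE = re.compile(r"^([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)/[^/@\s]+(?:/[^@\s]*)?(?:@.+)?$")

def find_remote_uses(workflow_text):
    """Return (owner, raw_ref) per remote `uses:`; `./` and `docker://` refs have no GitHub namespace."""
    found = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")) and (r := REMOTE_RE.match(m.group(1))):
            found.append((r.group(1), m.group(1)))
    return found

def github_owner_exists(owner):
    """Live check: GitHub's REST API answers 404 for an unknown user or org (send a token in real use)."""
    req = urllib.request.Request(f"https://api.github.com/users/{owner}",
                                 headers={"User-Agent": "repojacking-audit-example"})
    try:
        with urllib.request.urlopen(req, timeout=10):
            return True
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise  # rate limit or outage: fail loudly rather than report a false negative

def audit_repojacking(workflow_text, owner_exists=github_owner_exists):
    """Return (owner, raw_ref) for each `uses:` whose owner is gone; owners are case-insensitive."""
    cache, findings = {}, []  # one lookup per distinct owner
    for owner, raw in find_remote_uses(workflow_text):
        if (key := owner.lower()) not in cache:
            cache[key] = owner_exists(owner)
        if not cache[key]:
            findings.append((owner, raw))
    return findings

# Constructed workflow fragment; `gone-org` is a placeholder, not a real account.
SAMPLE_STEPS = """\
- uses: actions/checkout@v4
- uses: ./.github/actions/local
- uses: docker://alpine:3.19
- uses: gone-org/some-action@v1
- uses: Gone-Org/other-action/sub@main
"""
if __name__ == "__main__":  # offline stand-in for the API: only `actions` exists in this table
    print(audit_repojacking(SAMPLE_STEPS, lambda o: o.lower() == "actions"))
```

A missing owner is a signal rather than proof of exploitability: as noted above, GitHub's repository retirement protections can block re-registration of a once-popular namespace, so a finding still needs a human look.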