
Add site.github.private_repositories field

Open Crunch09 opened this issue 9 years ago • 2 comments

This creates a GET request to /user/repos with type set to private.

For the webmock in api_get_accessible_private_repos.json I used the same JSON as api_get_owner_repos.json, only with the private attributes set to true.

fixes #23

Crunch09 avatar May 13 '16 22:05 Crunch09

There's a security concern here, although I'm not sure how likely or how large.

GitHub Pages sites are built with the pusher's OAuth token. Adding this endpoint could create an existence disclosure vulnerability, in which the name of and metadata regarding private repos are published inadvertently. It'd require the repo collaborator to trigger a build (e.g., on merge), but there might be cases, e.g., branch builds, where that's not true. Not saying no, just saying we need to think through and document the implications.

Put another way, what's the use case for wanting to disclose the existence of private repos programmatically?

benbalter avatar May 13 '16 22:05 benbalter
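To make the disclosure risk concrete from the maintainer's side, here is an added illustration (not code from the github-metadata gem or from either participant): it takes a constructed `/user/repos`-style response, withholds every repository marked `private` from the data a template would see, records how many were withheld, and scans rendered HTML for any private `full_name` that slipped through. The field list, function names and sample data are assumptions made for the example.

```ruby
require "json"

# Constructed sample in the shape of a GET /user/repos response (subset of fields);
# not taken from the project's webmock fixtures.
SAMPLE_REPOS_JSON = <<~JSON
  [
    {"name": "public-site", "full_name": "example-user/public-site",
     "private": false, "html_url": "https://github.com/example-user/public-site"},
    {"name": "secret-project", "full_name": "example-user/secret-project",
     "private": true, "html_url": "https://github.com/example-user/secret-project"},
    {"name": "internal-notes", "full_name": "example-user/internal-notes",
     "private": true, "html_url": "https://github.com/example-user/internal-notes"}
  ]
JSON

# Fields judged safe to expose to site templates (assumed allow-list). Anything else,
# e.g. description or clone URLs, is dropped so a template cannot leak it by accident.
PUBLIC_FIELDS = %w[name full_name html_url].freeze

# Repositories that may appear in rendered output: non-private ones, reduced to PUBLIC_FIELDS.
def public_repos(repos)
  repos.reject { |r| r["private"] }
       .map { |r| r.select { |k, _| PUBLIC_FIELDS.include?(k) } }
end

# Names of private repositories present in the API data; these must never reach a template.
def private_repo_names(repos)
  repos.select { |r| r["private"] }.map { |r| r["full_name"] }
end

# Build the metadata hash a template would receive, withholding private repositories
# and emitting a build-time warning so the withheld count is visible in the build log.
def safe_site_metadata(json)
  repos = JSON.parse(json)
  withheld = private_repo_names(repos)
  warn "github-metadata: #{withheld.size} private repo(s) withheld from site metadata" unless withheld.empty?
  {
    "public_repositories" => public_repos(repos),
    "private_repositories_withheld" => withheld.size
  }
end

# Post-build check: return every private full_name that appears in the rendered HTML.
# An empty array means no existence disclosure was detected for the given names.
def existence_leaks(rendered_html, private_names)
  private_names.select { |name| rendered_html.include?(name) }
end

if __FILE__ == $PROGRAM_NAME
  data = safe_site_metadata(SAMPLE_REPOS_JSON)
  puts JSON.pretty_generate(data)
  # Constructed rendered page that accidentally links a private repo.
  html = '<a href="https://github.com/example-user/secret-project">notes</a>'
  puts "leaks: #{existence_leaks(html, private_repo_names(JSON.parse(SAMPLE_REPOS_JSON))).inspect}"
end
```

The allow-list plus the post-build scan cover the two places the concern applies: the data handed to Liquid, and the HTML actually published.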

Hi @benbalter,

thanks for your quick feedback! You're right, there could be a security issue if an attacker is able to access the result of private_repositories or at least the API call. The use case was #23 but maybe I didn't understand the feature request correctly.

Crunch09 avatar May 13 '16 22:05 Crunch09