Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prow web UI exposes private repositories #201

Open
ivanvc opened this issue Jun 28, 2024 · 5 comments
Open

Prow web UI exposes private repositories #201

ivanvc opened this issue Jun 28, 2024 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/testing Categorizes an issue or PR as relevant to SIG Testing.

Comments

@ivanvc
Copy link

ivanvc commented Jun 28, 2024

The plugin catalog and the command help pages expose private repositories in the repository dropdown. For example, both show the repository etcd-io/etcd-GHSA-j8g6-82f3-cvhp, which is private.

I tried tracing the issue, and it seems to come from (client) GetRepos(...), as it gets all the repositories accessible to the user/organization without filtering (however, I may be wrong that this is the root cause):

prow/pkg/github/client.go

Lines 2529 to 2560 in 79d27b6

func (c *client) GetRepos(org string, isUser bool) ([]Repo, error) {
durationLogger := c.log("GetRepos", org, isUser)
defer durationLogger()
var (
repos []Repo
nextURL string
)
if c.fake {
return repos, nil
}
if isUser {
nextURL = fmt.Sprintf("/users/%s/repos", org)
} else {
nextURL = fmt.Sprintf("/orgs/%s/repos", org)
}
err := c.readPaginatedResults(
nextURL, // path
acceptNone, // accept
org,
func() interface{} { // newObj
return &[]Repo{}
},
func(obj interface{}) { // accumulate
repos = append(repos, *(obj.(*[]Repo))...)
},
)
if err != nil {
return nil, err
}
return repos, nil
}

@smg247
Copy link
Contributor

smg247 commented Jul 19, 2024

This is obviously not expected behavior, but this doesn't seem harmful to me. You can see the repositories in the dropdown, but there is no data there when selected. Essentially, we are leaking names of private repositories. Is there a reason you can think of where this is a serious issue?

@BenTheElder
Copy link
Member

FWIW, if this is considered a problem, I'd highly recommend using a distinct instance.

prow.k8s.io used to have private repositories for some sensitive embargoed security-patch related work, but that's not the approach now, and the Kubernetes project is primarily focused on open repos.

It's super likely that there will be other gaps and I would encourage using an isolated deployment for anything so sensitive that the names of the repos are considered an info leak.

@ivanvc
Copy link
Author

ivanvc commented Jul 25, 2024

I don't have a local Prow deployment. However, I noticed this information leak while checking Prow's Web UI. I don't know if other Kubernetes organizations make use of private repositories. I noticed etcd's because I'm a contributor.

Feel free to close if you feel this is irrelevant or the risk is minor :)

@BenTheElder
Copy link
Member

We should probably consider this a bug anyhow, I just didn't want anyone getting the wrong idea about how secure this is.

That includes etcd, we should discuss privately in slack with the other K8s Infra / Testing leads about the requirements for etcd and private repos.

@BenTheElder
Copy link
Member

/kind bug
/sig testing

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Jul 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/testing Categorizes an issue or PR as relevant to SIG Testing.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ivanvc @BenTheElder @smg247 @k8s-ci-robot