Access Data From Deleted Forks
Exposure of Data in Deleted GitHub Repositories
GitHub, one of the most widely used platforms for hosting source code, allows access to data from deleted and private repositories indefinitely. This behavior is known to GitHub and intentionally designed this way, and it represents a significant attack vector for organizations using the platform.
Cross Fork Object Reference Vulnerability (CFOR)
We present a new term: Cross Fork Object Reference (CFOR). A CFOR vulnerability occurs when a fork of a repository can access sensitive data from another fork, including data from private and deleted forks. Similar to an Insecure Direct Object Reference (IDOR), in CFOR users provide commit hashes to directly access commit data that would otherwise not be visible to them.
Let's look at some examples.
Access Data From Deleted Forks
Consider this common workflow on GitHub:
1. You fork a public repository.
2. You make commits to your fork.
3. You delete your fork.
Are those commits still accessible? The answer is yes. Even if you delete your fork, the data remains accessible indefinitely.
In a video, we demonstrate this by forking a repository, making commits, deleting the fork, and then accessing the "deleted" commit data through the original repository: the data remains accessible.
VIDEO: https://www.youtube.com/watch?v=eF-_mTvk7TQ
Access Data From Deleted Repositories
Another situation is:
1. You have a public repository on GitHub.
2. A user forks your repository.
3. You make commits after the user has forked (and they never synchronize their fork with your updates).
4. You delete the entire repository.
Are the commits made after the fork still accessible?
The answer, again, is yes. GitHub stores repositories and forks in a network of repositories, with the original "upstream" repository as the root node. When a public "upstream" repository that has been forked is "deleted," GitHub reassigns the root node role to one of the downstream forks. However, all commits from the "upstream" repository still exist and are accessible through any fork.
Access Data From Private Repositories
Consider this workflow for open source:
1. You create a private repository that will eventually become public.
2. You create a private internal version of that repository (via a fork) and make additional commits with features you won't make public.
3. You make your "upstream" repository public and keep your fork private.
Is the private data (from step 2) visible to the public?
Yes. Any commit made between the time you created the internal fork and the time you made the repository public is accessible in the public repository.
How to Access the Data
Destructive actions in GitHub's repository network (such as the scenarios mentioned) remove references to commit data from GitHub's standard UI and normal git operations. However, this data still exists and is accessible if you know the commit hash. Commit hashes are SHA-1 values.
If a user knows the SHA-1 hash of a particular commit they want to view, they can navigate directly to that commit using the URL:
https://github.com/<user/org>/<repo>/commit/<commit_hash>
They will see a yellow banner explaining that "this commit does not belong to any branch on this repository, and may belong to a fork outside the repository."
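The mechanism behind both the "network of repositories" explanation and the direct-by-hash access above is git's content-addressed object store: a commit id is the SHA-1 of the object's bytes, and branches are only pointers into that store. The following toy model is an added example, not code from the original article or from GitHub; it assumes a simplified network in which every fork shares one object store and owns only its refs (a deliberate simplification of GitHub's real implementation), and the API key it commits is a constructed placeholder. It shows why deleting a fork removes the commit from what the upstream's branches can reach while leaving it retrievable by hash, and, for contrast, what a plain `git gc` style prune would do if it ran across the network.

```python
from __future__ import annotations

import hashlib
from collections import deque


def git_object_id(kind: str, payload: bytes) -> str:
    """SHA-1 object id computed the way git does it: '<type> <size>\\0' + payload.
    For kind="blob" this matches `git hash-object` on the same bytes."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


class ForkNetwork:
    """Toy model (an assumption, not GitHub's implementation) of a fork network:
    every fork shares one object store, and each fork owns only its refs
    (branch name -> commit id) pointing into that store."""

    def __init__(self) -> None:
        self.objects: dict[str, tuple[str, bytes]] = {}
        self.refs: dict[str, dict[str, str]] = {}

    def fork(self, parent: str | None, name: str) -> None:
        """A new fork copies its parent's refs; objects are shared, not copied."""
        self.refs[name] = dict(self.refs[parent]) if parent else {}

    def commit(self, repo: str, branch: str, message: str, content: bytes) -> str:
        """Store a blob and a commit object, then move the branch ref onto it."""
        blob_id = git_object_id("blob", content)
        self.objects[blob_id] = ("blob", content)
        parent = self.refs[repo].get(branch)
        lines = [f"blob {blob_id}"]  # simplified: one blob stands in for the tree
        if parent:
            lines.append(f"parent {parent}")
        lines += ["", message]
        payload = "\n".join(lines).encode()
        commit_id = git_object_id("commit", payload)
        self.objects[commit_id] = ("commit", payload)
        self.refs[repo][branch] = commit_id
        return commit_id

    def delete_repo(self, repo: str) -> None:
        """'Delete' a repo as the article describes GitHub doing it:
        the refs go away, the shared objects do not."""
        del self.refs[repo]

    def reachable(self, repo: str) -> set[str]:
        """Commit ids reachable from a repo's branches: what the UI and
        normal git operations show."""
        seen: set[str] = set()
        queue = deque(self.refs[repo].values())
        while queue:
            cid = queue.popleft()
            if cid in seen:
                continue
            seen.add(cid)
            _, payload = self.objects[cid]
            for line in payload.decode().split("\n"):
                if line.startswith("parent "):
                    queue.append(line.split(" ", 1)[1])
        return seen

    def lookup(self, object_id: str) -> tuple[str, bytes] | None:
        """Direct access by hash: no ref is consulted at all."""
        return self.objects.get(object_id)

    def prune_unreachable(self) -> int:
        """What a plain `git gc --prune` would do: drop every object that no
        surviving fork's refs reach. Returns the number of objects removed."""
        keep: set[str] = set()
        for repo in self.refs:
            for cid in self.reachable(repo):
                keep.add(cid)
                _, payload = self.objects[cid]
                for line in payload.decode().split("\n"):
                    if line.startswith("blob "):
                        keep.add(line.split(" ", 1)[1])
        dropped = [oid for oid in self.objects if oid not in keep]
        for oid in dropped:
            del self.objects[oid]
        return len(dropped)


def deleted_fork_scenario() -> dict:
    """Walk through the article's 'deleted fork' workflow and report what each
    access path sees. Repo names and the key value are constructed placeholders."""
    net = ForkNetwork()
    net.fork(None, "org/upstream")
    root = net.commit("org/upstream", "main", "initial import", b"# README\n")
    net.fork("org/upstream", "alice/upstream")
    leaked = net.commit("alice/upstream", "main", "add config",
                        b"API_KEY=EXAMPLE_NOT_A_REAL_KEY\n")  # constructed placeholder
    net.delete_repo("alice/upstream")
    return {
        "root": root,
        "leaked": leaked,
        "visible_via_upstream_refs": leaked in net.reachable("org/upstream"),
        "retrievable_by_hash": net.lookup(leaked) is not None,
        "objects_pruned_if_gc_ran": net.prune_unreachable(),
        "retrievable_after_prune": net.lookup(leaked) is not None,
    }


if __name__ == "__main__":
    for key, value in deleted_fork_scenario().items():
        print(f"{key}: {value}")
```

The takeaway for remediation matches the article's conclusion: as long as the object store is shared and never pruned, deleting the fork or branch that introduced a secret changes nothing about whether the commit can be fetched by its hash, so the committed credential has to be rotated.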
GitHub Policies
GitHub designed repositories to function this way.
Implications
The conclusions are:
- As long as a fork exists, any commit in that network of repositories will exist forever.
- The only secure way to remediate a leaked key in a public GitHub repository is by rotating keys.
- The architecture of GitHub repositories requires these design flaws, and unfortunately, most GitHub users will never understand how a repository network truly works and will be less secure because of it.
As secret scanning evolves, it is important to consider that these issues may also exist in other version control system products.
This article highlights the need for increased diligence and awareness about how data is managed and protected on collaborative development platforms like GitHub.
Source: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github