Issue 3311: Submodule subscriptions may allow security breaches.
Reported by email@example.com (Project Member), Apr 16 2015
Affected Version:

What steps will reproduce the problem?

1. Eve gains access to an arbitrary repository on a host (such as by asking for a personal playground repo, called playground-eve, to learn git pushes, whatever).
2. Eve gains knowledge of a non-public repository name (let's call it top-secret) by accident or by guessing.
3. Eve sets up a submodule subscription as documented in https://review.openstack.org/Documentation/user-submodules.html to track the top-secret repository as a submodule.
4. Information about changes made to the top-secret repository will show up as the submodule updates in playground-eve. This includes commit ids and, more problematically, commit messages (including change ids).

What is the expected output? What do you see instead?

There is *no* permission/ACL checking at all in the submodule subscription feature. I'd expect the owners of top-secret to configure whether that repo can be subscribed to (who can do it? how does the ACL of the subscribing repo look?). This breach means you can gain knowledge of commit messages of any repository on a host provided you have access to at least one repository on that host.
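The missing check the report describes, as an added example that is not part of this issue or of Gerrit's code base: a per-submodule allow-list in which the submodule's owners (top-secret's, in the report) must explicitly name each superproject branch that may track it, with everything else denied by default. The config shape (superproject name plus a "matching" glob or an "exact" ref) and all repository names are assumptions constructed for the example.

```python
# Added example: model of the per-submodule allow-list that closes the gap
# reported above. Not Gerrit's own code; the config shape ("matching" glob or
# "exact" ref per superproject) and the repo names are assumptions.
from fnmatch import fnmatchcase

# Constructed data standing in for each submodule repo's own config:
# submodule repo -> list of (superproject, kind, pattern).
# kind is "matching" (glob over the superproject branch) or "exact"
# (one specific ref). A missing or empty list means nobody may subscribe.
SUBMODULE_ACLS = {
    "top-secret": [],  # owners never allowed any superproject
    "libfoo": [
        ("product", "matching", "refs/heads/*"),
        ("product-lts", "exact", "refs/heads/stable-1"),
    ],
}


def superproject_allowed(acls, submodule, superproject, branch):
    """True only if the submodule's owners listed this superproject branch."""
    rules = acls.get(submodule)
    if not rules:  # unknown repo or empty allow-list: default deny
        return False
    for name, kind, pattern in rules:
        if name != superproject:
            continue
        if kind == "exact" and branch == pattern:
            return True
        if kind == "matching" and fnmatchcase(branch, pattern):
            return True
    return False


def subscription_decision(acls, superproject, branch, submodule):
    """Decide one subscription request and give the reason an operator would log."""
    if superproject_allowed(acls, submodule, superproject, branch):
        return ("allow", f"{submodule} lists {superproject}:{branch}")
    return ("deny", f"{submodule} does not allow {superproject}:{branch} as a superproject")


if __name__ == "__main__":
    # The report's scenario: playground-eve tries to track top-secret.
    print(subscription_decision(SUBMODULE_ACLS, "playground-eve", "refs/heads/master", "top-secret"))
    print(subscription_decision(SUBMODULE_ACLS, "product", "refs/heads/feature/x", "libfoo"))
```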
Jun 14 2016,
This was fixed by the addition of submodule ACLs.
Jun 14 2016,
Can we remove the security and nonpublic labels from this? Otherwise it won't be visible to people who click through from the 2.13 release notes.
I think we can remove the security label here.