@sarazasasa sarazasasa/forks.md Secret
Last active Mar 14, 2019

Some issues with GitHub Forks

Apparently, it is well known that GitHub treats the forks of a repository as a kind of super-repository (the "fork network"): commits pushed to any repo in the network can be viewed from every other repo in it. This is true even for private repos. For example, if you (Bob) fork repo P from Alice, and Alice makes a commit with hash X in her repo after you forked, you can access it via github.com/Bob/P/tree/X. Even after your fork is deleted, the commits remain accessible via any of the remaining forks, seemingly forever.

I have found the following related issues and contacted GitHub about them. They said the issues were already known and that it is OK to make them public.

Issue 1: Maintaining access to repos after they kick you out.

It is possible for a user to keep viewing new commits in a repo they no longer have access to. The idea is to fork the private repo before your access is removed; the fork then lets you reach later commits by their hash.

According to the GitHub Docs, when you remove someone's access to your private repo, GitHub deletes their forks of it. This holds for forks made into the collaborator's own account, but not for forks made into an organization.

Scenario:

  • Alice has private repo P
  • Alice grants access to P to Bob.
  • Bob creates an organization, called B-org.
  • Bob forks P into B-org.
  • Alice removes access to P from user Bob.
  • Alice makes commit into P with hash X.
  • Bob can see commit with hash X by visiting github.com/B-org/P/tree/X.

Bob can access the commits in P by their hash. Once you reach one commit, you also have access to all of its ancestors, but not to its descendants.

There are several ways to find commits in the repo:

  • If the repo owner has a Pro account, the hashes of all their branches show up in Insights -> Network.
  • GitHub lets you reference commits by a prefix of their hash in URLs, so you can brute-force the 4-hex-character prefix space (16^4 = 65,536 values), iterating from github.com/B-org/P/tree/0000 to github.com/B-org/P/tree/ffff (prefixes of commits you already know can be skipped). The same can be done through the GitHub API, but it is rate-limited.
  • GitHub auto-links commits when you paste a 6-character prefix of their hash in a comment. I couldn't find a size restriction; it looks like you can pack more than a couple thousand hashes into one comment. Note that GitHub mentions an anti-abuse quota.
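The prefix brute-force from the second bullet, written out as an added example (this is not code from the gist or from GitHub). It assumes that github.com/B-org/P/tree/PREFIX answers HTTP 200 when the prefix resolves to a commit anywhere in the fork network, 404 when it does not, and 429 when you are being rate-limited; "B-org" and "P" are the gist's placeholder names. All network I/O goes through an injectable probe function, so the search logic can be exercised offline against a stub.

```python
"""Enumerate the commits reachable from a fork by short-SHA prefix.

Added example, not code from the gist or from GitHub. Assumed behaviour:
https://github.com/<org>/<repo>/tree/<prefix> returns HTTP 200 when the
prefix resolves to a commit in the fork network, 404 otherwise, and 429
when GitHub wants you to slow down.
"""
import itertools
import time
import urllib.error
import urllib.request
from typing import Callable, Iterable, Iterator, List

HEX = "0123456789abcdef"


def prefixes(length: int = 4, known: Iterable[str] = ()) -> Iterator[str]:
    """Yield every hex prefix of `length` chars (16**length of them), skipping
    the prefixes of commits you already know so they are not probed again."""
    seen = {k[:length].lower() for k in known}
    for chars in itertools.product(HEX, repeat=length):
        prefix = "".join(chars)
        if prefix not in seen:
            yield prefix


def tree_url(org: str, repo: str, prefix: str) -> str:
    """The URL form the gist uses: github.com/B-org/P/tree/<hash or prefix>."""
    return f"https://github.com/{org}/{repo}/tree/{prefix}"


def http_probe(url: str, timeout: float = 10.0) -> int:
    """Return the HTTP status for `url` (GET, body discarded; stdlib only).
    Note that GitHub also answers 404 for private repos you cannot see, so a
    run with zero hits may mean the fork itself is gone or inaccessible."""
    req = urllib.request.Request(url, headers={"User-Agent": "fork-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def enumerate_commits(
    org: str,
    repo: str,
    probe: Callable[[str], int] = http_probe,
    length: int = 4,
    known: Iterable[str] = (),
    delay: float = 0.5,
    max_retries: int = 5,
) -> List[str]:
    """Return every prefix under which /tree/<prefix> resolved (HTTP 200).

    Each hit is a page the caller can browse despite having no access to the
    upstream repo; the full hash can be read from it and its ancestors walked.
    """
    found: List[str] = []
    for prefix in prefixes(length, known):
        for attempt in range(max_retries):
            status = probe(tree_url(org, repo, prefix))
            if status == 429:
                # Assumed rate-limit signal: back off exponentially, then retry.
                time.sleep(delay * (2 ** attempt))
                continue
            if status == 200:
                found.append(prefix)
            break
        if delay:
            time.sleep(delay)
    return found


if __name__ == "__main__":
    # Live run: 65,536 requests, roughly nine hours at two per second.
    for hit in enumerate_commits("B-org", "P"):
        print(tree_url("B-org", "P", hit))
```

A 4-character prefix can match several objects in a large repo; the example treats any 200 as "something resolved" and leaves it to you to read the full hash off the page. Against a real target the per-request delay matters more than the code: the gist itself notes that the API route is quota-limited, and the web route is the same pattern seen from the other side.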

Note that this also applies to private repos in organizations and teams, with the caveat that the organization must explicitly allow members to fork its repos.

How to check if someone has access to my repos

You can always see the number of forks your repo has, and with a GitHub Pro account you can see the fork owners' usernames in the Insights -> Network tab.
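The same check done from a script, as an added example that is not part of the gist: it calls the GitHub REST endpoint GET /repos/{owner}/{repo}/forks with an owner token, follows the Link header through all pages, and flags forks whose owner is not on an allow-list. The gist only says the UI shows the fork count to everyone and the owners' names to Pro accounts; that this endpoint returns every fork of a private repo for the owner's token is an assumption made here, so an empty result means "nothing visible", not "no forks". The page fetcher is injectable so the pagination and triage logic can run offline.

```python
"""List the forks of a repository through the GitHub REST API.

Added example, not from the gist. Assumption: GET /repos/{owner}/{repo}/forks
(a documented GitHub endpoint) lists every fork of a private repo when called
with the repo owner's token.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional, Tuple

API = "https://api.github.com"
Page = Tuple[int, list, str]  # (HTTP status, decoded JSON body, Link header)


def fetch_page(url: str, token: str) -> Page:
    """One authenticated GET; returns status, decoded JSON and the Link header."""
    req = urllib.request.Request(
        url,
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "fork-audit",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.loads(resp.read().decode("utf-8"))
        return resp.status, body, resp.headers.get("Link", "")


def next_link(link_header: str) -> Optional[str]:
    """Extract the rel="next" URL from a Link header, or None on the last page."""
    for part in link_header.split(","):
        pieces = part.split(";")
        if len(pieces) >= 2 and any(p.strip() == 'rel="next"' for p in pieces[1:]):
            return pieces[0].strip().strip("<>")
    return None


def list_forks(
    owner: str,
    repo: str,
    token: str,
    fetch: Callable[[str, str], Page] = fetch_page,
) -> List[Dict[str, object]]:
    """Return {full_name, owner, owner_type, private} for every fork the token can see."""
    url: Optional[str] = f"{API}/repos/{owner}/{repo}/forks?per_page=100"
    forks: List[Dict[str, object]] = []
    while url:
        status, body, link = fetch(url, token)
        if status != 200:
            raise RuntimeError(f"GET {url} returned HTTP {status}")
        for f in body:
            forks.append({
                "full_name": f["full_name"],
                "owner": f["owner"]["login"],
                "owner_type": f["owner"]["type"],  # "User" or "Organization"
                "private": f["private"],
            })
        url = next_link(link)
    return forks


def unexpected_forks(forks: List[Dict[str, object]], allowed: Iterable[str]) -> List[Dict[str, object]]:
    """Forks whose owner is not on the allow-list. Organization-owned forks of a
    private repo deserve the closest look: per the gist, revoking a collaborator
    does not delete the forks they made into an organization."""
    allowed_set = {a.lower() for a in allowed}
    return [f for f in forks if str(f["owner"]).lower() not in allowed_set]


if __name__ == "__main__":
    import os
    # Placeholder owner/repo; the token comes from the environment.
    found = list_forks("alice", "P", os.environ["GITHUB_TOKEN"])
    for f in unexpected_forks(found, allowed=["bob"]):
        print("unexpected fork:", f["full_name"], f["owner_type"])
```

Run it periodically from the repo owner's account and diff the output; a new Organization-owned fork appearing right before a collaborator is removed is exactly the pattern in the scenario above.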

Issue 2: Repo Owner has permanent access to private forks.

If you fork a private repo and then remove the original owner's access to your fork, you would expect the owner to be unable to see your commits. However, they can still reach your commits by finding the commit hash and constructing a link to it under their own repo (as above).

Issue 3: Unlimited Private Repos for Organizations, and unlimited collaborators for users.

Free organizations have a limit on the number of private repos, and free users have a limit on the number of collaborators in their private repos. However, if a free user forks a private repo into an organization, that organization gains a new private repo, and there the org can add as many collaborators as it wants.

jcriddle4 commented Jan 22, 2019

In crypto or security discussions, people often find it easier to follow if they use 'Alice' or 'Bob' instead of 'User A'. Particular names have some semi-standard usages, so Eve is often an eavesdropper. Mallory is often malicious.

https://en.wikipedia.org/wiki/Alice_and_Bob

loliveira commented Jan 23, 2019

This reminded me of this xkcd comic: https://xkcd.com/1323/

bekker commented Jan 27, 2019

I can't believe GitHub said they are 'OK with it'. Isn't this a security hole or what?
