How to avoid leaking your customer's source code with GitHub apps

How to avoid leaking your customer's source code with GitHub apps(roadie.io)

50 points by grinnick 4 years ago | 7 comments

eranation 4 years ago |

Good article and agree with the recommendations, I'm trying to understand the attack flow though. You perform an actual installation and get a valid authorization code, but replace the actual installation ID with another (that the user has no access to)?

This is a major issue then from GitHub's side. I think what GitHub should do is just like with Oauth apps, allow you to provide a state (assuming the flow is starting from the SaaS app, not from the GitHub marketplace, I assume you can't send a state since it's sort of like an "IdP initiated" flow in case you start the installation from the github marketplace, but they should let you opt out and require a state. There is a reason why things like PKCE and such exist.

brianfletcher 4 years ago | |

If you use the setup url callback, you don't get any authorization code just an installation id and the setup action. So there is no means to verify that the user honestly owns the installation that they are providing. Because the number is so short, it's easy to guess every combination.

eranation 4 years ago | | |

Right, agree and understand 100%, but if I do the authorization code flow (which I agree all apps should do) - is the 2nd check (of using the received token to check the user can access that installation) required? if they didn't have permission to install it, the callback wouldn't happen? I am feeling they imply a 3rd, interim diagram flow where you do the authorization code (instead of the setup URL that they should probably remove due to the risk) - but without the GET /user/installations check - I am trying to understand if they had a POC of that being exploitable (e.g. using a valid code but sending a different installation ID)

fortran77 4 years ago |

One reason we use Amazon's "Code Commit" over any github project is there's no possibility we can click the wrong setting and make our code public.

netr0ute 4 years ago |

The real fix? Make all of their software open source.

yjftsjthsd-h 4 years ago | |

That would rather defeat the purpose...