If the assets of a private repository can be accessed without credentials, isn't it a security issue? #118894
Replies: 3 comments 1 reply
- +1
- Absolutely, I completely agree with you, @rpelissondaitan. It's crucial to maintain consistency in privacy settings, especially within private repositories. This oversight could indeed lead to potential security vulnerabilities, depending on the nature of the uploaded images. Ensuring that all assets, including images, adhere to the privacy restrictions of the repository is essential for maintaining data integrity and security. Thanks for bringing attention to this issue!
- response #1
Topic Area: Product Feedback
I have a private repo. I usually add wireframe images in the description section of an issue. The images are stored in GitHub's S3 bucket. But if I open these images directly in a new tab, I can view them without even entering my credentials. Those images are accessible through Incognito mode in Chrome as well.
If the repo is private, shouldn't the assets be private as well?
Here's an example: https://github-production-user-asset-6210df.s3.amazonaws.com/58620639/321541386-eda570a8-4fa5-4e54-81a2-c24c90a4a293.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240413%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240413T081856Z&X-Amz-Expires=300&X-Amz-Signature=4c5133b12b58aa8fece2b06d3b05fde4b6d4f41bab411c74e5a70b03790bcd9f&X-Amz-SignedHeaders=host&actor_id=58620639&key_id=0&repo_id=784378362
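As an added example (not part of the post and not GitHub's own code), the script below decodes the SigV4 query parameters of the presigned URL quoted in the post to show what such a link actually carries: it is signed with the storage owner's access key (so the viewer's own credentials are never checked), it is bound to one object, and S3 only accepts it for the `X-Amz-Expires` window after `X-Amz-Date`. Inspecting those two values is the quickest way to tell a short-lived signed link from a genuinely public object.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# The presigned URL quoted in the post above (split across lines for width).
EXAMPLE_URL = (
    "https://github-production-user-asset-6210df.s3.amazonaws.com/58620639/"
    "321541386-eda570a8-4fa5-4e54-81a2-c24c90a4a293.jpg"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240413%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240413T081856Z&X-Amz-Expires=300"
    "&X-Amz-Signature=4c5133b12b58aa8fece2b06d3b05fde4b6d4f41bab411c74e5a70b03790bcd9f"
    "&X-Amz-SignedHeaders=host&actor_id=58620639&key_id=0&repo_id=784378362"
)


def inspect_presigned_url(url: str) -> dict:
    """Decode the SigV4 query-string parameters of a presigned S3 URL.

    Returns when the link was issued, how long S3 accepts it, when it expires
    and the scope of the signing credential; raises ValueError otherwise.
    """
    query = parse_qs(urlparse(url).query)  # also percent-decodes the values
    try:
        issued = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = timedelta(seconds=int(query["X-Amz-Expires"][0]))
        credential = query["X-Amz-Credential"][0]
    except (KeyError, ValueError) as exc:
        raise ValueError("not a SigV4 query-signed URL") from exc
    issued = issued.replace(tzinfo=timezone.utc)
    # Credential scope is <access-key-id>/<date>/<region>/<service>/aws4_request;
    # the access key id belongs to the signer (here GitHub), not to the viewer.
    access_key_id, _date, region, service, _ = credential.split("/")
    return {
        "issued": issued,
        "lifetime_seconds": int(lifetime.total_seconds()),
        "expires": issued + lifetime,
        "access_key_id": access_key_id,
        "region": region,
        "service": service,
        "signed_headers": query.get("X-Amz-SignedHeaders", [""])[0],
    }


def is_valid_at(url: str, when: Optional[datetime] = None) -> bool:
    """True if S3 would still accept the signature at `when` (default: now)."""
    info = inspect_presigned_url(url)
    when = when or datetime.now(timezone.utc)
    return info["issued"] <= when < info["expires"]
```

For the URL in the post this reports a 300-second window starting 2024-04-13T08:18:56Z, so the link the poster opened in Incognito was a capability valid for five minutes, not a permanently world-readable object.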