If the assets of a private repository can be accessed without credentials, isn't it a security issue?

[chessmadridista]

Select Topic Area

Product Feedback

Body

I have a private repo. I usually add wireframe images in the description section of an issue. The images are stored in Github's s3 bucket. But if I open these images directly in a new tab, I can view them without even entering my credentials. Those images are accessible through Incognito mode in Chrome as well.

If the repo is private, shouldn't the assets be private as well?

Here's an example: https://github-production-user-asset-6210df.s3.amazonaws.com/58620639/321541386-eda570a8-4fa5-4e54-81a2-c24c90a4a293.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240413%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240413T081856Z&X-Amz-Expires=300&X-Amz-Signature=4c5133b12b58aa8fece2b06d3b05fde4b6d4f41bab411c74e5a70b03790bcd9f&X-Amz-SignedHeaders=host&actor_id=58620639&key_id=0&repo_id=784378362

[rpelissondaitan]

+1
This could be an huge security breach, depends on the uploaded Image.
If the repository is Private, everything related to this should be private too

[michealsander0901]

Absolutely, I completely agree with you, @rpelissondaitan. It's crucial to maintain consistency in privacy settings, especially within private repositories. This oversight could indeed lead to potential security vulnerabilities, depending on the nature of the uploaded images. Ensuring that all assets, including images, adhere to the privacy restrictions of the repository is essential for maintaining data integrity and security. Thanks for bringing attention to this issue!
Visit Here: best realtors in parkland

[sharoon2256]

response #1