Data from deleted GitHub repos may not really be deleted (www.theregister.com)
from lemmee_in@lemm.ee to technology@lemmy.world on 26 Jul 2024 14:53
https://lemm.ee/post/38035600

Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn’t necessarily deleted.

Joe Leon, a security researcher with the outfit, said in an advisory on Wednesday that being able to access deleted repo data – such as API keys – represents a security risk. And he proposed a new term to describe the alleged vulnerability: Cross Fork Object Reference (CFOR).

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Leon explained.

For example, the firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.

The researchers also created a repo, forked it, and showed how data not synced with the fork continues to be accessible through the fork after the original repo is deleted. You can watch that particular demo.

AdamEatsAss@lemmy.world on 26 Jul 2024 16:09

Oh god. That means all the spaghetti code that I ever wrote is still out there.

radivojevic@discuss.online on 26 Jul 2024 16:18

Yup. Along with the code from huge organizations. I always thought it was funny that people put their code online, blindly trusting some random company that got gobbled up by Microsoft.

4am@lemm.ee on 26 Jul 2024 16:33

Along with every private key that was accidentally committed.

radivojevic@discuss.online on 26 Jul 2024 16:36

Ha ha, way way back in the day when I didn’t understand how keys worked, I sent a private key to another developer when they asked for my public. They were kind enough to educate me.

sugar_in_your_tea@sh.itjust.works on 26 Jul 2024 17:59

As a lifelong troll, I would’ve just generated a new pub key and made a bunch of commits as you. Then two days later, I would tell you what’s up once you had time to process the confusion.

Chocrates@lemmy.world on 26 Jul 2024 17:48

Your point is valid, but many (most?) enterprises don’t use a forking workflow, so I suspect open source projects will be hit harder, sadly

Cosmos7349@lemmy.world on 26 Jul 2024 22:40

Not only just out there. I am regenerating your spaghetti code into a new context with copilot 🧑‍✈️ Your (ai-regenerated) code will be driving our military nuclear launch code base! Congratulations!

ByteOnBikes@slrpnk.net on 27 Jul 2024 14:24

Your (ai-regenerated) code will be driving our military nuclear launch code base!

What’s so difficult about writing code that checks if you have 8 zeroes?

gizmodo.com/for-20-years-the-nuclear-launch-code-…

Cosmos7349@lemmy.world on 28 Jul 2024 00:33

Oh I’m just the cleaning guy, so I don’t really know how to code it myself. We laid off all the developers three weeks ago.

SpaghettiYeti@lemmy.world on 27 Jul 2024 01:29

My people!

Fijxu@programming.dev on 26 Jul 2024 16:41

Classic microsoft. Use other git instances please. If you want actions you can use any public Forejo instance.

richieadler@lemmy.myserv.one on 26 Jul 2024 16:46

You mean Forgejo?

Fijxu@programming.dev on 26 Jul 2024 17:08

Yes, forgejo. My hands are cold :s

sugar_in_your_tea@sh.itjust.works on 26 Jul 2024 17:57

Fun fact, it comes from the Esperanto: forĝejo. Try typing that with cold fingers. :)

Mubelotix@jlai.lu on 26 Jul 2024 20:11

Imagine creating a whole new “universal” language and using such shitty diacritics that nobody likes

sugar_in_your_tea@sh.itjust.works on 26 Jul 2024 20:58

Yeah, kinda dumb. But they do have a relatively popular workaround: the x-system. So forĝejo becomes forgxejo (x = diacritic for the prev letter).

amanda@aggregatet.org on 27 Jul 2024 08:00

Like lojban!

eager_eagle@lemmy.world on 26 Jul 2024 17:55

that’s a direct cause of how forks work, it most likely predates microsoft’s acquisition

Mubelotix@jlai.lu on 26 Jul 2024 20:09

This is not a GitHub issue. It’s a GIT feature. People are always going to clone your repo.

Morphit@feddit.uk on 26 Jul 2024 21:03

Well, sort of. GitHub certainly could refuse to render orphan commits. They pop up a banner saying so but I don’t see why they should show the commit at all. They could still keep the data until it’s garbage collected since a user might re-upload the commit in a new branch.

This seems like a non-issue though since someone who hasn’t already seen the disclosed information would need to somehow determine the hash of the deleted commit.

Morphit@feddit.uk on 27 Jul 2024 14:24

Ah - Actually reading the article reveals why this is actually an issue:

What’s more, Ayrey explained, you don’t even need the full identifying hash to access the commit. “If you know the first four characters of the identifier, GitHub will almost auto-complete the rest of the identifier for you,” he said, noting that with just sixty-five thousand possible combinations for those characters, that’s a small enough number to test all the possibilities.

So enumerating all the orphan commits wouldn’t be that hard.

In any case if a secret has been publicly disclosed, you should always assume it’s still out there. For sure, rotate your keys.
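A local demonstration of the mechanism the post and the comment above describe, added here and not taken from the article, the thread or Truffle Security: once the only branch pointing at a commit is deleted, the commit and its file stay readable by full hash or by prefix until the repository is garbage collected, which on a hosted service the user cannot trigger, so rotating the key is the real fix. It assumes git is on PATH and creates a throwaway repository; the key value is constructed and all function names are the example's own.

```shell
# Added example (not from the article or the thread). Assumes git is installed.
# The fake key below is constructed for the demo and is not a real credential.
set -eu
# Commit a fake secret on a branch, then delete the branch. Prints the hash of
# the commit that no ref points at any more (an orphan, in GitHub's wording).
make_orphan_commit() {   # $1 = existing empty directory
  git -C "$1" init -q
  git -C "$1" config user.name demo
  git -C "$1" config user.email demo@example.invalid
  git -C "$1" commit -q --allow-empty -m "initial"
  git -C "$1" checkout -q -b leak
  printf 'API_KEY=EXAMPLE_CONSTRUCTED_FAKE_KEY\n' > "$1/config.env"
  git -C "$1" add config.env
  git -C "$1" commit -q -m "add config"
  git -C "$1" rev-parse HEAD
  git -C "$1" checkout -q -           # back to the default branch
  git -C "$1" branch -q -D leak       # the last ref to the commit is gone
}

# "present" if the object still resolves (full hash or prefix), else "gone".
object_state() {   # $1 = repo, $2 = full or abbreviated commit hash
  if git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null; then echo present; else echo gone; fi
}

# Read the "deleted" file straight out of the orphaned commit.
leaked_content() { git -C "$1" show "$2:config.env"; }   # $1 = repo, $2 = hash

# Commits no ref reaches: audit these before assuming a push carried nothing extra.
list_dangling() {   # $1 = repo
  git -C "$1" fsck --no-reflogs --unreachable --no-progress 2>/dev/null |
    awk '$2 == "commit" { print $3 }'
}

# What the owner can do locally, and what a hosted "delete" does not do:
# drop reflog entries, then prune every unreachable object.
purge_unreachable() {   # $1 = repo
  git -C "$1" reflog expire --expire=now --all
  git -C "$1" gc -q --prune=now
}
main() {
  repo=$(mktemp -d); leaked=$(make_orphan_commit "$repo"); short=$(printf '%.4s' "$leaked")
  echo "orphaned commit $leaked: $(object_state "$repo" "$leaked")"
  echo "by 4-char prefix $short: $(object_state "$repo" "$short")"
  echo "content: $(leaked_content "$repo" "$leaked")"
  purge_unreachable "$repo"
  echo "after reflog expire + gc: $(object_state "$repo" "$leaked")"
  rm -rf "$repo"
}
main
```

Note that the reflog alone keeps the commit alive through a plain `git gc`; the expire step is what makes the prune bite, and a hosted fork network has no equivalent you control.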

best_username_ever@sh.itjust.works on 27 Jul 2024 13:56

Forks do not exist in git. It’s a GitHub feature, and a massive blunder at the same time.

Mubelotix@jlai.lu on 27 Jul 2024 14:04

Yes they exist. It’s called a clone

best_username_ever@sh.itjust.works on 27 Jul 2024 14:47

How can such a wrong answer get so many points? Clones and forge forks are unrelated. First, GitHub or GitLab cannot and could not link clones together without analyzing the remotes of each clone.

FFS it’s a tech community…

Mubelotix@jlai.lu on 27 Jul 2024 15:34

Because you are the one being wrong. Github and others only provide a nice interface around clones. That’s all there is, and it doesn’t matter much

arcuru@lemmy.world on 27 Jul 2024 16:04

The article is specifically about how GitHub forks are not the same as a git clone. A clone isn’t accessible from the upstream without the upstream pulling the changes, but this vulnerability points out that a fork on GitHub is accessible from the upstream without a pull, even if the fork is private.

It’s because GitHub under the hood doesn’t actually do a real clone so that they can save on disk usage.

Mubelotix@jlai.lu on 27 Jul 2024 16:09

You actually can’t turn a fork private on github

kernelle@lemmy.world on 26 Jul 2024 22:01

So many OpenAI keys!

helenslunch@feddit.nl on 27 Jul 2024 13:28

It’s the internet. Nothing is deleted.