
Comments (6)

douglasday commented on August 18, 2024

@nr-kkenney, the reproduction step about adjusting the URL via a manual request was just to bypass any client-side UI checks on the protocol. In this issue, the attacker is still updating the GitHub URL in the nerdlet, just using a proxy tool like Burp Suite to bypass any client-side checks.

from nr1-github.

moonlight-komorebi commented on August 18, 2024

I dropped this question in Slack but I'll also drop it here:

Hmmmm, this is interesting. For the ticket I worked on, one of the reproduction steps was to adjust the URL via a manual request rather than interaction through the UI.
Is it possible to invalidate the PAT if the GitHub URL is changed outside of the nerdlet? This seems only possible within the app, since we don't have other domain code.


rudouglas commented on August 18, 2024

#72 should fix this issue.


rudouglas commented on August 18, 2024

This has now been pushed to production :)


rudouglas commented on August 18, 2024

I've reopened this as I'm meeting with Emily tomorrow to get clarity on the scenario so we are 100% clear on how to resolve this.


rudouglas commented on August 18, 2024

Met with Emily to clarify the scenario which I was then able to reproduce:

  1. User A logs in, navigates to any app -> GitHub Repo (in sidebar)
  2. User B logs in (Incognito Window), navigates to same app -> GitHub Repo
  3. User A enters a PAT and saves it
  4. User B without refreshing the page, enters a custom GHE URL and sets it (which sets globally for the NerdPack)
    • The PAT input shows empty for them and they leave it empty
  5. User A simply refreshes their app
    • Their PAT gets sent to the URL that User B set

#77 should fix this: on initial setup it won't allow you to set a GHEnterprise URL until you have set a PAT. User B is forced to set a PAT, which overwrites User A's PAT, so when User A refreshes, it's User B's PAT that gets sent to the custom URL.

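The five-step sequence above, replayed as an added simulation (JavaScript; not nr1-github's own code, and the store shape and field names `gheUrl`, `pat`, `patBoundTo` are assumptions). It runs the steps against independent URL/PAT writes and against a write that binds the PAT to the URL it was entered for, and also shows why a read-time binding check matters when the URL is written past the client-side gate, as the thread notes a proxy can do:

```javascript
// Constructed model of the shared NerdPack settings described in the thread: one
// global record read by every user, each client holding a possibly stale copy.
const DEFAULT_URL = "https://api.github.com";
class SharedSettings {
  constructor() { this.record = { gheUrl: DEFAULT_URL, pat: null, patBoundTo: DEFAULT_URL }; }
  read() { return { ...this.record }; }
}
// Vulnerable flow: URL and PAT are independent writes, so a client whose stale
// view shows an empty PAT can change the URL underneath someone else's PAT.
const vulnerable = {
  setPat: (s, pat) => { s.record.pat = pat; },
  setUrl: (s, url) => { s.record.gheUrl = url; },
  credential: (s) => s.read().pat,
};
// Hardened flow (the #77 rule plus the "invalidate the PAT" suggestion): a URL
// change is accepted only together with a PAT from the same writer, the PAT is
// recorded as bound to that URL, and a reader refuses to send a PAT whose
// binding no longer matches the current URL.
const hardened = {
  setPat: (s, pat) => { s.record = { ...s.record, pat, patBoundTo: s.record.gheUrl }; },
  setUrl: (s, url, patFromWriter) => {
    if (!patFromWriter) throw new Error("set a PAT before changing the GHE URL");
    s.record = { gheUrl: url, pat: patFromWriter, patBoundTo: url };
  },
  credential: (s) => {
    const r = s.read();
    return r.pat && r.patBoundTo === r.gheUrl ? r.pat : null;
  },
};
// Replays the scenario and returns what User A's refreshed client would send,
// and to which URL. The GHE URL is a constructed placeholder.
function replayScenario(flow) {
  const store = new SharedSettings();
  flow.setPat(store, "PAT_A");                      // step 3: User A saves a PAT
  const bUrl = "https://ghe.example.test";          // step 4: User B, stale view,
  try { flow.setUrl(store, bUrl, undefined); }      // leaves the PAT field empty...
  catch (e) { flow.setUrl(store, bUrl, "PAT_B"); }  // ...and is forced to set one
  return { url: store.read().gheUrl, patSent: flow.credential(store) };  // step 5
}
// A URL write that skipped the client-side gate: with the read-time binding
// check, the stale PAT is withheld instead of being sent to the new URL.
function replayBypass() {
  const store = new SharedSettings();
  hardened.setPat(store, "PAT_A");
  store.record.gheUrl = "https://ghe.example.test"; // written directly, no rebinding
  return hardened.credential(store);
}
```

With the vulnerable flow User A's PAT goes to User B's URL; with the hardened flow only User B's own PAT does, matching the outcome the fix describes, and a gate-bypassing URL write yields no credential at all.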
