Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn’t necessarily deleted.

Joe Leon, a security researcher with the outfit, said in an advisory on Wednesday that being able to access deleted repo data – such as APIs keys – represents a security risk. And he proposed a new term to describe the alleged vulnerability: Cross Fork Object Reference (CFOR).

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Leon explained.

For example, the firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.

The researchers also created a repo, forked it, and showed how data not synced with the fork continues to be accessible through the fork after the original repo is deleted. You can watch that particular demo.

  • @[email protected]
    link
    fedilink
    English
    -85 months ago

    Classic microsoft. Use other git instances please. If you want actions you can use any public Forejo instance.

    • Eager Eagle
      link
      English
      205 months ago

      that’s a direct cause of how forks work, it most likely predates microsoft’s acquisition

          • Mubelotix
            link
            fedilink
            English
            5
            edit-2
            5 months ago

            Imagine creating a whole new “universal” language and using such shitty diacritics that nobody likes

            • @[email protected]
              link
              fedilink
              English
              15 months ago

              Yeah, kinda dumb. But they do have a relatively popular workaround: the x-system. So forĝejo becomes forgxejo (x = diacritic for the prev letter).