Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories (public or private) and from deleted copies (forks) of repositories isn’t necessarily deleted.

Joe Leon, a security researcher with the outfit, said in an advisory on Wednesday that being able to access deleted repo data – such as APIs keys – represents a security risk. And he proposed a new term to describe the alleged vulnerability: Cross Fork Object Reference (CFOR).

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Leon explained.

For example, the firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.

The researchers also created a repo, forked it, and showed how data not synced with the fork continues to be accessible through the fork after the original repo is deleted. You can watch that particular demo.

  • @[email protected]
    link
    fedilink
    English
    75 months ago

    Forks do not exist in git. It’s a GitHub feature, and a massive blunder at the same time.

      • @arcuru
        link
        English
        75 months ago

        The article is specifically about how GitHub forks are not the same as a git clone. A clone isn’t accessible from the upstream without the upstream pulling the changes, but this vulnerability points out that a fork on GitHub is accessible from the upstream without a pull, even if the fork is private.

        It’s because GitHub under the hood doesn’t actually do a real clone so that they can save on disk usage.

        • Mubelotix
          link
          fedilink
          English
          05 months ago

          You actually can’t turn a fork private on github

      • @[email protected]
        link
        fedilink
        English
        45 months ago

        How can such a wrong answer get so many points? Clones and forge forks are unrelated. First, GitHub or GitLab cannot and could not link clones together without analyzing the remotes of each clone.

        FFS it’s a tech community…

        • Mubelotix
          link
          fedilink
          English
          -35 months ago

          Because you are the one being wrong. Github and others only provide a nice interface around clones. That’s all there is, and it doesn’t matter much