Open issues in Gitlawb/node (filter: is:issue state:open)
#112  GraphQL refUpdates serves private-repo ref metadata to anonymous callers (visibility bypass)
      Labels: crate:node, kind:security, sev:high, subsystem:api, subsystem:visibility. Status: Open.

#110  GET /ipfs/{cid} serves any git object by raw hash with no visibility check, leaking withheld blobs
      Labels: crate:node, kind:security, sev:high, subsystem:api, subsystem:visibility. Status: Open.

#106  Smart-HTTP git endpoints leak absolute server path in 500 body
      Labels: crate:node, kind:security, sev:low, subsystem:api. Status: Open.

#104  Unauthenticated GET /api/v1/stats leaks the count of private/mode-A repos (count oracle)
      Labels: crate:node, kind:security, sev:medium, subsystem:api, subsystem:visibility. Status: Open.

#102  Paged repo-list owner filter misses bare-owner mirror rows when given a full DID
      Labels: crate:node, kind:bug, sev:low, subsystem:replication. Status: Open.

#101  Visibility deny rules miss paths under Unicode normalization (NFC/NFD) skew, leaking content
      Labels: crate:node, kind:security, sev:medium, subsystem:visibility. Status: Open.

#100  Filter out bots from intelligent agents
      Labels: crate:node, enhancement, kind:feature, sev:medium, subsystem:peers. Status: Open.

#99   Pin full-scan fallback can replicate an unreachable private blob in cleartext
      Labels: crate:node, kind:security, sev:medium, subsystem:replication, subsystem:visibility. Status: Open.

#97   Private repos (is_public=false) are enumerable via unauthenticated list/stats/GraphQL surfaces
      Labels: crate:node, kind:security, sev:medium, subsystem:api, subsystem:visibility. Status: Open.

#96   sync_queue: enqueue_sync ON CONFLICT DO NOTHING never dedupes; per-ref notify enqueues N redundant full fetches
      Labels: crate:node, kind:bug, sev:low, subsystem:replication. Status: Open.

#95   Document a minimum supported Git version (blob:limit filter is version-sensitive)
      Labels: crate:node, kind:docs, sev:low, subsystem:replication. Status: Open.

#94   Unauthenticated GET /repos/:owner/:repo/hooks leaks webhook target URLs for any repo
      Labels: crate:node, kind:security, sev:high, subsystem:api. Status: Open.

Label legend:
  crate:node             gitlawb-node, the serving node and REST API
  kind:security          Vulnerability fix or hardening
  kind:bug               Defect fix, wrong or unsafe behavior
  kind:feature           New capability or surface
  kind:docs              Docs and comments only
  enhancement            New feature or request
  sev:high               Major break or real security/trust risk, no easy workaround
  sev:medium             Degraded but workaround exists
  sev:low                Cosmetic, cleanup, or nice-to-have
  subsystem:api          Node REST API request/response surface
  subsystem:visibility   Path-scoped visibility and content withholding
  subsystem:replication  Mirror, replica, and cross-node sync
  subsystem:peers        Peer announce, discovery, and registry