[ZF] A couple of github issues

Jim Fulton jim at zope.com
Sun Feb 10 20:56:59 UTC 2013


On Fri, Feb 8, 2013 at 10:37 AM, Matthew Wilkes
<matthew at matthewwilkes.co.uk> wrote:
...
> Just to try and make it clearer, here's the workflow that we'd do for adding
> a new contributor and a contributor creating a repo:

Thanks. I was getting dizzy. :)

>
> New contributor
> ===============
>
> 1. A member of the owners team, such as Tres or Andreas goes to github
> 2. They go to the repository settings page
> 3. Then the teams tab
> 4. They select the developer team
> 5. They add the new contributor
> 6. The mr.sisyphus script automatically adds the new contributor to the
> CanAdd team
>
> New repo
> ========
>
> 1. A member has been added to the developer team
> 2. Therefore they're also in the CanAdd team
> 3. They can select the new repo button on github then choose zope-foundation
> 4. They create a new repo which GitHub associates with the CanAdd team
> 5. All developers gain push, pull and administration rights on that
> repo by virtue of being in CanAdd
> 6. The mr.sisyphus script automatically disassociates that repo with the
> CanAdd team and associates it with the developer team
> 7. The push, pull, admin granted by CanAdd is removed, but all developers
> retain push and pull by virtue of being in the developer team.

OK, so with this scheme, the vulnerability I see is that:

- Someone on the CanAdd team could walk up to the github UI and add a
  non-contributor.

  Doing this would be a pretty significant foul and one that could be
  detected by monitoring the membership of the developer and CanAdd
  teams.

- The non-contributor could add a repository and push something to it
  before it was moved to the developer team.

Does this sound right?

This is a fairly small vulnerability.

I wonder what others think.

Jim

--
Jim Fulton
http://www.linkedin.com/in/jimfulton
Jerky is better than bacon! http://zo.pe/Kqm
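The two conditions Jim says should be monitored (a CanAdd member who is not a developer, and a repo still attached to CanAdd before the mr.sisyphus step moves it) can be checked mechanically. The following is an added example, not code from the thread or from mr.sisyphus; it works on constructed team snapshots rather than live GitHub data, and the `TeamSnapshot` type and `audit_teams` function are assumed names.

```python
# Added example (not part of the thread or of mr.sisyphus): an offline
# consistency check for the developer/CanAdd team scheme discussed above.
# It compares snapshots of the two teams (constructed here; a real run
# would fetch them from the GitHub organisation) and reports:
#   * CanAdd members who are not on the developer team (someone added a
#     non-contributor via the UI), and
#   * repositories still associated with CanAdd (the window in which
#     CanAdd's admin rights still apply to the new repo).
from dataclasses import dataclass, field


@dataclass
class TeamSnapshot:
    """Members and repositories of one GitHub team at one point in time."""
    name: str
    members: set = field(default_factory=set)
    repos: set = field(default_factory=set)


def audit_teams(developer: TeamSnapshot, canadd: TeamSnapshot) -> dict:
    """Return the findings a monitor of this scheme would alert on."""
    # CanAdd is only meant to mirror the developer team, so any CanAdd
    # member who is not a developer is the "non-contributor" case.
    unexpected_members = canadd.members - developer.members
    # The script is expected to leave no repos on CanAdd; any repo still
    # attached has not yet been moved to the developer team.
    lingering_repos = set(canadd.repos)
    # Developers missing from CanAdd cannot create repos. Not a security
    # issue, but a sign that the sync step did not run.
    missing_from_canadd = developer.members - canadd.members
    return {
        "unexpected_canadd_members": sorted(unexpected_members),
        "repos_still_on_canadd": sorted(lingering_repos),
        "developers_missing_from_canadd": sorted(missing_from_canadd),
    }


# Constructed sample snapshots; not real zope-foundation membership data.
DEVELOPER = TeamSnapshot("developer", {"dev-a", "dev-b", "dev-c"},
                         {"example.repo1", "example.repo2"})
CANADD = TeamSnapshot("CanAdd", {"dev-a", "dev-b", "dev-c", "outsider"},
                      {"example.newrepo"})

if __name__ == "__main__":
    for finding, items in audit_teams(DEVELOPER, CANADD).items():
        print(f"{finding}: {items}")
```

Run periodically against fresh snapshots, an empty result for the first two keys means the scheme is in its intended state; anything else is the foul Jim describes.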

