[ZF] A couple of github issues

Jim Fulton jim at zope.com
Sat May 11 19:35:29 UTC 2013


On Sun, Feb 10, 2013 at 3:56 PM, Jim Fulton <jim at zope.com> wrote:
> On Fri, Feb 8, 2013 at 10:37 AM, Matthew Wilkes
> <matthew at matthewwilkes.co.uk> wrote:
> ...
>> Just to try and make it clearer, here's the workflow that we'd do for adding
>> a new contributor and a contributor creating a repo:
>
> Thanks. I was getting dizzy. :)
>
>>
>> New contributor
>> ===============
>>
>> 1. A member of the owners team, such as Tres or Andreas goes to github
>> 2. They go to the repository settings page
>> 3. Then the teams tab
>> 4. They select the developer team
>> 5. They add the new contributor
>> 6. The mr.sisyphus script automatically adds the new contributor to the
>> CanAdd team
>>
>> New repo
>> ========
>>
>> 1. A member has been added to the developer team
>> 2. Therefore they're also in the CanAdd team
>> 3. They can select the new repo button on github then choose zope-foundation
>> 4. They create a new repo which GitHub associates with the CanAdd team
>> 5. All developers gain push, pull and administration rights on that
>> repo by virtue of being in CanAdd
>> 6. The mr.sisyphus script automatically disassociates that repo from the
>> CanAdd team and associates it with the developer team
>> 7. The push, pull, admin granted by CanAdd is removed, but all developers
>> retain push and pull by virtue of being in the developer team.
>
> OK, so with this scheme, the vulnerability I see is that:
>
> - Someone on the CanAdd team could walk up to the github UI and add a
>   non-contributor.
>
>   Doing this would be a pretty significant foul and one that could be
>   detected by monitoring the membership of the developer and CanAdd
>   teams.
>
> - The non-contributor could add a repository and push something to it
>   before it was moved to the developer team.
>
> Does this sound right?
>
> This is a fairly small vulnerability.
>
> I wonder what others think.

Hm, crickets.

Well, I think this is a good idea.

Are you still willing to set this up?

Jim

-- 
Jim Fulton
http://www.linkedin.com/in/jimfulton
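The monitoring Jim mentions (watching the developer and CanAdd teams for additions nobody approved, and checking that no repo is left sitting on CanAdd) is easy to express as two invariants over team snapshots. The following is an added example and not code from this thread or from mr.sisyphus; it works on snapshots constructed inline, makes no GitHub API calls, and the logins and repo names it uses are made up for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class OrgSnapshot:
    """One observation of the organisation's teams.

    Constructed in this example; how the snapshot is fetched from GitHub is
    left to the reader's tooling (an assumption, not something the thread
    describes).
    """
    developers: Set[str]
    can_add: Set[str]
    # repository name -> names of the teams currently granted access to it
    repo_teams: Dict[str, Set[str]] = field(default_factory=dict)


def check_invariants(snap: OrgSnapshot) -> List[str]:
    """Return one finding per violated invariant; an empty list means clean.

    The scheme in the thread implies two invariants:
      1. CanAdd only ever contains people who are also developers, because
         mr.sisyphus adds people to CanAdd after they join the developer team.
      2. No repository stays associated with CanAdd; every new repo is moved
         to the developer team.
    """
    findings: List[str] = []
    for login in sorted(snap.can_add - snap.developers):
        findings.append(f"{login} is in CanAdd but not in the developer team")
    for repo, teams in sorted(snap.repo_teams.items()):
        if "CanAdd" in teams:
            findings.append(f"repo {repo} is still associated with CanAdd")
    return findings


def diff_teams(previous: OrgSnapshot, current: OrgSnapshot) -> Dict[str, Dict[str, Set[str]]]:
    """Membership changes between two snapshots, per team."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for team in ("developers", "can_add"):
        before, after = getattr(previous, team), getattr(current, team)
        result[team] = {"added": after - before, "removed": before - after}
    return result


def review_change(previous: OrgSnapshot, current: OrgSnapshot,
                  approved_additions: List[str]) -> List[str]:
    """Logins added to either team without appearing on the approved list.

    This is the "someone walked up to the GitHub UI" case from the thread.
    `approved_additions` is assumed to come from whatever record the owners
    keep of who they meant to add (an assumption of this example).
    """
    approved = set(approved_additions)
    unexpected: Set[str] = set()
    for change in diff_teams(previous, current).values():
        unexpected |= change["added"] - approved
    return sorted(unexpected)


# Constructed sample data: the owners approved adding "newdev"; someone
# also dropped "stranger" straight into CanAdd, and "stranger" created a repo
# that mr.sisyphus has not yet moved to the developer team.
BEFORE = OrgSnapshot(
    developers={"tres", "andreas", "matthew"},
    can_add={"tres", "andreas", "matthew"},
    repo_teams={"zope.interface": {"developers"}},
)
AFTER = OrgSnapshot(
    developers={"tres", "andreas", "matthew", "newdev"},
    can_add={"tres", "andreas", "matthew", "newdev", "stranger"},
    repo_teams={"zope.interface": {"developers"},
                "stranger.pkg": {"CanAdd"}},
)

if __name__ == "__main__":
    for line in check_invariants(AFTER):
        print("INVARIANT:", line)
    for login in review_change(BEFORE, AFTER, ["newdev"]):
        print("UNAPPROVED ADDITION:", login)
```

Run it periodically against fresh snapshots and alert on any non-empty result; the second invariant also gives a rough health check on mr.sisyphus itself, since a repo lingering on CanAdd means the script has not run.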