I was playing around using the badge API and I noticed that I could enumerate repositories from a Drone instance by bruteforcing the badge endpoint, and in case the repository actually exists, it would return me the build status, even though the repo is private in my Gitea instance.
Is it intended?
Issuing the following curl would confirm to me whether a given repo exists:
curl https://<drone instance>/api/badges/<user>/<private repo>/status.svg
This seems like it has some potential for information leakage.
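An added example (my own, not part of the report above and not Drone's code): a small detector for the brute-force pattern described in the report, run over constructed access-log lines in combined log format. It assumes the badge route has the shape shown in the curl above, `/api/badges/<owner>/<repo>/status.svg`, and flags a client that requests many distinct repositories through that route in a short window; the IPs, timestamps and repo names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (nginx/Apache combined log format) for a hypothetical
# Drone instance. One client sweeps six repo names in three seconds and gets a
# mix of 404 (absent) and 200 (present); the other is a normal README badge load.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "GET /api/badges/alice/app1/status.svg HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "GET /api/badges/alice/app2/status.svg HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "GET /api/badges/alice/backend/status.svg HTTP/1.1" 200 2345 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "GET /api/badges/alice/infra/status.svg HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /api/badges/alice/billing/status.svg HTTP/1.1" 200 2345 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "GET /api/badges/alice/web/status.svg HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /api/badges/alice/backend/status.svg HTTP/1.1" 200 2345 "https://git.example/alice/backend" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:20:10 +0000] "GET /api/badges/alice/backend/status.svg HTTP/1.1" 200 2345 "https://git.example/alice/backend" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Badge route as used in the report: /api/badges/<owner>/<repo>/status.svg
BADGE_RE = re.compile(r"^/api/badges/(?P<owner>[^/]+)/(?P<repo>[^/]+)/status\.svg$")


def parse_badge_requests(log_text):
    """Return (ip, timestamp, owner, repo, status) tuples for badge-endpoint hits only."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        b = BADGE_RE.match(m.group("path"))
        if not b:
            continue  # some other route
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((m.group("ip"), ts, b.group("owner"), b.group("repo"), int(m.group("status"))))
    return events


def detect_badge_enumeration(log_text, window=timedelta(minutes=5), min_distinct=5):
    """Flag clients that hit >= min_distinct distinct repos on the badge route inside `window`.

    Returns {ip: {"distinct_repos", "not_found", "window_start"}} for the densest
    window per flagged client. The 404 count is reported because the leak in the
    report is exactly the 404-vs-200 split, so a sweep shows a mix of both.
    """
    by_ip = defaultdict(list)
    for ip, ts, owner, repo, status in parse_badge_requests(log_text):
        by_ip[ip].append((ts, owner, repo, status))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        for i, (start, _, _, _) in enumerate(evs):
            repos, not_found = set(), 0
            for ts, owner, repo, status in evs[i:]:
                if ts - start > window:
                    break
                repos.add((owner, repo))
                if status == 404:
                    not_found += 1
            if len(repos) >= min_distinct and (best is None or len(repos) > best["distinct_repos"]):
                best = {"distinct_repos": len(repos), "not_found": not_found,
                        "window_start": start.isoformat()}
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_badge_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_repos']} distinct repos "
              f"({info['not_found']} x 404) from {info['window_start']}")
```

On the constructed input only 203.0.113.9 is flagged (six distinct repos, four of them 404); the README-style client that reloads one badge twice is not. The threshold and window are starting points: a legitimate dashboard embedding many badges of one owner can also show several distinct repos, so tune `min_distinct` against your own traffic and treat a high 404 share as the stronger signal. Detection of this kind is a stop-gap for a defender; the actual fix is for the badge route to answer identically for private and nonexistent repositories.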