Privacy issue: Repository enumeration using the badge API

thomas-maurice · August 24, 2018, 5:39pm

Hello !

I was playing around using the badge API and I noticed that I could enumerate repositories from a Drone instance by bruteforcing the badge endpoint, and in case the repository actually exists, it would return me the build status, even though the repo is private in my Gitea instance.

Is it intended ?

Issuing the following curl would confim me if a given repo exists: curl https://<drone instance>/api/badges/<user>/<private repo>/status.svg

This seems like it has some potential for information leakage.

Cheers

bradrydzewski · August 24, 2018, 9:13pm

The potential to brute force names was considered when badges were implemented. We weighted pros and cons and looked at other CI systems for precedent (see https://shields.io/#/examples/build for reference) and ultimately decided on the current approach.