Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fine-grained access-tokens #12465

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fine-grained access-tokens #12465

wants to merge 2 commits into from
+122 −12

Conversation

tomberek
Copy link
Contributor

Motivation

Support fine-grained tokens, multiple tokens per host.

Context

Supports:

access-tokens = github.com/ORG/REPO=TOKEN

Fixes: #8474

@tomberek tomberek requested a review from edolstra as a code owner February 13, 2025 12:12
@github-actions github-actions bot added the fetching Networking with the outside (non-Nix) world, input locking label Feb 13, 2025
edolstra
edolstra approved these changes Feb 13, 2025
View reviewed changes
src/libfetchers/github.cc
{
auto tokens = settings.accessTokens.get();
std::string answer;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs a comment explaining that it searches for the longest possible match.

edolstra
edolstra reviewed Feb 13, 2025
View reviewed changes
src/libfetchers/github.cc
if(! url.empty()) {
for (auto & token : tokens) {
auto match_len = url.find(token.first);
if (match_len != std::string::npos && token.first.length() > answer_match_len) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will make the URL github.com/foobar match against the token for github.com/foo and I'm not sure that's desirable. Maybe it should only match if the match is followed by a / or end-of-string. (Similar to isInDir().)

Copy link
Member

@edolstra edolstra Feb 13, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And in general the substring search is a bit iffy, since the token github.com/foo will also match attacker.org/github.com/foo which could theoretically be used to exfiltrate an access token? (If the attacker can get a user to evaluate an expression containing that URL, for instance.)

Maybe it should parse the URL and match the authority and path fields separately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edolstra edolstra edolstra approved these changes

Assignees
No one assigned
Labels
fetching Networking with the outside (non-Nix) world, input locking
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support multiple access tokens for github.com
2 participants
@tomberek @edolstra