Private repository names are discoverable

Issue #5894 wontfix
Gavin Wahl created an issue

By guessing repository names, anyone can discover the names of someone's private repos. For example, my user, gavinwahl, has a private repo named private-repo. By visiting this can be confirmed, because the page returns a redirect to the login page. I do not have a private repo named 'foo', and you know this because returns a 404.

It should not be possible to gain any information about a user's private repositories. By using different behavior for repositories that exist or don't, anyone can learn whether a specific repository name exists or not.
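The oracle described above, as an added illustration that is not Bitbucket's code: a minimal handler reproducing the 404-versus-redirect behaviour, a uniform-404 variant, and a regression check a defender can run. Repository data, route names and the login path are constructed assumptions.

```python
# Added illustration, not Bitbucket's code: a minimal request handler that
# shows the existence oracle from the report beside a uniform-response fix.
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: one public and one private repo for the user.
REPOS = {
    ("gavinwahl", "public-repo"): {"private": False},
    ("gavinwahl", "private-repo"): {"private": True},
}


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # redirect target, if any


def leaky_handler(owner: str, name: str, viewer: Optional[str]) -> Response:
    """Mirrors the behaviour described in the issue: a missing repo yields
    404, while a private repo the viewer cannot see yields a redirect to the
    login page, so an anonymous visitor can tell the two cases apart."""
    repo = REPOS.get((owner, name))
    if repo is None:
        return Response(404)
    if repo["private"] and viewer != owner:
        return Response(302, "/account/signin/")  # assumed login path
    return Response(200)


def uniform_handler(owner: str, name: str, viewer: Optional[str]) -> Response:
    """Hardened variant: every repo the viewer may not see, whether absent or
    private, gets the same 404, so the response no longer reveals existence."""
    repo = REPOS.get((owner, name))
    if repo is None or (repo["private"] and viewer != owner):
        return Response(404)
    return Response(200)


def leaks_existence(handler: Callable[..., Response], owner: str,
                    existing: str, absent: str) -> bool:
    """Regression check: an anonymous viewer's responses for a private repo
    and for a non-existent one must be byte-for-byte indistinguishable."""
    return handler(owner, existing, None) != handler(owner, absent, None)
```

The trade-off Erik van Zijst describes in the comments is exactly the cost of `uniform_handler`: a logged-out owner sees the same 404 as a stranger.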

Comments (3)

  1. Erik van Zijst

    We get this issue raised every so often, yet have decided to keep the behavior as is.

    Always returning a 404 is known to confuse legitimate access by people who don't realize they are logged out, or users that have multiple accounts and are logged in with the one that does not have access to the repo. Or simply users that don't realize they've had their access revoked.

    We have seen people freak out thinking their repos have vanished and raising support requests before they figure out it's a privilege problem.

    We don't think the loss of privacy by being able to guess the existence of a resource you cannot access is worse than the confusion during legitimate use, although we do understand that some people might have a different opinion.
