OWASP / threat-dragon

An open source threat modeling tool from OWASP
https://owasp.org/www-project-threat-dragon/
Apache License 2.0

github oauth: too much of requested permissions #5

Closed jgadsden closed 9 months ago

jgadsden commented 4 years ago

This issue has been migrated from : https://github.com/mike-goodwin/owasp-threat-dragon/issues/72 and was opened by @fadeevab :

To use the online version of the application, GitHub authentication is requested.

However, the requested scope of permissions is quite wide:

This application will be able to read and write all public repository data. This includes the following:

Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys

I'm pretty sure an empty scope is enough (see https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/): it reads public account information. What all the other permissions are for is not clear.

Thank you!
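As an added example (not Threat Dragon's code), a small audit that expands GitHub's documented OAuth scope hierarchy and reports which requested scopes go beyond the minimum a login actually needs, plus an authorize URL built with an explicit (possibly empty) scope so the request is visible in review; the client id and redirect URI used are placeholders.

```javascript
// Added example, not part of Threat Dragon: audit requested GitHub OAuth
// scopes against the minimum a feature needs. The table mirrors GitHub's
// documented scope nesting so a broad parent scope counts as its children.
const SCOPE_IMPLIES = {
  "repo": ["repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"],
  "admin:repo_hook": ["write:repo_hook", "read:repo_hook"],
  "write:repo_hook": ["read:repo_hook"],
  "admin:org": ["write:org", "read:org"],
  "write:org": ["read:org"],
  "admin:public_key": ["write:public_key", "read:public_key"],
  "write:public_key": ["read:public_key"],
  "user": ["read:user", "user:email", "user:follow"],
};

// Accepts the header form ("public_repo, user:email") and the authorize-URL
// form ("public_repo user:email"); an empty string is the empty scope.
function parseScopes(scopeString) {
  return new Set(scopeString.split(/[\s,]+/).filter(Boolean));
}

// Every permission the listed scopes effectively grant, parents included.
function expandScopes(scopes) {
  const result = new Set();
  const stack = [...scopes];
  while (stack.length) {
    const s = stack.pop();
    if (result.has(s)) continue;
    result.add(s);
    for (const child of SCOPE_IMPLIES[s] || []) stack.push(child);
  }
  return result;
}

// Granted permissions the stated minimum does not need. A login that only
// needs the public profile requires "" (empty scope), so anything else is excess.
function excessScopes(grantedString, requiredString) {
  const required = expandScopes(parseScopes(requiredString));
  const granted = expandScopes(parseScopes(grantedString));
  return [...granted].filter((s) => !required.has(s)).sort();
}

// Authorize URL with the scope parameter set explicitly (placeholder inputs),
// so the permissions requested are reviewable rather than left to defaults.
function authorizeUrl(clientId, redirectUri, scopeString) {
  const u = new URL("https://github.com/login/oauth/authorize");
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("scope", scopeString); // "" requests the empty scope
  return u.toString();
}
```

The granted string can be taken from the `X-OAuth-Scopes` header GitHub returns on API responses, which makes the check usable as a post-login sanity test.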

jgadsden commented 9 months ago

Nothing can be done about this; it is provided by the GitHub OAuth Application and there is not an (obvious) way of changing it.