nelsonic
commented
4 years ago On line 99 we are merely joining the scopes supplied to login_url_with_scope/1 with a "%20":
https://github.com/dwyl/elixir-auth-github/blob/44021233add025348f261f5bf0b9b32fe6c5711a/lib/elixir_auth_github.ex#L92-L104
This means that the people consuming this package can still easily add their own scopes
(_even new ones that are not listed in @valid_scopes because they were by GitHub added recently_)
by just appending them to the end of the url returned by login_url/1
url <> "&scope=#{Enum.join(["admin:org", "delete_repo", "etc"], "%20")}"Yes, this is an extra step. But it means that people are intentional about the scopes they are adding and:
a) we won't need to update the list of @valid_scopes each time GitHub releases a new feature. e.g workflow actions
b) we (@dwyl) are not arbitrarily restricting anyone from building Apps with legit "admin" use case.
At present we have a lot of items in the list of
@valid_scopes: https://github.com/dwyl/elixir-auth-github/blob/44021233add025348f261f5bf0b9b32fe6c5711a/lib/elixir_auth_github.ex#L51-L58This feels like it was copy-pasted from https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/#available-scopes without much thought given to why we would want to allow all these scopes in our App(s). (Note: this is not intended as criticism, this package was built to ship as fast as possible. Most devs don't have a security-first mindset, we need to change that. Hence: https://github.com/dwyl/learn-security)
I'm especially concerned with
"delete_repo","write:public_key","admin:public_key","write:gpg_key"and"admin:gpg_key"The ability to
write:public_keywould allow a malicious attacker to overwrite someone's RSA key for their GitHub account which would allow them to inflict serious damage on their account. (think re-writing commit history to introduce security vulnerabilities intomasterof popular published packages...) I certainly could not afford for this to happen to me given that I maintain auth packages used by thousands of Apps.We are only using two scopes in the application that uses this package:
"user:email"and"read:org"https://github.com/dwyl/library/blob/221152bfd4185e5c83747f591b1c66d6a75ce183/lib/library_web/controllers/login_controller.ex#L17 These scopes are appropriate for the Library App as we want to know if the person is a member of the @dwyl org. ✅I do not foresee us ever using the Admin scopes in any @dwyl App. Therefore I think we should remove them from our auth package.
Proposed Amendment
In the interest of avoiding anyone using this package for any nefarious ends, I propose that we remove these "admin" and security scopes until someone specifically requests them providing a really good use case.
Remove:
"delete_repo"- deleting repos should never be done programmatically ..."write:public_key"- writing a public_key is a security can of worms"admin:public_key"- same as writing the key."write:gpg_key"- I can't think of a situation where this would be useful."admin:gpg_key"- same."write:org"- could allow someone to deface an organisation"admin:org"- all kinds of mischiefNote: I know that removing these scopes is a "Breaking Change" that could potentially break someone's App if they were to update their dependency on this package. 💭 It's difficult to determine from download stats https://hex.pm/packages/elixir_auth_github how many people/projects outside of @dwyl are using the package:
319 downloads for the latest version certainly would imply that people outside of @dwyl have at least attempted to use the package. 🎉
However given that all the Stargazers are members of @dwyl
and only 3 people (Zooey, Finn and me) have ever opened an issue on or contributed to this repo,
I feel it's quite "safe" to make this change.