imsun / gitment

A comment system based on GitHub Issues.
https://imsun.github.io/gitment/
MIT License

Leaking the code value via a callback URL whitelist bypass. #93

Open EdOverflow opened 6 years ago

EdOverflow commented 6 years ago

This is a ticket to report a security issue in gitment.

In your README.md under "Is it safe to make my client secret public?" you state the following:

Client secret is necessary for OAuth, without which users can't log in or comment with their GitHub accounts. Although GitHub doesn't recommend hard-coding the client secret in the frontend, you can still do that because GitHub will verify your callback URL. In theory, no one else can use your secret except your site. If you find a way to hack it, please open an issue.

There turns out to be an issue in GitHub that allows one to bypass the callback URL whitelist and effectively leak the code values to a third party. By specifying a sub-domain one can force a redirect to that endpoint. So if one whitelists http://example.com/auth, you can bypass it using http://SOMETHING.example.com/auth. If http://SOMETHING.example.com/auth meets any of the following conditions you have a serious security issue on your hands:

This behaviour is unfortunately unintended, because it is not documented anywhere.

In order to mitigate this issue, I suggest rethinking how to design this project altogether.
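Added example (not gitment's code and not part of the original report): a redirect-URI whitelist check that contrasts the kind of host-suffix matching the report describes with exact matching. The loose rule is an assumed model of the observed behaviour, not GitHub's documented logic; the URLs are the ones quoted above.

```python
from urllib.parse import urlsplit

# Callback registered for the OAuth app, as quoted in the report above.
REGISTERED_CALLBACK = "http://example.com/auth"


def loose_callback_match(registered: str, candidate: str) -> bool:
    """Host-suffix matching: any sub-domain of the registered host passes.

    Assumption (not from the page): this models a rule under which
    http://SOMETHING.example.com/auth is accepted for http://example.com/auth.
    """
    r, c = urlsplit(registered), urlsplit(candidate)
    if r.hostname is None or c.hostname is None:
        return False
    same_host = c.hostname == r.hostname or c.hostname.endswith("." + r.hostname)
    return c.scheme == r.scheme and same_host and c.path == r.path


def strict_callback_match(registered: str, candidate: str) -> bool:
    """Exact matching of scheme, host, port and path.

    Rejects sub-domains and any query string or fragment on the candidate,
    so the authorization code can only be delivered to the registered URL.
    """
    r, c = urlsplit(registered), urlsplit(candidate)
    return (
        c.scheme == r.scheme
        and c.hostname is not None
        and c.hostname == r.hostname
        and c.port == r.port
        and c.path == r.path
        and c.query == ""
        and c.fragment == ""
    )


def audit_callbacks(candidates):
    """Return {candidate: (loose_result, strict_result)} for review."""
    return {
        u: (loose_callback_match(REGISTERED_CALLBACK, u),
            strict_callback_match(REGISTERED_CALLBACK, u))
        for u in candidates
    }


if __name__ == "__main__":
    for url, (loose, strict) in audit_callbacks([
        "http://example.com/auth",
        "http://SOMETHING.example.com/auth",      # sub-domain from the report
        "http://example.com.evil.test/auth",      # constructed look-alike host
    ]).items():
        print(f"{url:40s} loose={loose!s:5s} strict={strict}")
```

Only the strict rule keeps the sub-domain case out; the look-alike host is rejected by both because it is not a suffix match at all.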
