Closed aswanson-nr closed 3 years ago
I dropped this question in Slack but I'll also drop it here:
Hmmmmm. This is interesting. For the ticket I worked on, one of the reproduction steps was to adjust the URL via a manual request rather than interaction through the UI. Is it possible to invalidate the PAT if the GitHub URL is changed outside of the nerdlet? This seems only possible within the app, since we don't have other domain code.
@nr-kkenney, the reproduction step about adjusting the URL via a manual request was just to bypass any client-side UI checks on the protocol. In this issue, the attacker is still updating the GitHub URL in the nerdlet, just using a proxy tool like Burp Suite to bypass any client-side checks.
This has now been pushed to production :)
I've reopened this as I'm meeting with Emily tomorrow to get clarity on the scenario so we are 100% clear on how to resolve this.
Met with Emily to clarify the scenario which I was then able to reproduce:
We had a report of a vulnerability in this nerdpack that we'll want to resolve. Please refer to the internal JIRA issue for specifics.
Acceptance Criteria
jira/INFOSEC-3228