beorn7
commented
2 months ago I merge this now as things won't get worse than the current redirect situation, even if the repos have already been repojacked. But if anyone has insights one way or the other, please share.
Repojacking is a security vulnerability that occurs when an attacker takes control of a repository name that was previously owned by another user or organization. This typically happens when the original owner deletes or renames their repository. If this repository is still referenced by other projects, an attacker can create a new repository with the same name, introducing malicious code that could be executed by those relying on the original repository link. In Prometheus's case, several exporters listed on Prometheus's official documentation could be claimed by an attacker. The attacker could create a repository with the old username and project name, potentially hosting a malicious exporter.
For example, currently, when a user clicks on the "aws-cost-exporter" link, GitHub redirects them to https://github.com/electrolux-oss/aws-cost-exporter, even though the original link points to https://github.com/opensourceelectrolux/aws-cost-exporter. Since the username "opensourceelectrolux" is available for claim, an attacker could take over this username and host a malicious exporter under https://github.com/opensourceelectrolux/aws-cost-exporter.
This PR updates the links to ensure they point to trusted sources.
Thanks, Yakir Kadkoda @yakirk Ofek Itach @Ofekitach