fix: user token now correctly scans specified user repos instead of token owner's repos #4940
mitre88 wants to merge 1 commit into trufflesecurity:main from
Conversation
…oken owner's repos

When using --org $user --token $GITHUB_TOKEN, the tool was incorrectly scanning the token owner's repositories instead of the specified user's.

The issue was in getReposByOrgOrUser which passed the authenticated flag to getReposByUser. When authenticated=true, it used the ListByAuthenticatedUser API which returns the authenticated user's repos, not the target user's repos.

This fix:
- Removes the authenticated parameter from getReposByOrgOrUser
- Always uses unauthenticated user listing (ListByUser) when looking up user repos, since the target is the specified user, not the token owner

Fixes trufflesecurity#4517
Open Source Contributor seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: bdeb027d52
| // Always use unauthenticated user listing since `name` is the target user, | ||
| // not the authenticated user. Using authenticated listing would incorrectly | ||
| // return the authenticated user's repos instead of the specified user's. | ||
| err = s.getReposByUser(ctx, name, false, reporter) |
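Review bot: the hard-coded `false` in `err = s.getReposByUser(ctx, name, false, reporter)` also covers the case where `name` is the token owner, so on the org-404 fallback path the owner's private repositories are no longer enumerated (previously they were, via the authenticated listing). Suggest resolving the authenticated login once and passing `authenticated && login == name` (case-insensitively, since GitHub logins are) instead of a constant, and rewording the three comment lines above, which currently state that authenticated listing is always wrong rather than wrong only when the target is someone else.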
Preserve authenticated listing for self user targets
The fallback now hard-codes authenticated=false when resolving a non-org account, which means token/basic-auth scans that target the credential owner (for example --org <my-username>) use ListByUser instead of ListByAuthenticatedUser. In this path, private repositories accessible to the authenticated account are no longer enumerated, so scans can silently miss private repos that were previously included. This regression is triggered whenever org lookup 404s and the target is actually the authenticated user.
Description
When using `--org $user --token $GITHUB_TOKEN`, the tool was incorrectly scanning the token owner's repositories instead of the specified user's.

Root Cause
The issue was in `getReposByOrgOrUser`, which passed the `authenticated` flag to `getReposByUser`. When `authenticated=true`, it used the `ListByAuthenticatedUser` API, which returns the authenticated user's repos, not the target user's repos.

Fix
- Removes the `authenticated` parameter from `getReposByOrgOrUser`
- Always uses unauthenticated user listing (`ListByUser`) when looking up user repos, since the target is the specified user, not the token owner

Fixes #4517
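The description above fixes the wrong-endpoint bug by always calling `ListByUser`, while the Codex comment points out that this drops the token owner's private repos when the target is the owner. The Go example below is added here and is not code from the PR or from TruffleHog: it shows selection logic that serves both cases, using the authenticated listing only when the target login matches the token owner. `Lister`, `reposForUser`, `fakeGitHub` and the sample users are assumptions constructed for the example; a real go-github client would be wrapped to fit the `Lister` shape.

```go
package main

import (
	"context"
	"fmt"
	"strings"
)

// Lister narrows the GitHub client to the three calls the decision needs (an assumption;
// a real go-github client would be wrapped to satisfy it). Repos are plain full names.
type Lister struct {
	ListByUser              func(ctx context.Context, user string) ([]string, error)
	ListByAuthenticatedUser func(ctx context.Context) ([]string, error)
	AuthenticatedLogin      func(ctx context.Context) (string, error) // token owner's login, e.g. go-github's Users.Get(ctx, "")
}

// reposForUser enumerates repos for target. ListByAuthenticatedUser ignores any target and
// returns the token owner's repos (the PR's bug), so it is used only when target IS the token
// owner; that keeps the owner's private repos, which an unconditional ListByUser would drop.
// GitHub logins are case-insensitive, hence EqualFold. The endpoint name is returned for logging.
func reposForUser(ctx context.Context, c Lister, target string, authenticated bool) ([]string, string, error) {
	if authenticated {
		login, err := c.AuthenticatedLogin(ctx)
		if err != nil {
			return nil, "", fmt.Errorf("resolve token owner: %w", err)
		}
		if strings.EqualFold(login, target) {
			repos, err := c.ListByAuthenticatedUser(ctx)
			return repos, "ListByAuthenticatedUser", err
		}
	}
	repos, err := c.ListByUser(ctx, target)
	return repos, "ListByUser", err
}

// fakeGitHub is an offline stand-in whose token belongs to owner; all data is constructed:
// ListByUser exposes only public repos, ListByAuthenticatedUser everything the owner has.
func fakeGitHub(owner string) Lister {
	public := map[string][]string{"alice": {"alice/site"}, "bob": {"bob/tool"}}
	private := map[string][]string{"alice": {"alice/secrets"}, "bob": {"bob/notes"}}
	return Lister{
		ListByUser:              func(_ context.Context, u string) ([]string, error) { return public[strings.ToLower(u)], nil },
		ListByAuthenticatedUser: func(context.Context) ([]string, error) { return append(append([]string{}, public[owner]...), private[owner]...), nil },
		AuthenticatedLogin:      func(context.Context) (string, error) { return owner, nil },
	}
}
```

With the token owned by bob, `reposForUser(ctx, fakeGitHub("bob"), "alice", true)` goes through `ListByUser` and returns only alice's public repo, while a target of `"Bob"` goes through `ListByAuthenticatedUser` and includes bob's private repo.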
Note
Low Risk
Low risk: small, localized change to GitHub repo enumeration that only affects which API endpoint is used for user repo listing; main risk is reduced visibility into private repos if the unauthenticated user listing lacks access.

Overview
Fixes GitHub enumeration so `--org <user> --token <token>` scans the specified user's repositories rather than the token owner's.

This removes the `authenticated` flag from `getReposByOrgOrUser` and always uses `ListByUser` (unauthenticated user listing) when falling back from org repos to user repos, updating all call sites accordingly.

Reviewed by Cursor Bugbot for commit bdeb027.