
Global labels are publicly accessible without authentication #16480

Closed
SimonAlling opened this issue Mar 7, 2022 · 9 comments

Comments

@SimonAlling
Contributor

$ curl "https://example.com/api/v2.0/labels?scope=g"
[{"color":"#F52F52","creation_time":"2021-07-05T16:21:06.911Z","description":"Testing","id":2,"name":"test","scope":"g","update_time":"2021-07-05T16:21:06.911Z"},…]

In particular, the label description may contain sensitive information, and Harbor admins cannot be expected to realize that everything they put in label descriptions is accessible to everyone on the Internet. (Note that "global" in this context means "not project-scoped".)

We have reported this according to the security vulnerability guidelines and received a reply that this is by design. We're creating this issue because we're not convinced that the design is good.
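As an added example (not part of the original issue or of Harbor's own code), the following script lets an administrator audit their own Harbor instance for the behaviour described above: it requests `/api/v2.0/labels?scope=g` with no credentials, reports whether global labels (and their descriptions) are readable anonymously, and lists the descriptions so they can be reviewed for sensitive content. The base URL is taken from the command line; without one it runs against a constructed sample response modelled on the JSON shown in the issue, so it can be exercised offline. The second sample label and its description are invented for illustration.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample response, modelled on the issue's output. The second
# label is invented to show what a "sensitive" description might look like.
SAMPLE_RESPONSE = json.dumps([
    {"color": "#F52F52", "creation_time": "2021-07-05T16:21:06.911Z",
     "description": "Testing", "id": 2, "name": "test", "scope": "g",
     "update_time": "2021-07-05T16:21:06.911Z"},
    {"color": "#00AA00", "creation_time": "2021-08-01T09:00:00.000Z",
     "description": "Contact ops@example.internal before deploying", "id": 5,
     "name": "internal-only", "scope": "g",
     "update_time": "2021-08-01T09:00:00.000Z"},
])


def fetch_unauthenticated(base_url, timeout=10):
    """GET the global-label listing with no credentials at all.

    Returns (http_status, body_text). A 401/403 means the instance requires
    authentication for this endpoint; a 200 means it does not.
    """
    url = base_url.rstrip("/") + "/api/v2.0/labels?scope=g"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", errors="replace")


def exposed_labels(status, body):
    """Return the global labels readable without auth; empty if none are."""
    if status != 200:
        return []
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(data, list):
        return []
    return [lbl for lbl in data if isinstance(lbl, dict) and lbl.get("scope") == "g"]


def descriptions_to_review(labels):
    """(name, description) pairs for every exposed label with a non-empty description."""
    return [(lbl.get("name"), lbl["description"]) for lbl in labels if lbl.get("description")]


def main(argv):
    if len(argv) == 2:
        status, body = fetch_unauthenticated(argv[1])
    else:
        # No URL given: run against the constructed sample so the script is testable offline.
        status, body = 200, SAMPLE_RESPONSE
    labels = exposed_labels(status, body)
    if not labels:
        print(f"HTTP {status}: global labels are not readable without authentication")
        return 0
    print(f"HTTP {status}: {len(labels)} global label(s) readable WITHOUT authentication")
    for name, desc in descriptions_to_review(labels):
        print(f"  review description of label {name!r}: {desc!r}")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_labels.py https://your-harbor.example.com` against an instance you administer; a non-zero exit code signals that descriptions should be reviewed (or moved out of label descriptions) until the endpoint is restricted.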

@SimonAlling
Contributor Author

Possibly related: #12306

@wy65701436
Contributor

It's by design, since everyone can attach the system-level (global) label to any specific artifact.

@SimonAlling
Contributor Author

> every one can attach the system level(global) label to any specific artifact.

Could you please clarify what this means?

@lindhe

lindhe commented Apr 4, 2022

@wy65701436 If I understand you correctly, I must disagree with what you are saying. Not everyone should be able to attach system level labels to artifacts. Surely only authorized users should be able to do that.

You say this is by design. What exactly is the intended use-case that you are designing for here? Why should any unauthorized user be able to access details about my artifacts?

@github-actions

github-actions bot commented Jul 5, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Jul 5, 2022
@lindhe

lindhe commented Jul 5, 2022

Please keep this open.

@github-actions github-actions bot removed the Stale label Jul 6, 2022
@github-actions

github-actions bot commented Sep 5, 2022

This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.

@github-actions github-actions bot added the Stale label Sep 5, 2022
@github-actions

github-actions bot commented Oct 5, 2022

This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.

@github-actions github-actions bot closed this as completed Oct 5, 2022
@lindhe

lindhe commented Oct 5, 2022

@wy65701436 Hi! Have you had time to read my comment?
