Global labels are publicly accessible without authentication #16480
Comments
Possibly related: #12306
It's by design, since everyone can attach the system-level (global) label to any specific artifact.
Could you please clarify what this means?
@wy65701436 If I understand you correctly, I must disagree with what you are saying. Not everyone should be able to attach system level labels to artifacts. Surely only authorized users should be able to do that. You say this is by design. What exactly is the intended use-case that you are designing for here? Why should any unauthorized user be able to access details about my artifacts?
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
Please keep this open.
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
This issue was closed because it has been stalled for 30 days with no activity. If this issue is still relevant, please re-open a new issue.
@wy65701436 Hi! Have you had time to read my comment?
In particular, the label description may contain sensitive information, and Harbor admins cannot be expected to realize that everything they put in label descriptions is accessible to everyone on the Internet. (Note that "global" in this context means "not project-scoped".)
We have reported this according to the security vulnerability guidelines and received a reply that this is by design. We're creating this issue because we're not convinced that the design is good.