Impact
Hookshot supports provisioning a new room bridged to a particular GitHub repository when a user joins a specific room alias (for example one matching `#github_<owner>_<repo>:example.com`). Hookshot before 1.7.2 did not correctly check that the joining user was authorized to perform this operation, so any user able to join rooms on the homeserver running the Hookshot instance could bridge a room to a GitHub repository they should not have access to.
This could expose information such as the titles of and actions performed on new issues and PRs opened in such a repository to an unauthorized user, from the point the room was created.
All versions of Hookshot prior to 1.7.2 are affected by this.
Patches
Hookshot 1.7.2 removes the ability to automatically provision rooms for private repositories, and for issues or discussions on private repositories. Upgrading to this version fixes the bug. Upgrading does NOT remove any pre-existing room connections, however; use the instructions below to make sure you are not still leaking information through connections created before the upgrade.
Detecting and removing unwanted connections
You can check whether you are affected by:

- Ensuring your Matrix account is an `admin` user in the `config.yaml` file (docs).
- Starting a DM (or using the existing DM) with the hookshot bot and saying `github list-connections` to get a list of connections on your instance.
- For any connection that you don't recognise, running `disconnect <roomId> <connectionId>`.
- You should now be protected.
Workarounds
You can disable the ability to join alias rooms by removing the alias entries from your `registration.yaml` file, which stops the homeserver from routing joins of `#github_...` aliases to Hookshot at all. You will need to restart Synapse and hookshot for the changes to take effect. This works for all Hookshot versions. Like the upgrade, it does not remove connections that were already created; use the detection steps above for those.
```yaml
# registration.yml
namespaces:
  ...
  aliases:
    # Remove these
    - regex: "#github_.+:example.com"
      exclusive: true
    - regex: "#github_.+_.+_\\d+:example.com"
      exclusive: true
    - regex: "#github_disc_.+_.+:example.com"
      exclusive: true
    - regex: "#github_disc_.+_.+_\\d+:example.com"
      exclusive: true
```
We recommend upgrading to 1.7.2 to fully resolve the issue.
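The following is an added example, not Hookshot's own code, showing how to audit a registration file for the alias namespaces above, check which room aliases the homeserver would hand to Hookshot, and produce the workaround edit. The registration text is a constructed sample that mirrors the advisory's four `#github_` entries plus one unrelated entry (`#chat_.+`) to show it is preserved. It assumes a namespace regex has to match the whole alias, and it reads the `aliases:` block with a minimal line-based reader shaped for hookshot's generated file rather than a general YAML parser (with PyYAML installed you would use `yaml.safe_load` and walk `namespaces["aliases"]` instead).

```python
import re

# Constructed sample registration fragment; `users: []` and the #chat_ entry are
# illustrative only, the #github_ entries are the ones from the advisory.
SAMPLE_REGISTRATION = r'''
namespaces:
  users: []
  aliases:
    - regex: "#github_.+:example.com"
      exclusive: true
    - regex: "#github_.+_.+_\\d+:example.com"
      exclusive: true
    - regex: "#github_disc_.+_.+:example.com"
      exclusive: true
    - regex: "#github_disc_.+_.+_\\d+:example.com"
      exclusive: true
    - regex: "#chat_.+:example.com"
      exclusive: false
  rooms: []
'''

ITEM_RE = re.compile(r'-\s*regex:\s*"(.*)"\s*$')


def alias_namespaces(registration_text: str) -> list:
    """Return the alias regexes declared under namespaces.aliases.

    Minimal reader for the shape hookshot generates (one double-quoted `regex:`
    per list item); it unescapes YAML's `\\` but is not a general YAML parser.
    """
    regexes, block_indent = [], None
    for line in registration_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if block_indent is None:
            if stripped == "aliases:":
                block_indent = indent
            continue
        if indent <= block_indent:      # left the aliases block
            block_indent = None
            continue
        m = ITEM_RE.match(stripped)
        if m:
            regexes.append(m.group(1).replace("\\\\", "\\"))
    return regexes


def github_alias_namespaces(regexes) -> list:
    """The namespaces that let a join of #github_... trigger auto-provisioning."""
    return [r for r in regexes if r.startswith("#github_")]


def alias_is_claimed(alias: str, regexes) -> bool:
    """Would the homeserver route a join of this alias to the appservice?
    Assumption: the namespace regex must match the whole alias."""
    return any(re.fullmatch(r, alias) for r in regexes)


def workaround_applied(registration_text: str) -> bool:
    """True once no #github_ alias namespace remains in the registration."""
    return not github_alias_namespaces(alias_namespaces(registration_text))


def strip_github_alias_namespaces(registration_text: str) -> str:
    """Return the registration with the #github_ alias entries (and their
    `exclusive:` continuation lines) removed; everything else is kept verbatim."""
    out, block_indent, skip_indent = [], None, None
    for line in registration_text.splitlines(keepends=True):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if stripped:
            if block_indent is not None and indent <= block_indent:
                block_indent, skip_indent = None, None
            if block_indent is None and stripped == "aliases:":
                block_indent = indent
            elif block_indent is not None:
                if skip_indent is not None and indent > skip_indent:
                    continue            # continuation of a dropped item
                skip_indent = None
                if re.match(r'-\s*regex:\s*"#github_', stripped):
                    skip_indent = indent
                    continue            # drop the item line itself
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    ns = alias_namespaces(SAMPLE_REGISTRATION)
    print("github alias namespaces still present:", github_alias_namespaces(ns))
    for alias in ("#github_matrix-org_synapse:example.com", "#general:example.com"):
        print(alias, "-> routed to hookshot" if alias_is_claimed(alias, ns) else "-> not claimed")
    print("after workaround:", strip_github_alias_namespaces(SAMPLE_REGISTRATION))
```

Run it against your own file by replacing `SAMPLE_REGISTRATION` with the contents of `registration.yaml`; `workaround_applied` returning `True` is the check that the alias namespaces are gone, and the remaining `aliases:` entries (if any) still reach Hookshot only through the homeserver restart the workaround requires.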
For more information
If you have any questions or comments about this advisory, e-mail us at security@matrix.org.