Summary
A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.
Details
go-gh sources authentication tokens from different environment variables depending on the host involved:
GITHUB_TOKEN, GH_TOKEN for GitHub.com and ghe.comGITHUB_ENTERPRISE_TOKEN, GH_ENTERPRISE_TOKEN for GitHub Enterprise Server
Prior to 2.11.1, auth.TokenForHost could source a token from the GITHUB_TOKEN environment variable for a host other than GitHub.com or ghe.com when within a codespace.
In 2.11.1, auth.TokenForHost will only source a token from the GITHUB_TOKEN environment variable for GitHub.com or ghe.com hosts.
Impact
Successful exploitation could send authentication token to an unintended host.
Remediation and mitigation
- Upgrade
go-gh to 2.11.1
- Advise extension users to regenerate authentication tokens:
- Advise extension users to review their personal security log and any relevant audit logs for actions associated with their account or enterprise
BagToad Remediation developer
williammartin Remediation developer
andyfeller Remediation reviewer
jtmcg Remediation reviewer
Ry0taK Finder
Summary
A security vulnerability has been identified in
go-ghthat could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace.Details
go-ghsources authentication tokens from different environment variables depending on the host involved:GITHUB_TOKEN,GH_TOKENfor GitHub.com and ghe.comGITHUB_ENTERPRISE_TOKEN,GH_ENTERPRISE_TOKENfor GitHub Enterprise ServerPrior to
2.11.1,auth.TokenForHostcould source a token from theGITHUB_TOKENenvironment variable for a host other than GitHub.com or ghe.com when within a codespace.In
2.11.1,auth.TokenForHostwill only source a token from theGITHUB_TOKENenvironment variable for GitHub.com or ghe.com hosts.Impact
Successful exploitation could send authentication token to an unintended host.
Remediation and mitigation
go-ghto2.11.1