Allow connecting to GitHub via GitHub Apps

Hi!

I am red teaming for my employer (Teleport) and one of our findings is:

Compromising our self-hosted Drone database allows harvesting users’ GitHub OAuth tokens. From those, I can clone private repos that have nothing to do with our organization, but instead reside under individual employees’ accounts. For example:

> select user_oauth_token from users where user_login='wadells';
gho_ID...

Allows me to do the following:

$ git clone https://gho_ID...@github.com/wadells/ctf.git

Where wadells/ctf is private and has nothing to do with my employer. As an open source security company, this is something we’re pretty deeply uncomfortable with – we hire active OSS contributors and don’t want employment with us and use of Drone to compromise their personal security.

We’d like to request the ability for self-hosted Drone Enterprise to connect to GitHub via GitHub Apps:

This has several advantages:

  1. We’re able to limit blast radius to only the org repositories we want to run CI on
  2. It avoids situations like Drone stopped working after the admin user was removed from repo

In the interim, we’re looking at dedicated users solely for Drone, but that has a greater burden of user management, or removes our employees’ ability to e.g. retrigger builds or interact with private repos.

Thanks for your time and consideration!

Walt

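The blast-radius point in the post above can be checked directly against a Drone database backup: the Drone `users` table (columns `user_login` and `user_oauth_token`, as in the query above) stores one GitHub token per user, and GitHub's documented token prefixes tell you what each one can reach. A `gho_` OAuth user token acts as the user everywhere, while a `ghs_` GitHub App installation token is confined to the repositories the app is installed on. The script below is an added example, not part of this thread or of Drone itself; it audits a constructed in-memory SQLite copy of the table, classifies each token by prefix, flags the user-scoped ones and only ever prints redacted values. The sample rows and token strings are made up.

```python
import re
import sqlite3

# GitHub token prefixes (documented by GitHub). Only the prefix is inspected;
# the 36-character body is never logged in full.
TOKEN_KINDS = {
    "gho_": "OAuth user access token (acts as the user on every repo they can reach)",
    "ghp_": "personal access token (user-scoped)",
    "ghu_": "GitHub App user-to-server token (limited to the app's installation)",
    "ghs_": "GitHub App installation token (server-to-server, installed repos only)",
}
# Tokens that carry the whole user's access rather than an installation's.
USER_SCOPED = {"gho_", "ghp_"}
# Modern GitHub tokens: 4-char prefix plus 36 alphanumeric characters.
TOKEN_RE = re.compile(r"(gh[opsu]_)[A-Za-z0-9]{36}")


def build_sample_db():
    """Constructed stand-in for a Drone backup: same columns, fake tokens."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, user_login TEXT, user_oauth_token TEXT)"
    )
    rows = [
        (1, "wadells", "gho_" + "0" * 36),      # constructed user-scoped OAuth token
        (2, "ci-bot", "ghs_" + "1" * 36),       # constructed installation token
        (3, "contractor", None),                 # never logged in since token purge
        (4, "legacy", "gho_short"),              # malformed leftover value
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def redact(token):
    """Keep the prefix and last four characters so a finding is traceable, not usable."""
    if not token:
        return None
    return token[:8] + "..." + token[-4:]


def audit_users_table(conn):
    """One finding per user: login, token kind, whether it is user-scoped, redacted value."""
    findings = []
    for login, token in conn.execute("SELECT user_login, user_oauth_token FROM users"):
        if not token:
            kind = "none"
        else:
            match = TOKEN_RE.fullmatch(token)
            kind = match.group(1) if match else "unrecognized"
        findings.append({
            "login": login,
            "kind": kind,
            "description": TOKEN_KINDS.get(kind, kind),
            "user_scoped": kind in USER_SCOPED,
            "token": redact(token),
        })
    return findings


def count_user_scoped(findings):
    """Number of accounts whose stored token would expose their personal repos."""
    return sum(1 for f in findings if f["user_scoped"])


if __name__ == "__main__":
    results = audit_users_table(build_sample_db())
    for f in results:
        flag = "USER-SCOPED" if f["user_scoped"] else "ok"
        print(f"{f['login']:<12} {f['kind']:<13} {flag:<12} {f['token']}")
    print(f"{count_user_scoped(results)} of {len(results)} rows hold user-scoped tokens")
```

Run it against a real backup by replacing `build_sample_db()` with `sqlite3.connect(path)` (or the equivalent driver for Postgres/MySQL); a non-zero `count_user_scoped` is exactly the exposure the post describes, and after a migration to a GitHub App the expectation is that every row classifies as `ghs_`/`ghu_` or `none`.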

And BitBucket App passwords too!

Support for GitHub Apps is on the Drone roadmap.

Thanks! I will track the trello card.

I’m unable to see which release/milestone that card is planned for (if any), is there another view of that board?

Best,
Walt