@kamilhism discovered that forking a repository would not cause the repository’s wiki to be forked immediately. Instead, the wiki was forked when the fork owner attempted to create a new wiki. This could occur long after the initial repository fork and could have allowed a user to access recent wiki content from the parent wiki, even if they no longer had access to the parent repository. We addressed this issue by forking wikis at the same time as the repository.
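The time-of-fork problem above is easiest to see in a small model. The following is an added example, not GitHub's code: it represents repositories and wikis as plain Python objects (the `Repo`, `Wiki`, `fork_deferred`, `fork_eager` and `scenario` names are assumptions for illustration) and runs the same sequence of events against a deferred wiki fork and an eager one. In the deferred variant the wiki is copied only when the fork owner first creates it, so it captures parent edits made after the owner's access was revoked; in the eager variant the wiki is snapshotted with the repository, so the fork only ever holds what the user was entitled to see at fork time.

```python
"""Constructed model of deferred vs. eager wiki forking (added example)."""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Wiki:
    pages: dict = field(default_factory=dict)


@dataclass
class Repo:
    name: str
    collaborators: set
    wiki: Wiki
    parent: Optional["Repo"] = None
    wiki_forked: bool = False


def fork_deferred(parent: Repo, user: str) -> Repo:
    """Vulnerable pattern: fork the repository but leave the wiki empty,
    to be copied from the parent later on first use."""
    return Repo(name=f"{user}/{parent.name.split('/')[-1]}",
                collaborators={user}, wiki=Wiki(), parent=parent,
                wiki_forked=False)


def create_wiki_deferred(fork: Repo) -> Wiki:
    """Lazy copy: reads the parent's *current* wiki at creation time and
    performs no check that the fork owner still has access to the parent."""
    if not fork.wiki_forked and fork.parent is not None:
        fork.wiki = deepcopy(fork.parent.wiki)
        fork.wiki_forked = True
    return fork.wiki


def fork_eager(parent: Repo, user: str) -> Repo:
    """Fixed pattern: snapshot the wiki at the same moment as the repository,
    while the user is known to have access to the parent."""
    return Repo(name=f"{user}/{parent.name.split('/')[-1]}",
                collaborators={user}, wiki=deepcopy(parent.wiki),
                parent=parent, wiki_forked=True)


def create_wiki_eager(fork: Repo) -> Wiki:
    """Nothing to copy later; the wiki already exists on the fork."""
    return fork.wiki


def scenario(fork_fn, create_fn) -> Optional[str]:
    """Replay one timeline: fork, revoke access, edit parent wiki, then the
    fork owner creates their wiki. Returns the Home page the fork ends up with."""
    parent = Repo("acme/secret", {"alice", "bob"}, Wiki({"Home": "v1"}))
    fork = fork_fn(parent, "bob")
    parent.collaborators.discard("bob")            # bob loses access to the parent
    parent.wiki.pages["Home"] = "v2-after-revocation"  # parent wiki edited afterwards
    return create_fn(fork).pages.get("Home")


if __name__ == "__main__":
    print("deferred:", scenario(fork_deferred, create_wiki_deferred))
    print("eager:   ", scenario(fork_eager, create_wiki_eager))
```

The deferred run hands the fork owner `v2-after-revocation`, content written after their access ended; the eager run leaves them with `v1`. The general lesson is that any lazily materialised copy must re-check authorization at materialisation time, or be taken at the moment the authorization was verified.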
@kamilhism discovered an issue in the way that Gist and GitHub repository archive endpoints resolve, making it possible to make the “Download ZIP” button of a Gist point to the archive of a Git repository with different content. We addressed the vulnerability by altering the fallback logic of the archive lookup to segment Gist and repository lookups.
@kamilhism reported that the “check if a team manages a repository” API allowed any member of an organization to verify the existence of any repository within that organization. While the API validated that the user was a member of the organization, it did not ensure the user had the ability to view the repository. We addressed this by updating the authorization check done for the API endpoint.
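The authorization gap above is a common shape: the endpoint checks the caller's membership in a container (the organization) but not their right to see the specific object the response is about (the repository). The following is an added example, not GitHub's code. It models the endpoint's status codes with plain functions (`check_weak`, `check_fixed`, `can_view`, `leaks_existence` and the sample organization are all constructed for illustration) and includes a small defender-side check that asks whether the endpoint's answer for a private repository the caller cannot view differs from its answer for a repository that does not exist; any difference is an existence oracle.

```python
"""Constructed model of the team-manages-repository check (added example)."""
from dataclasses import dataclass, field


@dataclass
class Repo:
    name: str
    org: str
    private: bool
    readers: set = field(default_factory=set)


@dataclass
class Org:
    name: str
    members: set
    teams: dict  # team name -> set of repository names it manages


def can_view(repo: Repo, user: str) -> bool:
    """A repository is visible if it is public or the user was granted read access."""
    return (not repo.private) or user in repo.readers


def check_weak(org: Org, repos: dict, team: str, repo_name: str, user: str) -> int:
    """Vulnerable: validates org membership only. A member with no access to a
    private repository still gets 204 when the team manages it, confirming
    that the repository exists."""
    if user not in org.members:
        return 404
    repo = repos.get(repo_name)
    if repo is None or repo.org != org.name:
        return 404
    return 204 if repo_name in org.teams.get(team, set()) else 404


def check_fixed(org: Org, repos: dict, team: str, repo_name: str, user: str) -> int:
    """Fixed: a repository the caller cannot view is answered exactly like a
    repository that does not exist, so the response carries no extra signal."""
    if user not in org.members:
        return 404
    repo = repos.get(repo_name)
    if repo is None or repo.org != org.name or not can_view(repo, user):
        return 404
    return 204 if repo_name in org.teams.get(team, set()) else 404


def leaks_existence(check_fn, org: Org, repos: dict, team: str,
                    hidden_repo: str, user: str) -> bool:
    """Defender-side test: compare the answer for a private repo the user cannot
    view with the answer for a name that is not in the organization at all.
    True means the endpoint is an existence oracle for this user."""
    missing = check_fn(org, repos, team, "does-not-exist", user)
    hidden = check_fn(org, repos, team, hidden_repo, user)
    return missing != hidden


# Constructed sample data: two org members, one private repo readable only by alice.
ACME = Org("acme", members={"alice", "mallory"}, teams={"core": {"secret"}})
REPOS = {"secret": Repo("secret", "acme", private=True, readers={"alice"})}


if __name__ == "__main__":
    for label, fn in (("weak", check_weak), ("fixed", check_fixed)):
        print(label, "alice:", fn(ACME, REPOS, "core", "secret", "alice"),
              "mallory:", fn(ACME, REPOS, "core", "secret", "mallory"),
              "oracle:", leaks_existence(fn, ACME, REPOS, "core", "secret", "mallory"))
```

With the weak check, `mallory` (a member with no read access) receives 204 for `secret` and 404 for a nonexistent name, so the two cases are distinguishable; with the fixed check both return 404 while `alice`, who can view the repository, still receives 204. The same comparison can be scripted against any object-level endpoint as a regression test for this class of bug.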
@kamilhism reported an information disclosure bug in organization event timelines that could allow an attacker to learn the names of teams within an organization. When users were added to a team, an event that contained the name of the team was added to the organization’s public event timeline. We addressed this by removing the “Team add” event from an organization’s event timeline.