Add site.github.private_repositories field #58
Conversation
This creates a GET request to /user/repos with type set to `private`. See https://developer.github.com/v3/repos/#list-your-repositories for more information. fixes jekyll#23
|
There's a security concern here, although I'm not sure how likely or how large. GitHub Pages sites are built with the pusher's OAuth token. Adding this endpoint could create an existence disclosure vulnerability, in which the name of and metadata regarding private repos are published inadvertently. It'd require the repo collaborator to trigger a build (e.g., on merge), but there might be cases, e.g., branch builds that that's not true. Not saying no, just saying we need to think through and document the implications. Put another way, what's the use case for wanting to disclose the existence of private repos programmatically? |
|
Hi @benbalter , thanks for your quick feedback! You're right, there could be a security issue if an attacker is able to access the result of |
This creates a GET request to /user/repos with type set to
private.For the webmock in
api_get_accessible_private_repos.jsoni used the same json asapi_get_owner_repos.jsononly with theprivateattributes set totrue.fixes #23