Transfer repo ownership should be confirmed by new owner #2218

Closed
opened 2025-11-02 04:27:49 -06:00 by GiteaMirror · 4 comments
Owner

Originally created by @SagePtr on GitHub (Aug 18, 2018).

Description

User can easily frame another user. How to reproduce:

  1. Create new repo.
  2. Configure local git to use victim's name/email.
  3. Add to this repo something illegal in victim's country (or something agressive about other group of people or just smething very shameful).
  4. Transfer ownership of repo to victim.
  5. Call the police (or press, victim's boss, victim's wife or anyone else who will hate victim for publishing such information).

From (2) there is no protection, because it's how git itself works (it allows unsigned commits by design).
But from (4) there should be some kind of protection. For example, on Github anyone cannot simply transfer repo ownership to anyone, new owner should confirm this transfer.

Between user/org, user should be able to transfer repo without confirmation if he has admin rights in this org. If transferring repo to another org, any org admin should be able to confirm this transfer. If transferring repo to another user, another user should confirm transfer. And actual transfer must be performed after confirmation. And if user has admin rights, he probably should be able to transfer repo without confirmation (as he implicitly has all privileges on server).

Upd: additionally, when transfer is pending and waiting for user confirmation, new repo owner should have temporary read access to repo if it's private - to make him able to investigate this repo content before accepting/rejecting transfer.

Screenshot

How it looks on Github:

Originally created by @SagePtr on GitHub (Aug 18, 2018). - Gitea version (or commit ref): b1ad573 - Git version: any - Operating system: any - Database (use `[x]`): any - Can you reproduce the bug at https://try.gitea.io: - [x] Yes (provide example URL) https://try.gitea.io/test/frame-test - [ ] No - [ ] Not relevant - Log gist: ## Description User can easily frame another user. How to reproduce: 1. Create new repo. 2. Configure local git to use victim's name/email. 3. Add to this repo something illegal in victim's country (or something agressive about other group of people or just smething very shameful). 4. Transfer ownership of repo to victim. 5. Call the police (or press, victim's boss, victim's wife or anyone else who will hate victim for publishing such information). From (2) there is no protection, because it's how git itself works (it allows unsigned commits by design). But from (4) there should be some kind of protection. For example, on Github anyone cannot simply transfer repo ownership to anyone, new owner should confirm this transfer. Between user/org, user should be able to transfer repo without confirmation if he has admin rights in this org. If transferring repo to another org, any org admin should be able to confirm this transfer. If transferring repo to another user, another user should confirm transfer. And actual transfer must be performed after confirmation. And if user has admin rights, he probably should be able to transfer repo without confirmation (as he implicitly has all privileges on server). Upd: additionally, when transfer is pending and waiting for user confirmation, new repo owner should have temporary read access to repo if it's private - to make him able to investigate this repo content before accepting/rejecting transfer. ## Screenshot How it looks on Github: ![](https://habrastorage.org/webt/9u/jo/se/9ujosekvzkv68m2wcanarj6fsa4.png)
GiteaMirror added the type/proposaltopic/security labels 2025-11-02 04:27:49 -06:00
Author
Owner

@lafriks commented on GitHub (Aug 19, 2018):

Wasn't there already issue for that?

@lafriks commented on GitHub (Aug 19, 2018): Wasn't there already issue for that?
Author
Owner

@SagePtr commented on GitHub (Aug 19, 2018):

Probably this one: #4352 is similar enough, but that issue was concerning features, and this issue is concerning security and related to any users, not only to orgs

@SagePtr commented on GitHub (Aug 19, 2018): Probably this one: #4352 is similar enough, but that issue was concerning features, and this issue is concerning security and related to any users, not only to orgs
Author
Owner

@0x5c commented on GitHub (Jan 9, 2019):

How are github and others currently handling that?

@0x5c commented on GitHub (Jan 9, 2019): How are github and others currently handling that?
Author
Owner

@adelowo commented on GitHub (Jan 9, 2019):

Looks like I do have some time to kill tomorrow, I will take a stab at this.

@adelowo commented on GitHub (Jan 9, 2019): Looks like I do have some time to kill tomorrow, I will take a stab at this.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#2218