Last week, a GitHub "security issue", CFOR (Cross Fork Object Reference), drew a lot of attention:
Commits on a remote repository can be accessed by anyone, even after they have been deleted. With just the commit ID and the address of the source (upstream) or fork project, anyone can view what was once pushed to the remote repository. Here are three demos that reproduce the problem:
Demo 1: The fork has been deleted, yet its earlier commits remain visible to everyone. Steps to reproduce:
- Fork any publicly available open source project (the source project)
- Make a commit in the fork and push it to the remote repository
- Note the commit ID, then delete the fork
- Open the source project and append the commit ID to its URL in the address bar to view the commit made in the deleted fork
Demo 2: The source (upstream) project has been deleted, but its commits are still accessible through the fork's address plus the commit ID.
Demo 3: The source project is private and has been forked; the source project is then made public, at which point the private content in the fork can be accessed by anyone.
GitHub responded to this long ago: these are not bugs, they are intentional features. That being the case, how should we guard against these risks? Space is limited here, so the detailed discussion is in the main text below.
Back to this week's trending open source projects. The first one is recommended to GitHub's product managers: refined-github, a community-made browser plugin that optimizes the GitHub experience. Infisical, an all-in-one token management platform, helps prevent tokens and keys from leaking. Flower is a friendly federated learning framework that newcomers can use right out of the box.
Finally, the minimalist GPT-4o client gpt-computer-assistant and ai-renamer, a tool that intelligently batch-renames files with AI, are both LLM applications that can help you work more efficiently.
- Table of Contents for this article
- 1. Open-source journalism
- 1.1 Recommendations for the prevention of CFOR problems
- 2. Open source hot search project
- 2.1 Browser plugin to optimize GitHub experience: refined-github
- 2.2 All-in-one token management platform: Infisical
- 2.3 Linux Kernel Module Programming Guide: lkmpg
- 2.4 A Friendly Federated Learning Framework: Flower
- 2.5 Batch renaming files with AI: ai-renamer
- 3. HelloGitHub Hot Reviews
- 3.1 Free Visual Web Page Building Platform: GrapesJS
- 3.2 Minimalist GPT-4o client: gpt-computer-assistant
- 4. Conclusion
1. Open-source journalism
1.1 Recommendations for the prevention of CFOR problems
The original title of the article that broke this issue, Anyone can Access Deleted and Private Repository Data on GitHub, is a bit of an exaggeration in my opinion, because the following conditions must be met:
- You need to have pushed the changes to the remote repository
- You must know the specific commit ID
- Confidential information should never have been pushed to a remote repository in the first place
But deleted/private content being accessible on the public network is still truly outrageous. If there is no official improvement, we can only standardize the process of using GitHub to prevent confidentiality leaks, and here are the suggestions I've given:
- Don't put confidential information such as plaintext keys and tokens in your project; keep it in local environment variables.
- Avoid performing sensitive edits directly on GitHub's web pages, since changes made there are pushed automatically.
- Set up a local git hook that automatically checks for leaks, so the risk is controlled at the source.
- Before open-sourcing a private project, check it and scrub sensitive data. Also, even when developing in a private fork, add a leak-check step to the process.
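The git hook suggested above, as an added example for this article (it is not code from HelloGitHub, GitHub or any project listed here): a pre-commit hook that scans only the lines a commit would add and aborts the commit when any of them looks like a credential. The regexes are assumed, illustrative credential shapes, and the "allowlist-secret" marker is a convention invented here for fixture lines that must pass; both are the kind of thing you would extend for your own team's token formats.

```shell
#!/bin/sh
# pre-commit hook that refuses a commit when the staged diff adds lines that
# look like credentials. Added example for this article, not code from
# HelloGitHub, GitHub or any project listed here. The regexes are assumed,
# illustrative credential shapes; extend them for the token formats your team uses.
# Install: cp secret-scan.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit

# Read text on stdin and print every line that looks like a credential.
# Returns 0 when nothing suspicious was found, 1 otherwise.
# Lines carrying the marker "allowlist-secret" (a convention assumed here) are skipped.
scan_for_secrets() {
    input=$(grep -v 'allowlist-secret' || true)
    hits=$(
        # Fixed-format tokens: AWS access key IDs, GitHub PATs, PEM private keys
        printf '%s\n' "$input" | grep -E \
            -e 'AKIA[0-9A-Z]{16}' \
            -e 'ghp_[A-Za-z0-9]{36}' \
            -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' || true
        # Generic "name = 'value'" assignments whose name suggests a secret
        printf '%s\n' "$input" | grep -E -i \
            -e "(api_?key|secret|token|password|passwd)[[:space:]]*[=:][[:space:]]*[\"'][^\"']{8,}" || true
    )
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Scan only the lines this commit would add: the "+" lines of the staged diff,
# minus the "+++ b/file" headers, with the leading "+" stripped. Content that
# is already in the repository is therefore not flagged again on every commit.
scan_staged_diff() {
    git diff --cached -U0 --no-color | grep '^+' | grep -v '^+++' | cut -c2- | scan_for_secrets
}

# git runs this file as "pre-commit" when it is installed under .git/hooks/;
# a non-zero exit aborts the commit before anything can reach the remote.
case "${0##*/}" in
    pre-commit)
        if ! scan_staged_diff; then
            echo "pre-commit: possible secret in staged changes; commit aborted." >&2
            echo "Move the value to an environment variable, or mark a fixture line with allowlist-secret." >&2
            exit 1
        fi
        ;;
esac
```

To try the scanner without committing, source the file in a shell and pipe text into scan_for_secrets; the offending lines are printed and the exit status is 1. Scanning only the added diff lines is deliberate: it keeps the hook fast and avoids blocking every commit on content that was already in the repository before the hook existed.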
Finally, it is worth mentioning git dangling commits, which are often used to recover commits that were deleted or force-pushed away by mistake. If you have ever had the "pleasure" of running the git fsck --lost-found
command, you probably felt like a disaster survivor, thanking this divine command for saving your life once again!
Note that git push does not push dangling commits.
2. Open source hot search project
2.1 Browser plugin to optimize GitHub experience: refined-github
Main language: TypeScript, Stars: 23.8k, Weekly growth: 200
This is an open source browser plugin that simplifies the GitHub interface and adds practical functions. It removes redundant elements from the page to make the interface and interactions more concise, and adds features such as making whitespace changes visible, one-click merging to fix conflicts, and discarding all changes to a file in a PR, all to optimize the GitHub experience. It supports the Chrome and Firefox browsers.
GitHub address →/refined-github/refined-github
2.2 All-in-one token management platform: Infisical
Main language: TypeScript, Stars: 13.3k, Weekly growth: 150
This project helps teams centrally manage application configuration and confidential information, preventing leaks of API tokens, passwords, keys and the like. It provides a simple interface, client SDKs, command line tools and an API, making it easy to centralize secrets and integrate with existing projects and CI/CD pipelines. It also supports token scanning and other features to prevent leaks through git commits.
GitHub address →/Infisical/infisical
2.3 Linux Kernel Module Programming Guide: lkmpg
Main language: Other, Stars: 7.3k, Weekly growth: 170
This is a guide on how to write modules for the Linux kernel, with examples for the latest kernel versions. Linux kernel modules are a way to add new functionality to the Linux kernel without modifying the kernel itself or rebooting the system; writing them requires a basic knowledge of the C programming language.
GitHub address →/sysprog21/lkmpg
2.4 A Friendly Federated Learning Framework: Flower
Main language: Python, Stars: 4.6k, Weekly growth: 200
Federated learning is a distributed machine learning approach that allows training models without sharing data. The project is an easy-to-use federated learning framework that can be used in conjunction with popular machine learning frameworks (PyTorch, TensorFlow, JAX and scikit-learn, etc.). It supports federated learning training, analysis and evaluation, as well as simulation of client-side operations, and contains rich examples for machine learning model development scenarios that require privacy protection, such as healthcare, government and enterprise, and finance.
import flwr as fl
import tensorflow as tf

# Load model and data (MobileNetV2, CIFAR-10)
model = tf.keras.applications.MobileNetV2((32, 32, 3), classes=10, weights=None)
model.compile("adam", "sparse_categorical_crossentropy", metrics=["accuracy"])
(x_train, y_train), (x_test, y_test) = tf.keras.datasets.cifar10.load_data()

# Define Flower client: the server sends model weights, the client trains
# on its local data and returns updated weights, never the data itself
class CifarClient(fl.client.NumPyClient):
    def get_parameters(self, config):
        return model.get_weights()

    def fit(self, parameters, config):
        model.set_weights(parameters)
        model.fit(x_train, y_train, epochs=1, batch_size=32)
        return model.get_weights(), len(x_train), {}

    def evaluate(self, parameters, config):
        model.set_weights(parameters)
        loss, accuracy = model.evaluate(x_test, y_test)
        return loss, len(x_test), {"accuracy": accuracy}

# Start Flower client and connect to the Flower server
fl.client.start_numpy_client(server_address="127.0.0.1:8080", client=CifarClient())
GitHub address →/adap/flower
2.5 Batch renaming files with AI: ai-renamer
Main language: JavaScript, Stars: 1.1, Weekly growth: 200
This is a command line tool for smart, automated, batch renaming of local files based on LLMs (Llava, Gemma, Llama, etc.). It is easy to use, requires no human intervention, and renames files intelligently based on their content, with support for videos, images and documents.
GitHub address →/ozgrozer/ai-renamer
3. HelloGitHub Hot Reviews
In this section, we share this week's top open source projects on the HelloGitHub website. You are welcome to share your own experiences with these projects.
3.1 Free Visual Web Page Building Platform: GrapesJS
Main language: TypeScript
The project enables users to quickly design and build HTML templates for websites with drag-and-drop through an intuitive visual interface. It is WYSIWYG, mobile-ready and suitable for official websites, news and CMS.
Project Details→/repository/572e31f5fc7541efb19c16d331796edf
3.2 Minimalist GPT-4o client: gpt-computer-assistant
Main language: Python
The project is a GPT-4o client for Windows, macOS and Ubuntu with a minimalist user interface that supports performing a variety of tasks, including reading the screen, opening applications, system audio and text input.
Project Details→/repository/4688db1465d5437aab851a70ba39f1e2
4. Conclusion
That is all for this issue of "GitHub Hot Spot". I hope you have found open source projects that interest you here. If you have other fun and interesting GitHub open source projects to share, you are welcome to share and discuss them with us on HelloGitHub.
Past Review
- NVIDIA takes another step toward open source
- Open Source Pioneers Bringing Traditional Applications to the Browser