Unauthenticated metadata indexes leak private-repo data: /ipfs/pins and /arweave/anchors #121

Description

@beardthelion

Summary

Two node-wide metadata indexes are served with no authentication and no visibility filtering, exposing metadata about private-repo objects and ref history.

Where (verified by reading the handlers; both on routers with no auth layer)

  • crates/gitlawb-node/src/api/ipfs.rs, list_pins (:103), route GET /api/v1/ipfs/pins (server.rs:192). Returns the (sha256, cid, pinned_at) index for every pinned object on the node, with no repo scope and no caller. This is the targeting oracle for #110 ("GET /ipfs/{cid} serves any git object by raw hash with no visibility check, leaking withheld blobs"): it hands an anonymous caller the exact CIDs to fetch private-repo blob content through the ungated GET /ipfs/{cid}.
  • crates/gitlawb-node/src/api/arweave.rs, list_anchors (:24), route GET /api/v1/arweave/anchors (server.rs:195). Returns ref-transition anchors (owner DID, ref names, old/new SHAs, CIDs, tx ids) filtered only by ?repo=, with no visibility check. Today it is bounded by the write-side announce invariant (anchoring only fires for announce-able repos), but it trusts that invariant rather than enforcing it, and anchors are permanent: a repo anchored while public and later made private leaks its ref graph here forever.

Impact

Fix

Found during a read-only egress audit; related to #110 (content-addressed blob egress).
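
An added example of the read-time scoping both listings lack, written for this page and not taken from gitlawb-node. It assumes the pins index gains a repo column at pin time, that anchors carry their repo, and that caller identity is established by an auth layer in front of the router; the names `RepoAcl`, `Caller`, `RepoScoped`, `can_read` and `list_visible`, the sample DIDs and the sample repos are all hypothetical. The point it demonstrates is the second bullet's failure mode: visibility is decided against the repo's current ACL when the index is read, so an anchor written while a repo was public disappears from the anonymous listing once the repo goes private, and `?repo=` narrows the result but never replaces the check.

```rust
use std::collections::{HashMap, HashSet};

// Added example, not gitlawb-node code. All type and field names are
// hypothetical. The real pins index has no repo column; the example assumes
// one is recorded at pin time and that anchors carry their repo as well.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Visibility { Public, Private }

/// Current access policy of a repo (assumed shape).
pub struct RepoAcl {
    pub owner_did: String,
    pub visibility: Visibility,
    pub readers: HashSet<String>, // DIDs with read access besides the owner
}

/// Caller identity established by an auth layer in front of the router.
/// `None` is anonymous. It must never come from a client-controlled field.
pub type Caller = Option<String>;

/// Anything served by a node-wide index must say which repo it belongs to.
pub trait RepoScoped { fn repo(&self) -> &str; }

#[derive(Debug, PartialEq, Eq)]
pub struct Pin { pub repo: String, pub sha256: String, pub cid: String, pub pinned_at: u64 }

#[derive(Debug, PartialEq, Eq)]
pub struct Anchor { pub repo: String, pub ref_name: String, pub old_sha: String, pub new_sha: String, pub tx_id: String }

impl RepoScoped for Pin { fn repo(&self) -> &str { &self.repo } }
impl RepoScoped for Anchor { fn repo(&self) -> &str { &self.repo } }

/// The single visibility decision shared by both listings. It reads the
/// repo's *current* ACL, so an anchor written while the repo was public is
/// withheld once the repo goes private: the permanent record stays, but the
/// listing enforces visibility itself instead of trusting the write side.
pub fn can_read(acls: &HashMap<String, RepoAcl>, repo: &str, caller: &Caller) -> bool {
    let acl = match acls.get(repo) {
        Some(a) => a,
        None => return false, // unknown or deleted repo: fail closed
    };
    match acl.visibility {
        Visibility::Public => true,
        Visibility::Private => caller
            .as_deref()
            .map_or(false, |did| did == acl.owner_did || acl.readers.contains(did)),
    }
}

/// Scoped listing for both GET .../pins and GET .../anchors. `repo_filter`
/// is the optional `?repo=` narrowing; it is applied in addition to the
/// visibility check, never instead of it.
pub fn list_visible<'a, T: RepoScoped>(
    index: &'a [T],
    acls: &HashMap<String, RepoAcl>,
    caller: &Caller,
    repo_filter: Option<&str>,
) -> Vec<&'a T> {
    index.iter()
        .filter(|it| repo_filter.map_or(true, |r| it.repo() == r))
        .filter(|it| can_read(acls, it.repo(), caller))
        .collect()
}

fn acl(owner: &str, visibility: Visibility, readers: &[&str]) -> RepoAcl {
    RepoAcl { owner_did: owner.into(), visibility, readers: readers.iter().map(|s| s.to_string()).collect() }
}

/// Constructed sample state: a public repo, a private repo shared with bob,
/// and a repo that was anchored while public and has since gone private.
pub fn sample_acls() -> HashMap<String, RepoAcl> {
    HashMap::from([
        ("alice/pub".to_string(), acl("did:ex:alice", Visibility::Public, &[])),
        ("alice/secret".to_string(), acl("did:ex:alice", Visibility::Private, &["did:ex:bob"])),
        ("alice/was-public".to_string(), acl("did:ex:alice", Visibility::Private, &[])),
    ])
}

/// Constructed pins, one per sample repo (hashes and CIDs are placeholders).
pub fn sample_pins() -> Vec<Pin> {
    let pin = |repo: &str, n: u8| Pin { repo: repo.into(), sha256: format!("{:064x}", n), cid: format!("bafy-{n}"), pinned_at: 1_700_000_000 + n as u64 };
    vec![pin("alice/pub", 1), pin("alice/secret", 2), pin("alice/was-public", 3)]
}

/// Constructed anchor written while alice/was-public was still public.
pub fn sample_anchors() -> Vec<Anchor> {
    vec![Anchor { repo: "alice/was-public".into(), ref_name: "refs/heads/main".into(), old_sha: "0".repeat(40), new_sha: "3".repeat(40), tx_id: "tx-3".into() }]
}

fn main() {
    let acls = sample_acls();
    let pins = sample_pins();
    for caller in [None, Some("did:ex:bob".to_string()), Some("did:ex:alice".to_string())] {
        let visible: Vec<&str> = list_visible(&pins, &acls, &caller, None).iter().map(|p| p.cid.as_str()).collect();
        println!("{:?} sees pins {:?}", caller, visible);
    }
    println!("anonymous sees anchors: {:?}", list_visible(&sample_anchors(), &acls, &None, None));
}
```

Routing `?repo=` through `list_visible` rather than short-circuiting on it matters: a caller who can name a private repo must get the same empty result as one who cannot, otherwise the filter becomes an existence oracle for private repos.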

Metadata

Assignees

No one assigned

    Labels

    crate:node (gitlawb-node, the serving node and REST API)
    kind:security (vulnerability fix or hardening)
    sev:medium (degraded but workaround exists)
    subsystem:api (node REST API request/response surface)
    subsystem:visibility (path-scoped visibility and content withholding)
