-
Notifications
You must be signed in to change notification settings - Fork 24
Issues
is:issue state:open
is:issue state:open
Issue creation is restricted in this repository
Search results
Unbounded, unrate-limited filtered upload-pack lets an anonymous caller exhaust the blocking pool (#62 follow-up)
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:apiNode REST API request/response surfaceNode REST API request/response surfacesubsystem:visibilityPath-scoped visibility and content withholdingPath-scoped visibility and content withholdingStatus: Open.#166 In Gitlawb/node;Availability: unauthenticated GET /ipfs/{cid} runs one blocking git cat-file per readable repo
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:apiNode REST API request/response surfaceNode REST API request/response surfaceStatus: Open.#164 In Gitlawb/node;claim_bounty leaks private-repo metadata and locks the bounty — no repo-read gate (write-side of #120)
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:highMajor break or real security/trust risk, no easy workaroundMajor break or real security/trust risk, no easy workaroundsubsystem:apiNode REST API request/response surfaceNode REST API request/response surfacesubsystem:visibilityPath-scoped visibility and content withholdingPath-scoped visibility and content withholdingStatus: Open.#160 In Gitlawb/node;is_owner: bare-key mirror owner denied read to own repo; stale did_matches comment
kind:bugDefect fix — wrong or unsafe behaviorDefect fix — wrong or unsafe behaviorsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:identityDID/UCAN, http-sig auth, push authorizationDID/UCAN, http-sig auth, push authorizationStatus: Open.#153 In Gitlawb/node;list_ref_certificates fetches a repo's entire cert set with no LIMIT (permissionless read amplification on public repos)
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:highMajor break or real security/trust risk, no easy workaroundMajor break or real security/trust risk, no easy workaroundsubsystem:apiNode REST API request/response surfaceNode REST API request/response surfacesubsystem:attestationCertificates, anchoring, per-ref attestationCertificates, anchoring, per-ref attestationStatus: Open.#147 In Gitlawb/node;Ref-update feeds over-drop distinct-owner remote rows because the wire slug is method-lossy
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:bugDefect fix — wrong or unsafe behaviorDefect fix — wrong or unsafe behaviorsev:lowCosmetic, cleanup, or nice-to-haveCosmetic, cleanup, or nice-to-havesubsystem:visibilityPath-scoped visibility and content withholdingPath-scoped visibility and content withholdingStatus: Open.#144 In Gitlawb/node;list_pins / list_anchors serve stale metadata for repos made private after push (no index reconciliation on visibility downgrade)
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:apiNode REST API request/response surfaceNode REST API request/response surfacesubsystem:visibilityPath-scoped visibility and content withholdingPath-scoped visibility and content withholdingStatus: Open.#136 In Gitlawb/node;GET /ipfs/{cid} serves tree/commit objects of withheld subtrees, leaking structure get_tree protects (KTD3)
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:apiNode REST API request/response surfaceNode REST API request/response surfacesubsystem:visibilityPath-scoped visibility and content withholdingPath-scoped visibility and content withholdingStatus: Open.#135 In Gitlawb/node;MCP/CLI repo read tools serialize the node's error body as a fabricated result (no HTTP status check)
crate:glgl — the contributor CLIgl — the contributor CLIkind:bugDefect fix — wrong or unsafe behaviorDefect fix — wrong or unsafe behaviorsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:apiNode REST API request/response surfaceNode REST API request/response surfaceStatus: Open.#123 In Gitlawb/node;Unauthenticated metadata indexes leak private-repo data: /ipfs/pins and /arweave/anchors
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:apiNode REST API request/response surfaceNode REST API request/response surfacesubsystem:visibilityPath-scoped visibility and content withholdingPath-scoped visibility and content withholdingStatus: Open.#121 In Gitlawb/node;git-remote-gitlawb deadlocks on incremental (multi-round) fetch
crate:git-remotegit-remote-gitlawb — the git remote helpergit-remote-gitlawb — the git remote helperkind:bugDefect fix — wrong or unsafe behaviorDefect fix — wrong or unsafe behaviorsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:apiNode REST API request/response surfaceNode REST API request/response surfaceStatus: Open.#117 In Gitlawb/node;Owner-push enforcement is opt-in (off by default): decide the default write posture
crate:nodegitlawb-node — the serving node and REST APIgitlawb-node — the serving node and REST APIkind:securityVulnerability fix or hardeningVulnerability fix or hardeningsev:mediumDegraded but workaround existsDegraded but workaround existssubsystem:identityDID/UCAN, http-sig auth, push authorizationDID/UCAN, http-sig auth, push authorizationStatus: Open.#118 In Gitlawb/node;