Github and Bitbucket allow README files in formats such as Markdown or reStructuredText, but not in HTML format.
Is there a security risk in doing so?
Asked
Active
Viewed 597 times
1 Answers
8
HTML files can contain Javascript which browsers will run with permission to the domain it's displayed on. If github allowed arbitrary HTML uploaded by users to show on the github.com domain, then for example an attacker could create a repository that when viewed caused your browser to copy the readme into all of your own repositories (by making AJAX requests against github.com), which would then continue to spread across the site. (The code could also have other functionality, like making all of your private repositories public, changing your profile info, etc.)
Macil
- 1,492
- 9
- 11
-
2It goes a lot further than just forking a repo, though; you could do pretty much anything on the user's account that doesn't require a password reprompt. – Xiong Chiamiov Apr 05 '17 at 18:33
-
4@XiongChiamiov Even more devious: The malicious javascript could throw up a fake login prompt that looks like GitHub's, but scrapes the password. Most users would probably think that GitHub just randomly logged them out, and re-enter in their password, giving it to the attacker. Once the attacker can get their foot in the door with some malicious JS, there are a ton of tricks he can pull. – Colonel Thirty Two Apr 05 '17 at 19:20