You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Each instance of hydros should be considered single tenant.
We don't have sufficient security guarantees in place to prevent a user of hydros to escalating their permissions to be those of hydros. So anyone who can use hydros e.g. by submitting to a repository hydros has access to should be considered to at least have viewer permission on all repositories to which an instance of hydros has access.
For example, we don't ensure that the repository/person who created a ManifestSync has access to the repositories mentioned in the ManifestSync. So suppose we have the following 3 repositories on which an instance of hydros is installed
RepoA
RepoB
RepoC
So hydros has access to all three.
Now suppose we check into RepoA a ManifestSync that hydrates from RepoB to RepoC.
Then in principle someone with access to RepoA & RepoC but not RepoB could use hydros to exfiltrate code to RepoC.
We should update the documentation to make this clear
The text was updated successfully, but these errors were encountered:
Each instance of hydros should be considered single tenant.
We don't have sufficient security guarantees in place to prevent a user of hydros to escalating their permissions to be those of hydros. So anyone who can use hydros e.g. by submitting to a repository hydros has access to should be considered to at least have viewer permission on all repositories to which an instance of hydros has access.
For example, we don't ensure that the repository/person who created a ManifestSync has access to the repositories mentioned in the ManifestSync. So suppose we have the following 3 repositories on which an instance of hydros is installed
RepoA
RepoB
RepoC
So hydros has access to all three.
Now suppose we check into RepoA a ManifestSync that hydrates from RepoB to RepoC.
Then in principle someone with access to RepoA & RepoC but not RepoB could use hydros to exfiltrate code to RepoC.
We should update the documentation to make this clear
The text was updated successfully, but these errors were encountered: