content-only allow/deny is insecure #83
(Firstly, this project is great - I was thinking about implementing almost exactly this the other day, glad to see it already exists.)
I'm happy to see the allow/deny system, but I don't think it's sufficient. For example, if
So perhaps the auth needs to contain the full path, as well as just the content.
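The difference between a content-only approval key and one that also covers the full path, as an added example that is not part of the original issue and is not the project's own code. The function names, the length-prefixed hash layout, and the sample paths and `.envrc` content are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"path/filepath"
)

// contentKey models a content-only scheme: the approval key is derived
// from the file bytes alone, so it is the same wherever the file lives.
func contentKey(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// pathBoundKey (hypothetical) derives the key from the cleaned path plus
// the content, so an approval is tied to one file at one location.
func pathBoundKey(path string, content []byte) string {
	clean := filepath.Clean(path)
	h := sha256.New()
	// The length prefix keeps the path/content boundary unambiguous.
	fmt.Fprintf(h, "%d:%s\n", len(clean), clean)
	h.Write(content)
	return hex.EncodeToString(h.Sum(nil))
}

// approvalCarriesOver approves content at approvedPath under both schemes
// and reports whether the same bytes at otherPath would also be accepted.
func approvalCarriesOver(approvedPath, otherPath string, content []byte) (contentOnly, pathBound bool) {
	byContent := map[string]bool{contentKey(content): true}
	byPath := map[string]bool{pathBoundKey(approvedPath, content): true}
	return byContent[contentKey(content)], byPath[pathBoundKey(otherPath, content)]
}

func main() {
	// Constructed sample: a relative-looking setup that behaves differently
	// depending on the directory it is loaded from.
	envrc := []byte("export PATH=$PWD/bin:$PATH\n")
	co, pb := approvalCarriesOver("/home/tim/project/.envrc", "/tmp/checkout/.envrc", envrc)
	fmt.Println("content-only key accepts the copy:", co)
	fmt.Println("path-bound key accepts the copy:  ", pb)
}
```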
Hi Tim, thanks for the kind words!
How likely is it that the attacker knows what .envrc you allowed and that
I don't think security is an absolute; we certainly increase the attack
That being said, if a pull request was being submitted I would gladly accept