Issues in Gitlawb/node (filter: is:issue state:open). Forks: 24. Issue creation is restricted in this repository.
#147  list_ref_certificates fetches a repo's entire cert set with no LIMIT (permissionless read amplification on public repos)
      Labels: crate:node, kind:security, sev:high, subsystem:api, subsystem:attestation. Status: Open.

#144  Ref-update feeds over-drop distinct-owner remote rows because the wire slug is method-lossy
      Labels: crate:node, kind:bug, sev:low, subsystem:visibility. Status: Open.

#136  list_pins / list_anchors serve stale metadata for repos made private after push (no index reconciliation on visibility downgrade)
      Labels: crate:node, kind:security, sev:medium, subsystem:api, subsystem:visibility. Status: Open.

#135  GET /ipfs/{cid} serves tree/commit objects of withheld subtrees, leaking structure get_tree protects (KTD3)
      Labels: crate:node, kind:security, sev:medium, subsystem:api, subsystem:visibility. Status: Open.

#123  MCP/CLI repo read tools serialize the node's error body as a fabricated result (no HTTP status check)
      Labels: crate:gl, kind:bug, sev:medium, subsystem:api. Status: Open.

#121  Unauthenticated metadata indexes leak private-repo data: /ipfs/pins and /arweave/anchors
      Labels: crate:node, kind:security, sev:medium, subsystem:api, subsystem:visibility. Status: Open.

#120  Repo-scoped read surfaces gated by existence only, not visibility (certs, issues, labels, bounties, stars)
      Labels: crate:node, kind:security, sev:high, subsystem:api, subsystem:visibility. Status: Open.

#117  git-remote-gitlawb deadlocks on incremental (multi-round) fetch
      Labels: crate:git-remote, kind:bug, sev:medium, subsystem:api. Status: Open.

#118  Owner-push enforcement is opt-in (off by default): decide the default write posture
      Labels: crate:node, kind:security, sev:medium, subsystem:identity. Status: Open.

#115  gl/MCP read commands send unsigned requests to visibility-gated endpoints, breaking them for private-repo owners
      Labels: crate:gl, kind:bug, sev:medium, subsystem:api. Status: Open.

#106  Smart-HTTP git endpoints leak absolute server path in 500 body
      Labels: crate:node, kind:security, sev:low, subsystem:api. Status: Open.

#102  Paged repo-list owner filter misses bare-owner mirror rows when given a full DID
      Labels: crate:node, kind:bug, sev:low, subsystem:replication. Status: Open.

Label key
  crate:node             gitlawb-node, the serving node and REST API
  crate:gl               gl, the contributor CLI
  crate:git-remote       git-remote-gitlawb, the git remote helper
  kind:security          Vulnerability fix or hardening
  kind:bug               Defect fix (wrong or unsafe behavior)
  sev:high               Major break or real security/trust risk, no easy workaround
  sev:medium             Degraded but workaround exists
  sev:low                Cosmetic, cleanup, or nice-to-have
  subsystem:api          Node REST API request/response surface
  subsystem:attestation  Certificates, anchoring, per-ref attestation
  subsystem:visibility   Path-scoped visibility and content withholding
  subsystem:identity     DID/UCAN, http-sig auth, push authorization
  subsystem:replication  Mirror, replica, and cross-node sync
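Two of the read-path patterns named in the list above (#147: an unbounded per-repo read, and #120/#121: a read surface gated only on whether the repo exists, not on whether the caller may see it) can be shown side by side in a few lines. The following is an added illustration written for this page; it is not code from the Gitlawb/node repository and says nothing about how that node actually stores repos or certificates. The `Repo`, `Store`, `list_certs_existence_only`, `list_certs_gated` names, the `MAX_PAGE` bound and the sample DIDs and slugs are all assumptions made for the example; the certificate rows are constructed strings.

```rust
// Added illustration, not code from Gitlawb/node. Every type, function and
// constant here is an assumption made for this example.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Visibility {
    Public,
    Private,
}

#[derive(Clone, Debug)]
pub struct Repo {
    pub owner_did: String,
    pub visibility: Visibility,
    /// Per-ref certificate rows; constructed strings stand in for real records.
    pub certs: Vec<String>,
}

pub type Store = HashMap<String, Repo>;

#[derive(Debug, PartialEq)]
pub enum ReadError {
    NotFound,
}

/// Hard upper bound on rows per page, applied regardless of the client's request.
pub const MAX_PAGE: usize = 50;

/// Existence-only gate with no LIMIT: the shape issues #147 and #120 describe.
/// Anyone who can name a slug receives every row, and a private repo answers
/// differently from a missing one.
pub fn list_certs_existence_only(store: &Store, slug: &str) -> Result<Vec<String>, ReadError> {
    let repo = store.get(slug).ok_or(ReadError::NotFound)?;
    Ok(repo.certs.clone())
}

/// Hardened variant: visibility gate first, then a clamped page window.
/// A private repo is reported as NotFound to non-owners so that the gate does
/// not itself become an existence oracle.
pub fn list_certs_gated(
    store: &Store,
    slug: &str,
    requester: Option<&str>,
    offset: usize,
    limit: Option<usize>,
) -> Result<Vec<String>, ReadError> {
    let repo = store.get(slug).ok_or(ReadError::NotFound)?;
    let visible = match repo.visibility {
        Visibility::Public => true,
        Visibility::Private => requester == Some(repo.owner_did.as_str()),
    };
    if !visible {
        return Err(ReadError::NotFound);
    }
    // A missing limit gets the default page; an oversized one is clamped, never honoured.
    let page = limit.unwrap_or(MAX_PAGE).clamp(1, MAX_PAGE);
    Ok(repo.certs.iter().skip(offset).take(page).cloned().collect())
}

/// Constructed sample store: a public repo with more rows than one page,
/// and a private repo owned by a different DID.
pub fn sample_store() -> Store {
    let mut s = Store::new();
    s.insert(
        "alice/public-repo".to_string(),
        Repo {
            owner_did: "did:key:alice".to_string(),
            visibility: Visibility::Public,
            certs: (0..120).map(|i| format!("cert-{i}")).collect(),
        },
    );
    s.insert(
        "bob/private-repo".to_string(),
        Repo {
            owner_did: "did:key:bob".to_string(),
            visibility: Visibility::Private,
            certs: vec!["cert-secret".to_string()],
        },
    );
    s
}

fn main() {
    let store = sample_store();
    // Unbounded read: 120 rows for one anonymous request.
    let all = list_certs_existence_only(&store, "alice/public-repo").unwrap();
    println!("existence-only: {} rows", all.len());
    // Bounded read: MAX_PAGE rows even when the client asks for 10_000.
    let page = list_certs_gated(&store, "alice/public-repo", None, 0, Some(10_000)).unwrap();
    println!("gated: {} rows", page.len());
    // Private repo: the owner sees it, an anonymous caller gets NotFound.
    println!("{:?}", list_certs_gated(&store, "bob/private-repo", Some("did:key:bob"), 0, None));
    println!("{:?}", list_certs_gated(&store, "bob/private-repo", None, 0, None));
}
```

The point of returning `NotFound` rather than a distinct "forbidden" error for private repos is that the visibility gate would otherwise still confirm which slugs exist, which is the same class of leak the issues above describe for the metadata indexes.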