How to securely associate a Github App Install ID with the account of a website integrating with the GitHub App?
Asked Answered
M

1

10

I'm in the process of building a website integrated around a GitHub App of mine.

This website has its own users (from Google oAuth), who can connect their account to their GitHub account by installing my GitHub application.

There's something in the GitHub App install process I cannot wrap my head around:

After a user installs my App on GitHub:

  • their browser is redirected to a URL ("Post install Setup URL"), with the install ID in the URL.

  • GitHub calls my webhook to declare the install

The install ID is a sensible info, as if a malicious user of my website (the attacker) can trick my website into associating their account with the GitHub Install ID of somebody else (the victim), my website would operate on the GitHub API of the victim on behalf of the attacker (which is bad!).

Now, my goal is to securely bind this install ID to the user of my website. By secure, I mean that it is impossible for my website to grant an attacker permissions on a victim GitHub install of my app.

Using the GitHub install ID provided in the "Post install Setup URL" to bind this install to an account of my website is insecure, as I have no way to validate that this install ID "belongs" to the user of my website, as the URL can be forged by an attacker knowing a valid install ID of a victim.

Imperfect mitigations:

  • assert that the install ID is not bound to any other user account of my website

    • bad as it could be circumvented if for some reason the legit user was never redirected to my website using the "Post install Setup URL" to bind this GitHub install ID to his account

    • bad as in any case, this would be vulnerable to a "race" (or timing?) attack on the confirmation (if the attacker manages to confirm the valid install ID before the victim)

  • use in conjunction of a GitHub API Event event received on a webhook

    • the webhook is triggered by the Github backend, and thus can't identify of the logged-in website user, which does not help us to bind github install ID to the proper website user.

Am I missing something, or is this a flaw of the App authorization model ?

Mcafee answered 4/12, 2020 at 14:26 Comment(0)
M
6

Found the answer:

I needed to activate "Request user authorization (OAuth) during installation". This way, GitHub answers with a secure token that I can use to validate the installation instead of just the installation ID.

Documentation: https://docs.github.com/en/free-pro-team@latest/developers/apps/identifying-and-authorizing-users-for-github-apps#web-application-flow

Mcafee answered 4/12, 2020 at 14:54 Comment(1)
Thanks @netgusto! Once you have the user access token, how d you validate that the installation is associated with that user?Viper

© 2022 - 2024 — McMap. All rights reserved.