FYI: Data from deleted GitHub repos may not actually be deleted
Researchers at Truffle Security have found, or arguably rediscovered, that data from deleted GitHub repositories and from deleted copies of repositories isn't necessarily deleted.
The firm showed how one can fork a repository, commit data to it, delete the fork, and then access the supposedly deleted commit data via the original repository.
The key had been publicly committed to a GitHub repository.
"They immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork, despite the fork never syncing with the original 'upstream' repository," Leon explained.
"It's not a GitHub primitive. So a dangling commit can exist in any git platform - Bitbucket, GitLab, GitHub, etc. And a dangling commit is basically within a given code repository, you have a tree and that tree represents the history for that project, so all the old versions of the code that are linked together."
While deleting a branch, for example, removes the reference to a particular commit chain, the commits themselves are not deleted from the repository's object database.
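The branch-deletion behaviour described above can be reproduced in a throwaway local repository. This is an added example, not code from the article or from Truffle Security; the fake key, the file names and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway local repo and a constructed fake key, not a real credential.
# REPO must point at an empty directory before the functions are called.
g() { git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Commit the fake key on a branch, delete the branch, print the commit id.
leak_then_delete_branch() {
    g init -q &&
    echo "hello" > "$REPO/README" &&
    g add README && g commit -q -m "initial commit" &&
    base=$(g symbolic-ref --short HEAD) &&
    g checkout -q -b feature &&
    echo "API_KEY=CONSTRUCTED-FAKE-KEY" > "$REPO/config.env" &&
    g add config.env && g commit -q -m "add config" &&
    leaked=$(g rev-parse HEAD) &&
    g checkout -q "$base" && g branch -q -D feature &&
    echo "$leaked"
}

# Exit 0 if a branch, tag or HEAD still reaches the commit.
reachable_from_refs() { g rev-list --all | grep -qx "$1"; }

# Exit 0 if the commit object is still in the object database.
object_exists() { g cat-file -e "$1^{commit}" 2>/dev/null; }

# Print config.env as stored in the given commit.
read_from_commit() { g show "$1:config.env"; }

# Print ids of commits that no ref points to (reflogs ignored).
dangling_commits() {
    g fsck --no-reflogs 2>/dev/null | awk '$1 == "dangling" && $2 == "commit" { print $3 }'
}

# Local cleanup: expire reflog entries, then prune unreachable objects.
purge_unreachable() { g reflog expire --expire=now --all && g gc -q --prune=now; }

REPO=$(mktemp -d)
id=$(leak_then_delete_branch)
reachable_from_refs "$id" || echo "no ref reaches $id"
echo "still readable by hash: $(read_from_commit "$id")"
echo "fsck reports dangling: $(dangling_commits)"
purge_unreachable
object_exists "$id" || echo "object gone after reflog expiry and gc"
rm -rf "$REPO"
```

The cleanup step applies only to a repository you control locally; it does not reach copies of the objects held elsewhere.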
News URL
https://go.theregister.com/feed/www.theregister.com/2024/07/25/data_from_deleted_github_repos/