Have you attached files (images, movies, etc.) on GitHub? They can be viewed by anyone.

Taka
3 min read · May 18, 2023


Until around May 9, 2023, every file (images, movies and so on) that you uploaded to GitHub was public and could be viewed by anyone in the world. This held even for private repositories, for example a repository accessed with a company account.

This could potentially lead to security incidents, as these files may contain sensitive information about you or your company.

This article explains how to revoke access to these files on GitHub.

Even though the system was changed on May 9, 2023 (More secure private attachments), the previously attached files remain accessible to the public.

Regardless of whether you are logged in to GitHub or not, anyone can view the images or movies you uploaded.

What steps should be taken to delete all files from GitHub?

  1. Write a script that scrapes the URLs of all attachments in your (or your company’s) repositories using the GitHub API.
  2. Send a message to the GitHub company along with the URL list.

Write a script that scrapes the URLs of all attachments in your (or your company’s) repositories using the GitHub API.

The files that need deleting were uploaded as comments on Pull Requests or Issues. GitHub offers several APIs for developers, but in this case we only use the Issues and Issue Comments APIs. We do not use the Pulls API because the Issues API also returns Pull Requests. For more information on this, please refer to this resource.

By using these APIs you can retrieve all the URL links, for example with a shell script or any other method.

#!/bin/bash
# %T already contains seconds; use a colon-free timestamp so it is safe in a file name.
DATE=$(date +%Y%m%d-%H%M%S)
OUT="$DATE-github-png-mov-links.json"

owner="owner_name"

# Get a repository list in your Organization, then loop over the repositories.
gh api --paginate "/orgs/$owner/repos" -q '.[].name' | while read -r repo
do
  echo "repository-name: $repo" >> "$OUT"

  # Extract data containing files' URLs from Issues and Pull Requests.
  # The Issues endpoint returns Pull Requests as well; keep only the "body" field.
  gh api --paginate --header 'Accept: application/vnd.github+json' --method GET "/repos/$owner/$repo/issues" -F state=all -q ".[] | {body}" >> "$OUT"

  # Extract data containing files' URLs from Issue comments and Pull Request comments.
  # Note: review comments left on a pull request's diff are served by
  # /repos/$owner/$repo/pulls/comments and are not collected by this call.
  gh api --paginate --header 'Accept: application/vnd.github+json' --method GET "/repos/$owner/$repo/issues/comments" -q ".[] | {body}" >> "$OUT"
done

Note: --paginate is essential; otherwise only the first page of results is scraped. This option makes the command read the entire data set.

Send a message to the GitHub company along with the URL list.

For each line in the JSON file (e.g., $DATE-github-png-mov-links.json in the example above), extract the file URLs using any language you like, such as Ruby, shell, or JavaScript.

Here is an example using Ruby.

date = Time.now.strftime("%Y%m%d-%H%M%S")

# Legacy attachment URLs. The match stops at the file extension so surrounding
# markdown is not captured; image and video types GitHub accepts are listed.
re = %r{https://user-images\S*?\.(?:png|jpg|jpeg|gif|mov|mp4)}

# Replace the json file name with the one produced by the shell script.
urls = []
File.open("2023xxxx-xxxxxx-github-png-mov-links.json", "r") do |f|
  f.each_line do |line|
    urls.concat(line.scan(re))
  end
end

File.open("#{date}.txt", "a") do |f|
  urls.each { |url| f.write("#{url}\n") }
end

# The same url may appear several times because quoted replies repeat the comment.
# It is better to remove the duplicates before handing the list to GitHub staff.
final_arr = File.readlines("#{date}.txt")

# Remove the duplicate links.
final_arr.uniq!

File.open("#{date}-result.txt", "a") do |f|
  final_arr.each { |line| f.write(line) }
end

The result should look like this.

...
https://user-images.githubusercontent.com/xxxxxxxx/yyyyy.png
https://user-images.githubusercontent.com/xxxxxxxx/yyyyy.mov
...

Finally, send a message to GitHub with your account information and the URL list.

Note: The person who uploaded the files must be the one who reports the links.
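As an added example (not code from the original post), here is a Ruby version of the extraction step that works directly on the JSON array the Issues or Issue Comments API returns, instead of on a text file. It generalises the post's regex to every legacy user-images URL regardless of extension, de-duplicates the quote-reply repeats in one pass, and separately counts attachments that already use the newer repository-scoped path (the "More secure private attachments" change); the sample comments and the acme/widgets repository are constructed.

```ruby
require "json"
require "set"

# Legacy attachment URLs were served from a public CDN (pre May 9, 2023). The
# character class stops at whitespace, ')', '"' and '>' so markdown wrappers
# such as ![x](url) or <img src="url"> do not bleed into the match.
LEGACY_ATTACHMENT = %r{https://user-images\.githubusercontent\.com/[^\s)"'>]+}

# Attachments uploaded after the change live under the repository itself and
# are access-controlled for private repositories, so they need no report.
PRIVATE_ATTACHMENT = %r{https://github\.com/[^/\s]+/[^/\s]+/assets/[^\s)"'>]+}

# Parse the JSON array the Issues or Issue Comments API returns and collect
# every legacy attachment URL exactly once. Bodies may be null.
def legacy_attachment_urls(json_text)
  items = JSON.parse(json_text)
  items = [items] unless items.is_a?(Array)
  seen = Set.new
  items.each do |item|
    item["body"].to_s.scan(LEGACY_ATTACHMENT) { |url| seen << url }
  end
  seen.to_a.sort
end

# Count the newer private-style attachments so the operator can see how much
# of the history already sits behind the new system.
def private_attachment_count(json_text)
  items = JSON.parse(json_text)
  items.sum { |item| item["body"].to_s.scan(PRIVATE_ATTACHMENT).size }
end

# Constructed sample: three comments, the second quoting the first, so the
# same screenshot URL appears twice and must be reported only once.
SAMPLE = <<~JSON
  [
    {"body": "Screenshot:\\n![shot](https://user-images.githubusercontent.com/1234/shot.png)\\n<video src=\\"https://user-images.githubusercontent.com/1234/clip.mov\\"></video>"},
    {"body": "> ![shot](https://user-images.githubusercontent.com/1234/shot.png)\\nNew one: https://github.com/acme/widgets/assets/1234/a1b2.png"},
    {"body": null}
  ]
JSON

if __FILE__ == $PROGRAM_NAME
  puts legacy_attachment_urls(SAMPLE)
  puts "newer private attachments: #{private_attachment_count(SAMPLE)}"
end
```

Feed it the raw output of `gh api --paginate ... /issues` or `/issues/comments` (without the `-q` filter) and write the returned array to the file you send to GitHub.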

Written by Taka

Software Engineer in New Zealand.
