0 Replies Latest reply on Jun 30, 2016 5:24 PM by Regis

    github.com - controlling uploads, allowing downloads, yet POSTs seem to be involved in downloads?

    Regis

      Greetings,

       

      Anyone else in an organization wherein you have audit drivers to prevent the upload of code to GitHub, but leverage open source that originates from GitHub (so downloads, and functions with git and all need to be allowed)?

      I ask as GitHub appears to leverage POST requests even in operations that seem to be read only conceptually, which makes this an interesting challenge.

      I'm curious to hear of any experience from folks who've had to tackle a similar set of requirements.

       

      As an example, here's a component that led to adding some rather uncomfortable whitelisting past some rules preventing the upload of many archive file types:

      GitHub - real-logic/Agrona: High Performance data structures and utility methods for Java and C++

       

      Here's an example of some unique GitHub POSTs from logs:

      200 "POST https://github.com/real-logic/Agrona.git/git-upload-pack HTTP/1.1"  (successful, after whitelisting)

      403 "POST https://github.com/real-logic/Agrona.git/git-upload-pack HTTP/1.1"  (this was from before a whitelisting past an upload rule)

           and then there's the codeload.github.com components under that

      200 "POST https://github.com/repositories/check-name HTTP/1.1"

      200 "POST https://github.com/users/set_protocol?protocol_selector=https&protocol_type=clone HTTP/1.1"

      200 "POST https://github.com/users/set_protocol?protocol_selector=ssh&protocol_type=clone HTTP/1.1"

      200 "POST https://github.com/dashboard/dismiss_bootcamp HTTP/1.1"

      200 "POST https://github.com/FreeCodeCamp/FreeCodeCamp/star HTTP/1.1"

      200 "POST https://github.com/login/oauth/authorize HTTP/1.1"

      200 "POST https://github.com/real-logic/Agrona.git/git-upload-pack HTTP/1.1"  (successful, after whitelisting)
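
An added example, not part of the original post: in Git's smart HTTP protocol `git-upload-pack` is the service that answers clone and fetch (the server uploads the pack to the client), while push goes to `git-receive-pack`, so proxy logs can be split on the service name rather than on the HTTP method. The log format is taken from the lines above; the `example-org/example-repo` lines and the function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

FETCH, PUSH, WEB, OTHER = "git-fetch", "git-push", "web-post", "other"

# Format of the proxy log lines quoted in the post: status, then the quoted request line.
LOG_RE = re.compile(r'^(?P<status>\d{3}) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (status, verdict) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    # The discovery request names the service in the query string:
    # GET .../info/refs?service=git-upload-pack (or git-receive-pack).
    service = parse_qs(url.query).get("service", [""])[0]
    if url.path.endswith("/git-receive-pack") or service == "git-receive-pack":
        verdict = PUSH      # client sends objects to the server (upload)
    elif url.path.endswith("/git-upload-pack") or service == "git-upload-pack":
        verdict = FETCH     # server sends objects to the client (clone/fetch)
    elif m["method"] == "POST":
        verdict = WEB       # web UI action, not a git transfer
    else:
        verdict = OTHER
    return int(m["status"]), verdict

def summarize(lines):
    """Count verdicts over all parsable lines."""
    return Counter(r[1] for r in map(classify, lines) if r)

# First three lines are from the post; the example-org lines are constructed.
SAMPLE = [
    '403 "POST https://github.com/real-logic/Agrona.git/git-upload-pack HTTP/1.1"',
    '200 "POST https://github.com/repositories/check-name HTTP/1.1"',
    '200 "POST https://github.com/FreeCodeCamp/FreeCodeCamp/star HTTP/1.1"',
    '200 "GET https://github.com/example-org/example-repo.git/info/refs?service=git-receive-pack HTTP/1.1"',
    '200 "POST https://github.com/example-org/example-repo.git/git-receive-pack HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), line)
    print(dict(summarize(SAMPLE)))
```

A rule keyed on `git-receive-pack` covers pushes made with git itself; changes made through the web interface arrive as ordinary POSTs and need their own handling.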