When searching for issues, I'm receiving issues from orgs/repos the app is not installed
I’m writing a small bot, forgetful, to send a Slack notification at pre-defined times for PRs which have not been reviewed. I’m taking a lot of inspiration (copying madly) from both https://github.com/probot/stale and https://github.com/probot/scheduler. However, the main difference is that my solution is based on cron expressions using node-cron rather than intervals.
I’ll try to explain my current setup. I’m using GitHub Enterprise, which is hosted on-premise at my company. I created a GitHub App under my personal developer settings. I’ve only granted read permissions to metadata, issues, and the single config file. I’m pushing the events to smee.io and I’m reading them locally. Since I only develop locally right now, I’ve dropped the .pem file in the root of my project. I’m using the latest versions of all my dependencies.
Following the examples from scheduler, I’m dispatching a custom event to my bot.

- During initialization, the bot queries `github.apps.listInstallations` and, for each installation, `github.apps.listRepos` to get all its repos. For each repo, I’m dispatching the following event to the bot:

```typescript
this.app.receive({
  // not sure what id is, documentation is lacking
  id: 'forgetful',
  name: 'schedule',
  payload: { action: 'init', installation, repository }
})
```

- The main bot code is then reacting to this event like so:

```typescript
app.on('schedule.init', async (context: Context<SchedulerInit>) => {
  const config: ForgetfulConfig = {
    ...defaultConfig,
    ...(await context.config('forgetful.yml'))
  }
  scheduler.add(context, config)
})
```

- The `scheduler`’s `#add` method is creating a new cronjob:

```typescript
...
return cron.schedule(
  config.crontab,
  async () => {
    const params = context.repo({ q: `is:pr is:open` })
    const results = await context.github.search.issuesAndPullRequests(params)
    context.log(results.data.items)
  },
  { timezone: config.timezone }
)
```
Now, I might be using the API wrong or my configuration might be weird, but that `issuesAndPullRequests` call is returning issues from repos which have not granted access to my App. I find this very strange. The issues I’m getting access to are public given an authenticated user.
I find the following snippet quite suspicious of being wrong, but I cannot figure it out either. Also, I’m not sure if, given a fake event, my context is correct.

```typescript
const params = context.repo({ q: `is:pr is:open` })
const results =
  await context.github.search.issuesAndPullRequests(params)
```
Can you please tell me if I’m doing something wrong or if this is a security concern?
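The following is an added example, not code from the forgetful bot, Probot or the issue thread, showing where the search above loses its repository scope and how to restore and verify it. It assumes a Probot-style `context.repo(params)` that merges `{ owner, repo }` from the event payload into `params` (a minimal stand-in is constructed below), and it assumes a hypothetical on-premise GHE API base URL; the event payload and search results are constructed sample data.

```javascript
// Minimal stand-in for Probot's context.repo(): merges owner/repo taken from
// the event payload into the params object passed in.
function makeContext(payload) {
  return {
    payload,
    repo(params = {}) {
      return {
        owner: payload.repository.owner.login,
        repo: payload.repository.name,
        ...params,
      };
    },
  };
}

// What the bot's cron callback sends today. The search endpoint has no
// owner/repo route parameters; it only reads `q`, so `owner` and `repo` are
// silently dropped and "is:pr is:open" runs against the whole instance,
// which is why public PRs from uninstalled repos come back.
function unscopedSearchParams(context) {
  return context.repo({ q: 'is:pr is:open' });
}

// Corrected: the repository restriction has to live inside the query string
// as a `repo:owner/name` qualifier.
function scopedSearchParams(context, qualifiers = 'is:pr is:open') {
  const { owner, repo } = context.repo();
  return { q: `repo:${owner}/${repo} ${qualifiers}` };
}

// Defensive post-check: keep only items whose repository_url points at the
// repository the schedule event was dispatched for. Search results carry
// repository_url, so this catches a mistyped qualifier before anything is
// posted to Slack. apiBase is the REST base of the instance being queried.
function filterToRepo(items, owner, repo, apiBase = 'https://api.github.com') {
  const expected = `${apiBase}/repos/${owner}/${repo}`;
  return items.filter((item) => item.repository_url === expected);
}

// Constructed sample data (hypothetical org, repo and GHE host).
const GHE_API = 'https://ghe.example.internal/api/v3';

const sampleContext = makeContext({
  repository: { name: 'forgetful', owner: { login: 'acme' } },
});

const sampleItems = [
  { number: 7, repository_url: `${GHE_API}/repos/acme/forgetful` },
  { number: 42, repository_url: `${GHE_API}/repos/other-org/public-thing` },
  { number: 9, repository_url: `${GHE_API}/repos/acme/forgetful` },
];

console.log(unscopedSearchParams(sampleContext));
console.log(scopedSearchParams(sampleContext));
console.log(filterToRepo(sampleItems, 'acme', 'forgetful', GHE_API).map((i) => i.number));
```

The first line printed still contains `owner` and `repo`, but nothing in the search API consumes them; only the second form actually narrows the query. Keeping the post-filter as well means a schedule event with a malformed payload cannot widen the notification to repositories the app was never installed on.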
Issue Analytics
- Created 4 years ago
- Comments:8 (3 by maintainers)
Top GitHub Comments
Issue-Label Bot is automatically applying the label `question ❓` to this issue, with a confidence of 0.72. Please mark this comment with 👍 or 👎 to give our bot feedback! Links: app homepage, dashboard and code for this bot.
@gr2m reading https://github.com/octokit/octokit.net/blob/master/docs/github-apps.md and https://developer.github.com/v3/apps/permissions/#metadata-permissions I’m assuming search has access to anything public inside the domain 🤔 Thanks for your time 😃