> Those aren't exploitable XSS, but it doesn't hurt to have a second layer of defense.

The other suggests breaking clients that aren't using the more secure version of an OAuth method because

> I can't think of any OAuth client that would like to [use it]

That second one is a good idea, but the maintainer is also right to ask for some discussion before introducing a breaking change.

But crucially: neither of these are the kind of significant security issues you've found. Maybe lead with an actual bug?

A cryptographer friend tells the story of an amateur who kept bothering him with the cipher he invented. The cryptographer would break the cipher, the amateur would make a change to “fix” it, and the cryptographer would break it again. This exchange went on a few times until the cryptographer became fed up. When the amateur visited him to hear what the cryptographer thought, the cryptographer put three envelopes face down on the table. “In each of these envelopes is an attack against your cipher. Take one and read it. Don’t come back until you’ve discovered the other two attacks.” The amateur was never heard from again.

https://www.schneier.com/crypto-gram/archives/1998/1015.html

> The author of the recent 'Carrot disclosure' blog post has contacted the Forgejo Security team with their findings. The issues raised concern defence-in-depth improvements and denial-of-service risks. There is no known RCE exploit possible without internal server credentials.

> We believe these findings can be addressed publicly. The security team will open issues where approaches to implement new defensive measurements will be discussed, we believe there's no single answer and as such appreciate the opinion of other Forgejo contributors on this matter.

https://floss.social/@forgejo/116494295922963052

> But given the sorry state of the codebase

I honesty want a refund on the 10 minutes I wasted reading this.

It doesn't appear like the author is acting in good faith, instead grandstanding in public because they feel superior.

Getting HTML building right is a pretty basic building block of web apps, Forgejo can't have great security practices if they aren't doing that. So I can easily imagine the OP is correct in their assessment of Forgejo code security.

>Just thinking something not being used is not enough, even if it's a security sensitive topic

Linux kernel seems to disagree. This is a dangerously naive way to think of networked software in the AI age.

---

edit: I got hit with the "posting too fast" block again, so I'll reply to dangus here:

>While a remote host would further prove the claim, the person clearly claims it is RCE, not just CE. It would be quite the pie in the face if the author wrote a python script to take in an IP address but modified system files on the backend to create a stunt.

What happens if they treat every single report with the same effort and seriousness regardless of how it is reported? What happens if they dedicate too much effort in wild goose hunts while disregarding the more mundane/concrete security and maintenance work? How would an attacker take advantage of this process?

If you work in software, maybe you've encountered this yourself, in orgs where they don't have good processes around reporting bugs/issues. You essentially get DoSed by noise. You get tons of issues from customers (or internal stakeholders representing them), some barely describing stuff like "hey X can access Y, don't think they should" without any context (or even refusing to provide further information even after you ask), forcing you/CS to prune down all possible paths based on audit logs and their permission settings and so on.

Customers (in this case I'd say OSS users are customers too) can say "yeah this is the responsibility of the maintainers/vendors, why should I even care to report things a certain way, be glad I even told you at all" but IME this social posture is terrible for both parties. Even in commercial relationships, the best customers I've had were ones that reported issues that were concrete and reproducible. The chances I can fix it almost immediately goes up in orders of magnitude. The customer gets what they want and my job is simpler.

Even the core claim of the article, "this is a systemic issue", isn't fixed by a carrot disclosure. They don't imply an organizational/structural issue, merely a legacy one (inheriting stuff from gitea/gogs). What do you gain more by putting social-political pressure on an OSS project, if it's not a social-political problem?

The post reads more like an emotional response (frustration) rather than a productive one.

The Forgejo disclosure process looked pretty simple and straightforward to me. The bold and all-caps words that bothered the author are just making sure you know how to disclose vulnerabilities safely without leaking zero-day exploits to a wider audience than necessary.

I'm also not impressed with a carrot disclosure that looks like this. Running a python script to compromise a locally hosted instance? Bruh, you have physical hardware and host shell access. That python script could be doing anything including running as root.

Show us the exploit hitting a remote server.

> Failure to comply with these rules will be criticized publicly, and we reserve the right to no longer coordinate with you or your project in the future.

lol

"I found performance problems in your software, but I won't disclose them until you fix them."

"I'm a designer, but I won't disclose my improvement to your project until you adjust all the CSS bugs in your project."

If that person is skilled with finding security bugs, then that could be their contribution to that open-source project, like any other contribution.