mike-goodwin/owasp-threat-dragon

Threat Model - Access Level Controls Defined on the model file - GitHub

johocurtest opened this issue · 2 comments

It seems there is no ACL on the threat model file created in GitHub

Steps:

  • Login as User A using your GitHub account
  • Create a model
  • Share the link with User B
  • User B logs in to GitHub and opens the model file from User A's GitHub repo hyperlink

Result:
User B can change User A's file (no Read/Edit/Modify ACL)

Hello @johocurtest - agreed that anyone who has read access to the GitHub repo can see the threat model, and indeed if they have write access then they can modify it, which is a consequence of the permissions on the GitHub repo that is being used.

There are two use cases that I see for TD:

  1. web app access to a shared GitHub repo, with access control determined by the repo
  2. desktop app used to create / read / update the JSON file in a source tree stored in a repo

The company I work for uses TD desktop and an Atlassian repo, which seems to work well. If you want to use the web app then access control is needed on the GitHub repo.

There is a GitLab integration for TD on a fork that may be of interest:
#68 (comment)
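Since the reply above says the effective ACL on a web-app threat model is simply the repo's collaborator permissions, the practical check is to audit who on the repo can push. The following is an added example, not code from Threat Dragon or from either commenter: it evaluates the JSON shape returned by GitHub's REST endpoint `GET /repos/{owner}/{repo}/collaborators` (each entry carries a `permissions` object with `pull`, `triage`, `push`, `maintain` and `admin` booleans) and reports collaborators who can modify the model file but are not on an expected allow-list. The sample response and the logins in it are constructed so the script runs offline; in use you would feed it the real API response.

```python
"""Audit which GitHub collaborators can modify a Threat Dragon model file.

Added example, not part of the Threat Dragon project. Works on the JSON
returned by GET /repos/{owner}/{repo}/collaborators; the sample below is
constructed for offline use and the logins are placeholders.
"""
import json

# Constructed sample of the collaborators endpoint response.
SAMPLE_COLLABORATORS_JSON = """
[
  {"login": "user-a",
   "permissions": {"pull": true, "triage": true, "push": true, "maintain": true, "admin": true}},
  {"login": "user-b",
   "permissions": {"pull": true, "triage": true, "push": true, "maintain": false, "admin": false}},
  {"login": "reviewer-c",
   "permissions": {"pull": true, "triage": false, "push": false, "maintain": false, "admin": false}}
]
"""

# Any of these flags lets the holder change files in the repo, and therefore
# the threat model JSON stored in it. "pull" alone is read-only.
WRITE_FLAGS = ("push", "maintain", "admin")


def load_collaborators(raw_json: str) -> list:
    """Parse the collaborators response into a list of dicts."""
    return json.loads(raw_json)


def can_modify(permissions: dict) -> bool:
    """True if the collaborator holds any write-capable permission flag."""
    return any(permissions.get(flag, False) for flag in WRITE_FLAGS)


def classify_collaborators(collaborators: list) -> dict:
    """Split collaborators into those who can edit the model and those who can only read it."""
    result = {"can_modify": [], "read_only": []}
    for entry in collaborators:
        perms = entry.get("permissions", {})
        if can_modify(perms):
            result["can_modify"].append(entry["login"])
        elif perms.get("pull", False):
            result["read_only"].append(entry["login"])
    return result


def unexpected_writers(collaborators: list, allowed_writers: set) -> list:
    """Logins with write access that are not in the expected allow-list, sorted."""
    writers = set(classify_collaborators(collaborators)["can_modify"])
    return sorted(writers - set(allowed_writers))


if __name__ == "__main__":
    data = load_collaborators(SAMPLE_COLLABORATORS_JSON)
    print(classify_collaborators(data))
    # Only user-a is supposed to edit the model; user-b's push right is flagged.
    print("unexpected writers:", unexpected_writers(data, {"user-a"}))
```

The only real fix for the behaviour reported in this issue is on the repo side: keep the threat model in a repo where collaborators who should only review it hold `pull` rather than `push`, and re-run this kind of audit whenever collaborators change.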

Migrated to new issue in the OWASP area repo: OWASP/threat-dragon#10