I recently disconnected my GitHub account from the Slack app (I was trying to see if there was any way to sign out of my GitHub account in Slack after integrating) and it removed the integration from our channels. What was really weird though is that it displayed this message:
Use the following slash command to re-enable the subscription:
/github subscribe [a real repo that I did not own and had never heard of but am omitting here]
I can't imagine how this would be intentional behavior; if it is, it's extremely confusing to suggest a random repo. I'm also wondering if this may indicate a security concern, since it appears that I'm possibly receiving a suggestion for someone else's configuration.
Thanks for opening this issue! If you would like to help implement an improvement, read more about contributing and consider submitting a pull request.
Thanks for reporting this. I think it would help to know more about the Slack workspace you're using and which repository/organization to look into this further. Would you mind sending us the information you have through our Support Form?
@tcbyrd Sure, will do.
I believe this was addressed in #785. Thanks!
Yes, @dgollahon we deployed a fix on that PR. Thanks for reporting the problem and sorry for the inconvenience.
We figured out that it only happened when there were public repositories that had database IDs that matched your Organization's database IDs, because the API calls to those repositories always succeed and the code assumed that all subscriptions were repository subscriptions. It didn't work if the repository was private, so there was no sensitive/private information to be leaked.
Cool, thanks for the additional technical details. That makes sense.
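The root cause described in the thread above (a bare database ID resolved in the wrong namespace) can be sketched as follows. This is an added example, not part of the original thread and not the integration's own code; the lookup functions, record fields and sample IDs are hypothetical and the data is constructed.

```javascript
// Constructed sample data. Repository IDs and organization IDs come from
// separate sequences, so one number can identify one of each.
const REPOS = new Map([
  [4242, { fullName: 'stranger/unrelated-repo', private: false }],
  [5151, { fullName: 'stranger/secret-repo', private: true }],
]);
const ORGS = new Map([
  [4242, { login: 'example-org' }],
  [5151, { login: 'other-org' }],
]);

// Hypothetical stand-ins for API lookups: a private repository the caller
// cannot read is reported as not found.
const lookupRepo = (id) => {
  const repo = REPOS.get(id);
  return repo && !repo.private ? repo.fullName : null;
};
const lookupOrg = (id) => (ORGS.has(id) ? ORGS.get(id).login : null);

// Flawed: the record holds a bare ID and every subscription is assumed to
// be a repository, so an organization ID is resolved in the wrong namespace.
function resubscribeHintFlawed(sub) {
  const name = lookupRepo(sub.githubId);
  return name ? `/github subscribe ${name}` : null;
}

// Hardened: the record carries its resource type, the lookup uses the
// matching namespace, and a missing or unknown type fails closed.
function resubscribeHint(sub) {
  const resolvers = { repo: lookupRepo, org: lookupOrg };
  if (!Object.prototype.hasOwnProperty.call(resolvers, sub.type)) {
    throw new TypeError(`unknown subscription type: ${String(sub.type)}`);
  }
  const name = resolvers[sub.type](sub.githubId);
  return name ? `/github subscribe ${name}` : null;
}

// An organization subscription whose ID collides with a public repository.
const orgSub = { type: 'org', githubId: 4242 };
console.log(resubscribeHintFlawed(orgSub)); // names the unrelated repository
console.log(resubscribeHint(orgSub));       // names the organization
```

Storing the resource type alongside the ID is what makes the lookup unambiguous; a legacy record without a type is rejected rather than guessed at.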