@anderssonjohan
Created September 2, 2020 12:39
EOP with GitHub Actions and repository_dispatch + PAT

Illustration of an elevation-of-privilege vulnerability in GitHub Actions where a GitHub Personal Access Token (PAT) is used to trigger the repository_dispatch event. Triggering repository_dispatch requires write access to the target repository, so anyone who obtains the PAT can use that write access to create a workflow in the target repository that prints its secrets, which may include repository-level secrets or organization-level secrets shared only with selected repositories.
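
As an added example (not part of the gist), the following audit helper scans a workflow file for steps that call the `/repos/{owner}/{repo}/dispatches` endpoint with a secret other than `GITHUB_TOKEN`; each such secret is a PAT with write access to the named target repository and therefore the blast radius described above. The sample workflow, the repository name `example-org/downstream` and the secret name `DOWNSTREAM_PAT` are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the gist): one step authenticates a POST
# to the dispatches endpoint with a PAT stored as a secret; the other step only
# uses the built-in GITHUB_TOKEN, which cannot fire repository_dispatch anyway.
SAMPLE_WORKFLOW = """\
name: trigger-downstream
on: [push]
jobs:
  fanout:
    runs-on: ubuntu-latest
    steps:
      - name: Kick off downstream build
        run: |
          curl -X POST \\
            -H "Authorization: token ${{ secrets.DOWNSTREAM_PAT }}" \\
            https://api.github.com/repos/example-org/downstream/dispatches \\
            -d '{"event_type":"upstream-release"}'
      - name: Read-only call with the built-in token
        run: gh api repos/example-org/downstream/issues -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}"
"""

DISPATCH_RE = re.compile(r"/repos/([\w.-]+/[\w.-]+)/dispatches")
SECRET_RE = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")


def find_pat_dispatches(workflow_text: str) -> List[Dict[str, str]]:
    """Return one finding per (target repo, secret) pair where a step calls the
    repository_dispatch API with a secret other than GITHUB_TOKEN, i.e. a PAT
    that carries write access to the target repository."""
    findings: List[Dict[str, str]] = []
    # Split at step boundaries so a secret is only paired with a dispatch call
    # that appears in the same step.
    steps = re.split(r"(?m)^\s*- (?=name:|uses:|run:)", workflow_text)
    for step in steps:
        targets = DISPATCH_RE.findall(step)
        if not targets:
            continue
        pats = [s for s in SECRET_RE.findall(step) if s != "GITHUB_TOKEN"]
        for target in targets:
            for secret in pats:
                findings.append({"target_repo": target, "secret": secret})
    return findings


if __name__ == "__main__":
    for finding in find_pat_dispatches(SAMPLE_WORKFLOW):
        print(f"secret {finding['secret']} grants write access to {finding['target_repo']}")
```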
