@anderssonjohan
Created September 2, 2020 12:39
EOP with GitHub Actions and repository_dispatch + PAT

Illustration of an elevation-of-privilege vulnerability in GitHub Actions where a GitHub Personal Access Token (PAT) is used to trigger the repository_dispatch event, which requires write access to the target repository. Because the PAT grants write access to that repo, it can also be used to create workflows there that print the repository's secrets, which may include repo-level GitHub secrets or org-level secrets that are only made available to selected repositories.

Diagram (text rendering of the gist's SVG, drawn in diagrams.net; the original file is a drawing, not code):

Left box, repository githuborg/hacker_new_repo
    Org/Repo secrets: GitHub PAT of a privileged user
    Workflow: on push: print DISPATCH_TOKEN

Right box, repository githuborg/repo_with_secret
    Repo secrets: AWS Token
    Workflow: on push: print AWS_SECRET_KEY

Actors below the boxes:
    "hacker" (evil GitHub App, browser extension, evil stuff)
    GitHub Account, member of the GitHub organization, without write access to the repo holding the secret for the external service
    AWS Account

Numbered arrows:
1. hacker -> GitHub Account: obtains access to an unprivileged account in the GitHub org; the employee may have done something as simple as logging on to a website using GitHub and accepting all the permissions the app asked for...
2. GitHub Account -> githuborg/hacker_new_repo: creates a new repo, or uses an existing one, to create a workflow.
3. githuborg/hacker_new_repo -> hacker: obtains all secrets using any available method to pass them out (upload artifact, curl to own website, ...).
4. hacker -> githuborg/repo_with_secret: uses the obtained GitHub PAT, which carries higher privileges with write access to other org repos, to fetch the org/repo secrets available to the privileged org member by creating workflows in those repos.
5. hacker -> AWS Account: uses the stolen secrets to access services outside GitHub.
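An added example (not from the gist) of a defender-side audit for the setup described above: it scans workflow files for secrets expanded into run steps and for PAT-authenticated calls to the repository_dispatch endpoint, and reports which other repositories a stolen token would reach, which is exactly the blast radius of steps 3 and 4. The regexes, the Finding type and the sample workflow texts are constructed here and assume curl-style dispatch calls (a `uses:` dispatch action with a token input, or a secret passed via `env:`, is not covered).

```python
import re
from dataclasses import dataclass

# Patterns assumed by this example (not from the gist): a workflow-expression
# secret reference, and the REST endpoint that fires repository_dispatch.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
DISPATCH_RE = re.compile(r"api\.github\.com/repos/([\w.-]+/[\w.-]+)/dispatches")


@dataclass(frozen=True)
class Finding:
    workflow: str
    kind: str         # "secret-in-shell" or "dispatch-token"
    secret: str       # name of the secret involved
    target: str = ""  # owner/repo the token can write to (dispatch-token only)


def run_blocks(text):
    """Yield the shell text of every `run:` step (inline or `|`/`>` block).
    Indentation-based so no YAML library is needed; a real tool should parse."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s*)?run:\s*(.*)$", lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2).strip()
        if rest not in ("|", ">", "|-", ">-", "|+", ">+"):
            yield rest
            continue
        body = []
        while i < len(lines) and (
            not lines[i].strip()
            or len(lines[i]) - len(lines[i].lstrip()) > indent
        ):
            body.append(lines[i].strip())
            i += 1
        yield "\n".join(body)


def audit_workflow(name, text):
    """Findings for one workflow file.
    secret-in-shell: a secret is expanded into a `run:` step, so anyone who
      can push a workflow change to this repo can rewrite the step to print it.
    dispatch-token: that secret also calls /dispatches on another repo, so it
      is a token with write access there; its theft exposes that repo too."""
    findings = []
    for block in run_blocks(text):
        targets = sorted(set(DISPATCH_RE.findall(block)))
        for secret in sorted(set(SECRET_RE.findall(block))):
            findings.append(Finding(name, "secret-in-shell", secret))
            for target in targets:
                findings.append(Finding(name, "dispatch-token", secret, target))
    return findings


def reachable_repos(findings):
    """Map each dispatch token to the repos its theft would expose."""
    out = {}
    for f in findings:
        if f.kind == "dispatch-token":
            out.setdefault(f.secret, set()).add(f.target)
    return {k: sorted(v) for k, v in out.items()}


# Constructed sample workflows for the demo (not the gist's own files).
# The first mirrors the diagram's "on push: print DISPATCH_TOKEN" step.
LEAK_WORKFLOW = """
on: push
jobs:
  leak:
    runs-on: ubuntu-latest
    steps:
      - run: echo "${{ secrets.DISPATCH_TOKEN }}"
"""

# A legitimate-looking cross-repo trigger that stores a privileged PAT as a
# repo secret: the setup the gist describes.
DISPATCH_WORKFLOW = r"""
on: push
jobs:
  dispatch:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -X POST -H "Authorization: token ${{ secrets.DISPATCH_TOKEN }}" \
            https://api.github.com/repos/githuborg/repo_with_secret/dispatches \
            -d '{"event_type": "build"}'
"""
```

Run `audit_workflow` over each file under `.github/workflows/` and feed the results to `reachable_repos` to see which repositories a PAT stored in that repo would hand over; every such token is a candidate for replacement by a GitHub App installation token or a token scoped to the single target repository.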