In Git, there is a concept known as a pull request: a request to merge code into a repository. A change is identified by a hash called a commit hash, and a branch is a name that points at a commit hash.
The author was messing around with GitHub and noticed that it was possible to replace the base branch on a pull request with a commit hash. This produces odd error messages in the console, but the GitHub API accepts the change. Note that this was only possible by editing an existing pull request; a commit hash could not be set as the base when the pull request was first created.
GitHub Actions is a feature of GitHub that runs automated operations, such as tests, in response to events on the repository. These runs execute in an isolated environment and commonly need secrets. But how do you give the automated operations access to secrets without leaking them to anyone who can trigger a run? GitHub Actions' answer is that a workflow triggered by a pull request does not get access to secrets.
Here is where this all comes together. GitHub Actions decides whom to trust based on the value of the base branch: if the commit the base branch points to is the same as the pull request's commit, the secrets are accessible. But we can set the base branch to be our own commit hash! By doing so, we have tricked GitHub Actions into treating the pull request as coming from a trusted user.
By using the commit hash, we are able to steal arbitrary GitHub Actions secrets from repositories on GitHub. That's an incredibly powerful bug! The default GITHUB_TOKEN is now retrievable, giving the attacker the ability to write to the GitHub repository.
Input validation is important, even when it does not feel that way. With so much functionality being added daily, people do not understand the small, odd quirks of other parts of the code.
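As an added example (not code from the original post, and not GitHub's implementation), the following Python models the trust decision described above and the input-validation fix the conclusion calls for. The branch table, the commit hashes, the pull request and all function names are constructed for the illustration; the rejection rules are a subset of git's ref-name rules plus the one check this bug needed, that a bare commit hash is never accepted where a branch name is expected.

```python
import re
from typing import Dict, Optional

# Constructed, simplified model of a CI trust decision. This is NOT GitHub's
# implementation; it only illustrates the quirk the write-up describes.

# Anything that parses as an abbreviated or full hex commit hash. Treating
# 7..40 hex characters as "a hash" is a conservative assumption of this model.
COMMIT_HASH_RE = re.compile(r"^[0-9a-f]{7,40}$")


def is_valid_branch_name(ref: str) -> bool:
    """Return True only for a plausible branch name.

    Rules are a subset of `git check-ref-format`, plus one rule the model
    needs: a bare commit hash is never accepted where a branch is expected.
    """
    if not ref or COMMIT_HASH_RE.match(ref):
        return False
    if ref.startswith("/") or ref.endswith("/") or ref.endswith("."):
        return False
    if ".." in ref or "@{" in ref or "//" in ref or "/." in ref:
        return False
    if ref.startswith(".") or ref.endswith(".lock") or ref == "@":
        return False
    if any(c in " ~^:?*[\\" or ord(c) < 0x20 or ord(c) == 0x7F for c in ref):
        return False
    return True


def resolve_ref(base_ref: str, branches: Dict[str, str]) -> Optional[str]:
    """Flawed resolver: a branch name maps to its head commit, and a raw
    commit hash 'resolves' to itself, which is the gap being modelled."""
    if base_ref in branches:
        return branches[base_ref]
    if COMMIT_HASH_RE.match(base_ref):
        return base_ref
    return None


def flawed_secrets_allowed(base_ref: str, branches: Dict[str, str], pr_head: str) -> bool:
    """Model of the described decision: trust the pull request (and expose
    secrets) when the base ref resolves to the pull request's own commit."""
    return resolve_ref(base_ref, branches) == pr_head


def hardened_secrets_allowed(base_ref: str, branches: Dict[str, str], pr_head: str) -> bool:
    """Same decision, but the base ref must be a well-formed branch name that
    actually exists in the repository; user-supplied hashes never resolve."""
    if not is_valid_branch_name(base_ref) or base_ref not in branches:
        return False
    return branches[base_ref] == pr_head


# Constructed sample repository state: branch name -> head commit hash.
BRANCHES = {
    "main": "a" * 40,
    "feature/login": "b" * 40,
}
# Constructed pull request from a fork; its head commit is on no repo branch.
FORK_PR_HEAD = "c" * 40


def demo() -> Dict[str, bool]:
    """Run both decisions over the normal and the edited base ref."""
    return {
        # Normal PR targeting main: neither model exposes secrets.
        "flawed_main": flawed_secrets_allowed("main", BRANCHES, FORK_PR_HEAD),
        "hardened_main": hardened_secrets_allowed("main", BRANCHES, FORK_PR_HEAD),
        # Base ref edited to the PR's own commit hash, as the write-up describes.
        "flawed_edited": flawed_secrets_allowed(FORK_PR_HEAD, BRANCHES, FORK_PR_HEAD),
        "hardened_edited": hardened_secrets_allowed(FORK_PR_HEAD, BRANCHES, FORK_PR_HEAD),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: secrets {'exposed' if allowed else 'withheld'}")
```

The point of the split between `is_valid_branch_name` and the existence check in `hardened_secrets_allowed` is that the syntactic rule alone would still let a well-formed but nonexistent name through to a resolver; a trust decision should accept only values the server itself can map to a known branch, never a value it has to interpret on the user's behalf.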