Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

GitHub Actions check-spelling community workflow - GITHUB_TOKEN leakage via symlink- 601

Justin Steven, posted 4 years ago
  • The check-spelling GitHub Actions workflow is a spell checker for GitHub commits. It runs whenever a PR is opened against a repository, and afterwards it posts advice on how to fix the mistakes it found.
  • The check-spelling workflow reads a file called advice.md, which holds the guidance on how to handle mistakes; symlinked files in the checkout are themselves spellchecked. Instead of keeping advice.md a regular file, the author of the bug report replaced it with a symbolic link. By pointing that symbolic link at /proc/self/environ, the runner's environment, including the secret, is leaked into the workflow's output, which grants write privileges to the repository.
  • The GITHUB_TOKEN can be used to write to the repository silently. The token is invalidated as soon as the workflow finishes executing, but this can be raced: by constantly polling the comments on a PR that we have opened programmatically, we can reliably obtain the token and make a request before the workflow has completed.
  • To fix this vulnerability, symlinks will NOT be followed for anything that goes into .git. The author of the bug report also recommends scoping the tokens as narrowly as possible.
  • Overall, an interesting finding with a large amount of background and interesting scripts from the research. Symlinks are an awesome attack vector that is often overlooked.
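The fix described above, not following symlinks when a workflow reads files from an untrusted checkout, is the defensive check worth having in any CI step that reads repository-controlled paths. The following is an added example written for this page; it is not code from Justin Steven's advisory or from the check-spelling project. It assumes a simplified reader function, `safe_read_text`, that refuses symlinks on every path component and refuses paths that resolve outside the checkout; the `outside_secret.txt` file it creates is a constructed stand-in for /proc/self/environ so the demo runs on any OS.

```python
import os
import tempfile
from pathlib import Path


def safe_read_text(repo_root, rel_path):
    """Read rel_path from a checkout only if it is a regular file inside repo_root.

    Hypothetical hardening for a CI step that reads repository-controlled files:
    every path component is checked with lstat semantics (is_symlink does not
    follow the link), and the fully resolved path must still be under the root.
    """
    root = Path(repo_root).resolve()
    # Walk component by component so a symlinked directory is caught too,
    # not only a symlink at the leaf.
    cur = root
    for part in Path(rel_path).parts:
        cur = cur / part
        if cur.is_symlink():
            raise ValueError(f"refusing to follow symlink: {cur.relative_to(root)}")
    resolved = (root / rel_path).resolve()
    if resolved != root and root not in resolved.parents:
        raise ValueError("path escapes repository")
    if not resolved.is_file():
        raise ValueError("not a regular file")
    return resolved.read_text()


def try_read(repo_root, rel_path):
    """Wrap safe_read_text so the demo can report accept/refuse per path."""
    try:
        return ("ok", safe_read_text(repo_root, rel_path))
    except ValueError as exc:
        return ("refused", str(exc))


def demo():
    """Build a constructed checkout with a legitimate advice.md, a symlinked
    advice file pointing outside the tree, and a '..' traversal attempt."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "repo"
        (repo / ".github").mkdir(parents=True)
        (repo / ".github" / "advice.md").write_text("Check the word list and push a fix.\n")
        # Constructed stand-in for /proc/self/environ: a file outside the checkout
        # holding a placeholder secret that must never reach the workflow output.
        secret = Path(tmp) / "outside_secret.txt"
        secret.write_text("GITHUB_TOKEN=ghs_PLACEHOLDER\n")
        os.symlink(secret, repo / ".github" / "leaky.md")
        return {
            "regular": try_read(repo, ".github/advice.md"),
            "symlink": try_read(repo, ".github/leaky.md"),
            "traversal": try_read(repo, "../outside_secret.txt"),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The per-component walk matters: checking only the final path with `is_symlink` would still let a symlinked parent directory redirect the read. Combining the symlink refusal with the resolved-path containment check covers both the advisory's symlink vector and plain `..` traversal; narrow token scoping, as the advisory recommends, limits the damage if a read does slip through.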