From 7415196c07502c1b26c9d75a22b561148eba7e6a Mon Sep 17 00:00:00 2001 From: oreenlivnicode Date: Sun, 13 Oct 2024 17:29:47 +0300 Subject: [PATCH 1/2] Add gh custom action docs, and links to scanner tools Update CICD Pipelines doc --- .../abusing-github-actions/README.md | 18 ++-- .../gh-actions-context-script-injections.md | 40 ++++++--- .../gh-actions-custom-actions.md | 90 +++++++++++++++++++ .../pentesting-ci-cd-methodology.md | 6 +- 4 files changed, 132 insertions(+), 22 deletions(-) create mode 100644 pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-custom-actions.md diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/README.md b/pentesting-ci-cd/github-security/abusing-github-actions/README.md index 73ed34e5f8..7d49cad2b1 100644 --- a/pentesting-ci-cd/github-security/abusing-github-actions/README.md +++ b/pentesting-ci-cd/github-security/abusing-github-actions/README.md 
@@ -31,16 +31,14 @@ In this page you will find: For an introduction about [**Github Actions check the basic information**](../basic-github-information.md#github-actions). -In case you can **execute arbitrary Github actions/inject code** in a **repository**, you could be able to: +If you can **execute arbitrary code in GitHub Actions** within a **repository**, you may be able to: + +* **Steal secrets** mounted to the pipeline and **abuse the pipeline's privileges** to gain unauthorized access to external platforms, such as AWS and GCP. +* **Compromise deployments** and other **artifacts**. + * If the pipeline deploys or stores assets, you could alter the final product, enabling a supply chain attack. +* **Execute code in custom workers** to abuse computing power and pivot to other systems. +* **Overwrite repository code**, depending on the permissions associated with the `GITHUB_TOKEN`. -* **Steal** the **secrets** from that repo/organization. - * If you can only inject, you can steal whatever is already present in the workflow. -* Abuse **repo privileges** to access other platforms such as AWS and GCP. -* **Execute code in custom workers** (if custom workers are used) and try to pivot from there. -* **Overwrite** repository **code**. - * This depends on the privileges of the `GITHUB_TOKEN` (if any). -* **Compromise** **deployments** and other **artifacts**. - * If the code is deploying or storing something you could modify that and obtain some further access. ## GITHUB\_TOKEN 
@@ -598,6 +596,8 @@ The only way for an organization to figure out they have been targeted is to che The following tools are useful to find Github Action workflows and even find vulnerable ones: * [https://github.com/CycodeLabs/raven](https://github.com/CycodeLabs/raven) +* [https://github.com/praetorian-inc/gato](https://github.com/praetorian-inc/gato) +* [https://github.com/AdnaneKhan/Gato-X](https://github.com/AdnaneKhan/Gato-X) * [https://github.com/carlospolop/PurplePanda](https://github.com/carlospolop/PurplePanda) {% hint style="success" %} diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md index 01cb469db3..786a1de67a 100644 --- a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md +++ b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md @@ -17,17 +17,31 @@ Learn & practice GCP Hacking: @@ -52,6 +66,12 @@ To inject commands into this workflow, the attacker could create a pull request In this example, the **`"`** character is used to interrupt the `title=`**`"${{ github.event.pull_request.title }}"`** statement, allowing the `ls` command to be executed on the runner. +### Github Actions Scanning Tools +- [Raven](https://github.com/CycodeLabs/raven) - [Release blog](https://cycode.com/blog/introducing-raven/) +- [Gato](https://github.com/praetorian-inc/gato) +- [Gato-X](https://github.com/AdnaneKhan/Gato-X) +- [PurplePanda](https://github.com/carlospolop/PurplePanda) + {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) 
diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-custom-actions.md b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-custom-actions.md new file mode 100644 index 0000000000..9e3f520f7a --- /dev/null +++ b/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-custom-actions.md @@ -0,0 +1,90 @@ +# Gh Actions - Custom Actions + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} + +## What are Custom Actions? + +Custom Actions in GitHub Actions are a popular option that allows users to encapsulate reusable tasks and streamline workflows, similar to dependencies in programming. The `uses` keyword is employed to import different actions, while the `with` keyword passes parameters to the custom action. + +```yaml +- uses: actions/custom-action@4 + with: + token: ${{ github.token }} +``` + +Workflows can pass information to custom actions, which may utilize user-controlled contexts (see [related resources](/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md)). If you identify a vulnerable usage of a user-controlled context within a custom action, investigate all the pipelines that include this action in their import chain for potential exploitation. This approach was highlighted in [this blog post](https://cycode.com/blog/cycode-discovers-a-supply-chain-vulnerability-in-bazel/) regarding a vulnerability found in Google's Bazel project. + +For more information about custom actions checkout [Github's documentation](https://docs.github.com/en/actions/sharing-automations/creating-actions/about-custom-actions#about-custom-actions) + +## Custom Action Types + +Each type of custom action can execute shell code using parameters passed from the workflow, which makes every dependency in a pipeline a potential exploitation point :) + +### Composite Actions + +Composite Actions combine multiple workflow steps into a single action. Each step can invoke shell commands or call other actions. + +```yaml +name: example +description: Example of a Composite Action +runs: + using: "composite" + steps: + - run: printenv + shell: bash +``` + +### Docker Actions + +Docker Actions run inside a Docker container and can be configured using a Dockerfile or an image. 
+ +```yaml +name: example +description: Example of a Docker Action +runs: + using: docker + image: Dockerfile + env: + INPUT_NAME: ${{ inputs.name }} + INPUT_VERSION: ${{ inputs.version }} +``` + +### JavaScript Actions + +JavaScript Actions are similar to Node.js programs that execute code and call different functions, utilizing the GitHub Actions Toolkit to interact with the workflow. + +```yaml +name: example +description: Example of a JavaScript Action +runs: + using: "node16" + main: "dist/index.js" +``` + +{% hint style="success" %} +Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ +Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) + +
+ +Support HackTricks + +* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! +* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** +* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. + +
+{% endhint %} diff --git a/pentesting-ci-cd/pentesting-ci-cd-methodology.md b/pentesting-ci-cd/pentesting-ci-cd-methodology.md index 81bb14ef7c..3bde5f609f 100644 --- a/pentesting-ci-cd/pentesting-ci-cd-methodology.md +++ b/pentesting-ci-cd/pentesting-ci-cd-methodology.md @@ -27,11 +27,11 @@ VCS stands for **Version Control System**, this systems allows developers to **m * Gitea * Cloud providers (they offer their own VCS platforms) -## Pipelines +## CI/CD Pipelines -Pipelines allow developers to **automate the execution of code** (for building, testing, deploying... purposes) after certain actions occurs: A push, a PR, cron... They are terrible useful to a**utomate all the steps from development to production**. +CI/CD pipelines enable developers to **automate the execution of code** for various purposes, including building, testing, and deploying applications. These automated workflows are **triggered by specific actions**, such as code pushes, pull requests, or scheduled tasks. They are useful for streamlining the process from development to production. -However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code**. +However, these systems need to be **executed somewhere** and usually with **privileged credentials to deploy code or access sensitive information**. ## VCS Pentesting Methodology From b98ba26d4219dfb4a1b23c78e1a9bc12217a9b9e Mon Sep 17 00:00:00 2001 
From: oreenlivnicode Date: Mon, 14 Oct 2024 16:32:42 +0300 Subject: [PATCH 2/2] Number gh actions doc pages by logical order --- ...pt-injections.md => 1-gh-actions-context-script-injections.md} | 0 ...h-actions-custom-actions.md => 2-gh-actions-custom-actions.md} | 0 ...s-artifact-poisoning.md => 3-gh-actions-artifact-poisoning.md} | 0 ...actions-cache-poisoning.md => 4-gh-actions-cache-poisoning.md} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename pentesting-ci-cd/github-security/abusing-github-actions/{gh-actions-context-script-injections.md => 1-gh-actions-context-script-injections.md} (100%) rename pentesting-ci-cd/github-security/abusing-github-actions/{gh-actions-custom-actions.md => 2-gh-actions-custom-actions.md} (100%) rename pentesting-ci-cd/github-security/abusing-github-actions/{gh-actions-artifact-poisoning.md => 3-gh-actions-artifact-poisoning.md} (100%) rename pentesting-ci-cd/github-security/abusing-github-actions/{gh-actions-cache-poisoning.md => 4-gh-actions-cache-poisoning.md} (100%) diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md b/pentesting-ci-cd/github-security/abusing-github-actions/1-gh-actions-context-script-injections.md similarity index 100% rename from pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md rename to pentesting-ci-cd/github-security/abusing-github-actions/1-gh-actions-context-script-injections.md diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-custom-actions.md b/pentesting-ci-cd/github-security/abusing-github-actions/2-gh-actions-custom-actions.md similarity index 100% rename from pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-custom-actions.md rename to pentesting-ci-cd/github-security/abusing-github-actions/2-gh-actions-custom-actions.md 
diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md b/pentesting-ci-cd/github-security/abusing-github-actions/3-gh-actions-artifact-poisoning.md similarity index 100% rename from pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-artifact-poisoning.md rename to pentesting-ci-cd/github-security/abusing-github-actions/3-gh-actions-artifact-poisoning.md diff --git a/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md b/pentesting-ci-cd/github-security/abusing-github-actions/4-gh-actions-cache-poisoning.md similarity index 100% rename from pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md rename to pentesting-ci-cd/github-security/abusing-github-actions/4-gh-actions-cache-poisoning.md
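Review bot: the rewritten impact list in the README hunk at `@@ -31,16 +31,14 @@` loses the distinction the removed sub-bullet drew between arbitrary workflow execution and injection into an existing step (`If you can only inject, you can steal whatever is already present in the workflow`). That caveat matters when assessing impact: a context injection into one `run` step exposes only the secrets and contexts that step already references, not every secret of the repository or organization, so the new flat `**Steal secrets** mounted to the pipeline` overstates the injection-only case. Suggest keeping it as a sub-bullet, e.g. `* If you can only inject into an existing step, you can reach only the secrets and contexts that step already uses.`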
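Review bot: the new `### Github Actions Scanning Tools` section in the `gh-actions-context-script-injections.md` hunk at `@@ -52,6 +66,12 @@` duplicates the tool list that the README hunk at `@@ -598,6 +596,8 @@` extends in the same patch, so the two copies will drift the next time a tool is added. Suggest linking to the README list from here (or the other way round) instead of maintaining both. If the list stays, use the `*` bullet style the surrounding files use rather than `-`, spell the product name `GitHub` as the rest of the text does, and give each entry a short clause on what it finds (workflow inventory versus vulnerable-pattern detection) and what access it needs, since the list is otherwise bare links.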
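Review bot: the Docker example in the new `gh-actions-custom-actions.md` (hunk `@@ -0,0 +1,90 @@`) references `${{ inputs.name }}` and `${{ inputs.version }}` but declares no `inputs:` block, so the `action.yml` is incomplete as written; add the `inputs:` section (or drop the `env:` mapping, since Docker container actions already receive inputs as `INPUT_<NAME>` environment variables). The page also never states where workflow-controlled data actually reaches shell code in each action type, which is the whole point of the section: in a composite action it is `${{ inputs.x }}` interpolated into a `run:` step (the same expression-injection sink the script-injections page describes, and the pattern behind the linked Bazel case), in a Docker action the `INPUT_<NAME>` variables and `args`, and in a JavaScript action whatever the code does with `core.getInput()`. One sentence per type would make the "investigate all the pipelines that include this action" advice actionable. Smaller points: `actions/custom-action@4` reads like a placeholder and should be labelled as one or replaced by a real action; since the page is about supply-chain exposure through dependencies, it is worth noting that pinning `uses:` to a full commit SHA rather than a mutable tag is the standard mitigation; `using: "node16"` is deprecated as an action runtime, so `node20` is the better example value; and in prose, `checkout` should be `check out` with a closing period, and the `:)` in `a potential exploitation point :)` does not fit the register of the rest of the book.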
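Review bot: PATCH 2/2 renames `gh-actions-context-script-injections.md` to `1-gh-actions-context-script-injections.md` with `0 insertions(+), 0 deletions(-)`, but the new `gh-actions-custom-actions.md` introduced in PATCH 1/2 links to `/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-context-script-injections.md`, which no longer exists after this commit, so the cross-reference breaks. Update that link in the same commit (and any navigation file the GitBook build uses, such as `SUMMARY.md`, plus any other pages that link to the four old names). Two style points: the link uses an absolute path while the README hunk uses relative ones (`../basic-github-information.md`), so pick one convention; and encoding the reading order in the filename means every future insertion forces another round of renames and link updates, whereas ordering the entries in the navigation file achieves the same result without churn.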