Created
September 2, 2020 12:39
Revisions
-
anderssonjohan created this gist
Sep 2, 2020
@@ -0,0 +1,4 @@ Illustration of elevation of privilege vulnerability using GitHub Actions where GitHub Personal Access Tokens (PAT) are used to trigger the repository_dispatch event, which requires write access to the target repository. With write access to the repo, the access allows creating workflows that prints the secrets in the target repository, which may contain GitHub secrets on the repo level or org level secrets only given out to selected repositories.
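Review bot: the added description packs the whole threat into one run-on sentence and has a subject-verb mismatch in "creating workflows that prints the secrets" (should be "workflows that print the secrets"); suggest splitting it into separate lines, for example one for the trigger ("repository_dispatch requires a token with write access to the target repository"), one for the consequence ("with write access, the holder of that PAT can add a workflow that exposes the repository's secrets"), and one for the blast radius ("this includes org-level secrets shared with selected repositories"). The text also states the risk without the matching control; consider adding a line that the dispatching credential should carry the minimum scope needed (a token limited to the target repository, or a GitHub App installation token, rather than a user PAT with broad repo-wide write access) and that org-level secrets should only be shared with the repositories that actually need them.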