blacklanternsecurity / bbot

A recursive internet scanner for hackers.
https://www.blacklanternsecurity.com/bbot/
GNU General Public License v3.0

Module Enhancement: `github_orgs` raise github actions logs as `HTTP_RESPONSE` #1305

Closed domwhewell-sage closed 2 months ago

domwhewell-sage commented 3 months ago

GitHub Actions logs could be a great source of plaintext secrets; use the API_KEY to make a request to the GitHub API and grab the action logs.

TheTechromancer commented 3 months ago

Wow good idea.

domwhewell-sage commented 3 months ago

Damn, it has to be an admin api_key even for a public repository.

Or, using the html_url, you have to have a valid user_session cookie.

domwhewell-sage commented 3 months ago

Error message wasn't helpful, but it appears you can download log .zip files for public repos w/o admin rights 🥳

So this module will instead be emitting FILESYSTEM events, and a further enhancement can be made to trufflehog to consume these events.

domwhewell-sage commented 2 months ago

In case anyone gets this error for a public repository:

```text
2024-05-14 00:02:46,662 [VERBOSE] bbot.core.helpers.web web.py:304 Failed to download https://api.github.com/repos/<ORG>/<repo>/actions/runs/<run_id>/logs: Client error '403 Forbidden' for url 'https://api.github.com/repos/<ORG>/<repo>/actions/runs/<run_id>/logs'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
2024-05-14 00:02:46,662 [WARNING] bbot.modules.github_workflows base.py:1326 The current access key does not have access to workflow <ORG>/<repo>/<run_id> (status: 403)
2024-05-14 00:02:46,662 [TRACE] bbot.modules.github_workflows base.py:1377 Traceback (most recent call last):
  File "/usr/local/lib/python3.10/dist-packages/bbot/modules/github_workflows.py", line 115, in download_run_logs
    await self.helpers.download(
  File "/usr/local/lib/python3.10/dist-packages/bbot/core/helpers/web.py", line 287, in download
    response.raise_for_status()
  File "/usr/local/lib/python3.10/dist-packages/httpx/_models.py", line 759, in raise_for_status
    raise HTTPStatusError(message, request=request, response=self)
httpx.HTTPStatusError: Client error '403 Forbidden' for url 'https://api.github.com/repos/<ORG>/<repo>/actions/runs/<run_id>/logs'
For more information check: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403
```

The documentation says:

> If the repository is private, OAuth tokens and personal access tokens (classic) need the repo scope to use this endpoint.

However, I have found that even for public repositories, personal access tokens (classic) must have the `repo` scope.

(screenshot)
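The thread's findings pulled together as a standalone script: an added example, not bbot's `github_workflows` module or anything from GitHub. It checks the classic PAT's scopes up front via the `X-OAuth-Scopes` response header (so the `repo` requirement the thread hit surfaces before any 403), lists recent runs, fetches each run's log archive by following the logs endpoint's redirect by hand (the archive lives on blob storage behind a signed URL and must be fetched without the GitHub `Authorization` header), and greps the zip members for secret-looking strings. Assumptions: `GITHUB_TOKEN` holds a classic PAT with the `repo` scope, the archive follows GitHub's `<job>/<step>_<name>.txt` member layout, and the two regexes and the sample archive in `build_sample_zip()` are constructed here for illustration.

```python
"""Download GitHub Actions run logs for a public repo and grep them for secrets.
Added example, not bbot's github_workflows module. Assumes GITHUB_TOKEN holds a
classic PAT with the `repo` scope (needed even for public repos, per the thread)
and that the archive has GitHub's "<job>/<step>_<name>.txt" members."""
from __future__ import annotations

import io, json, os, re, sys, zipfile
import urllib.error, urllib.parse, urllib.request
from pathlib import Path

API = "https://api.github.com"

# Constructed patterns: one well-known key format plus a loose "key = value"
# assignment. A real scanner (trufflehog) knows hundreds more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([^\s'\"]{8,})"),
}


def has_repo_scope(x_oauth_scopes: str | None) -> bool:
    """GitHub echoes a classic PAT's scopes in the X-OAuth-Scopes header
    (e.g. "repo, workflow"); require the full `repo` scope up front."""
    return bool(x_oauth_scopes) and "repo" in {s.strip() for s in x_oauth_scopes.split(",")}


def explain_logs_status(status: int) -> str:
    """What a status from GET .../actions/runs/{id}/logs means in practice."""
    return {
        200: "ok",
        302: "redirect to a short-lived archive URL; fetch it without the token",
        403: "token lacks the `repo` scope (needed even for public repositories)",
        404: "repository, run or log archive not found",
    }.get(status, f"unexpected HTTP {status}")


def scan_log_zip(zip_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (member, pattern_name, match) for every hit in a run-logs zip."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith(".txt"):
                text = zf.read(member).decode("utf-8", errors="replace")
                for name, pat in SECRET_PATTERNS.items():
                    hits += [(member, name, m.group(m.lastindex or 0)) for m in pat.finditer(text)]
    return hits


def build_sample_zip() -> bytes:
    """Constructed stand-in for a real log archive, so the scanner runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("build/1_Set up job.txt", "2024-05-14T00:02:46Z Runner version 2.316\n")
        zf.writestr("build/3_Run tests.txt",
                    "2024-05-14T00:03:01Z export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    "2024-05-14T00:03:02Z API_KEY='sk_live_deadbeefcafef00d'\n")
    return buf.getvalue()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface the 302 instead of following it: the Location is blob storage
    and must be fetched *without* the GitHub Authorization header."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _api(path: str, token: str, params: dict | None = None):
    url = f"{API}{path}" + (f"?{urllib.parse.urlencode(params)}" if params else "")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json", "X-GitHub-Api-Version": "2022-11-28"})
    return urllib.request.build_opener(_NoRedirect).open(req, timeout=30)


def list_run_ids(owner: str, repo: str, token: str, limit: int = 5) -> list[int]:
    with _api(f"/repos/{owner}/{repo}/actions/runs", token, {"per_page": limit}) as resp:
        return [run["id"] for run in json.load(resp)["workflow_runs"]]


def download_run_logs(owner: str, repo: str, run_id: int, token: str, dest: Path) -> Path:
    """GET the logs endpoint, follow its redirect by hand, write the zip to dest."""
    try:
        with _api(f"/repos/{owner}/{repo}/actions/runs/{run_id}/logs", token) as resp:
            dest.write_bytes(resp.read())  # a direct 200 would carry the archive
            return dest
    except urllib.error.HTTPError as e:
        if e.code != 302:
            raise RuntimeError(f"run {run_id}: {explain_logs_status(e.code)}") from e
        archive_url = e.headers["Location"]
    with urllib.request.urlopen(archive_url, timeout=60) as r:  # signed URL, no token
        dest.write_bytes(r.read())
    return dest


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} OWNER REPO   (classic PAT in GITHUB_TOKEN)")
    owner, repo, token = sys.argv[1], sys.argv[2], os.environ["GITHUB_TOKEN"]
    with _api("/user", token) as resp:  # cheap scope check before the 403 surprise
        if not has_repo_scope(resp.headers.get("X-OAuth-Scopes")):
            sys.exit("token lacks the `repo` scope; the logs endpoint will return 403")
    out = Path("run_logs"); out.mkdir(exist_ok=True)
    for run_id in list_run_ids(owner, repo, token):
        zip_path = download_run_logs(owner, repo, run_id, token, out / f"{run_id}.zip")
        for member, kind, value in scan_log_zip(zip_path.read_bytes()):
            print(f"{zip_path}:{member}: {kind} -> {value[:6]}...")
```

Run it as `GITHUB_TOKEN=ghp_... python3 actions_logs.py OWNER REPO`; the zips it leaves in `run_logs/` are the same FILESYSTEM-style artifacts the thread proposes handing to trufflehog, which will find far more than the two constructed patterns here. The redirect is handled manually on purpose: urllib's default redirect handler forwards the `Authorization` header to the new host, and the archive host does not want a GitHub bearer token.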