File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ # Intentionally insecure test fixture. Do not use in production.
2+ on :
3+ pull_request_target :
4+ workflow_dispatch :
5+ inputs :
6+ cmd :
7+ required : true
8+ default : " echo hello"
9+
10+ permissions : write-all
11+
12+ jobs :
13+ bad :
14+ runs-on : ubuntu-latest
15+ env :
16+ AWS_SECRET_ACCESS_KEY : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
17+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
18+
19+ steps :
20+ - uses : actions/checkout@v4
21+ with :
22+ persist-credentials : true
23+ ref : ${{ github.event.pull_request.head.ref }}
24+
25+ - uses : actions/setup-node@v4
26+
27+ - uses : docker://alpine:latest
28+
29+ - name : Cache untrusted dependency path
30+ uses : actions/cache@v4
31+ with :
32+ path : node_modules
33+ key : ${{ github.event.pull_request.title }}
34+
35+ - name : Template injection via PR title
36+ run : |
37+ echo "PR title: ${{ github.event.pull_request.title }}"
38+ echo "Branch: ${{ github.head_ref }}"
39+
40+ - name : Run user-controlled input
41+ run : |
42+ ${{ github.event.inputs.cmd }}
43+
44+ - name : Leak secrets into logs
45+ run : |
46+ echo "AWS key is $AWS_SECRET_ACCESS_KEY"
47+ echo "Token is $GH_TOKEN"
48+
49+ - name : Dangerous curl bash
50+ run : |
51+ curl https://example.com/install.sh | bash
52+
53+ - name : Upload secrets as artifact
54+ uses : actions/upload-artifact@v4
55+ with :
56+ name : secrets
57+ path : ~/.ssh
You can’t perform that action at this time.
0 commit comments