mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00

GitBook: [#2895] update

CPol 2021-12-07 15:53:39 +00:00 committed by gitbook-bot
parent 5b7044ff84
commit 5d35e0d35b
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 8 additions and 15 deletions

View file

@ -256,6 +256,12 @@ For an introduction about [**Github Environment check the basic information**](b
In case an environment can be **accessed from all the branches**, it's **isn't protected** and you can easily access the secrets inside the environment. Note that you might find repos where **all the branches are protected** (by specifying its names or by using `*`) in that scenario, **find a branch were you can push code** and you can **exfiltrate** the secrets creating a new github action (or modifying one).
Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and your user isn't listed. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**.
Note, that you might find the edge case where **all the branches are protected** (via wildcard `*`) it's specified **who can push code to the branches** (_you can specify that in the branch protection_) and **your user isn't allowed**. You can still run a custom github action because you can create a branch and use the push trigger over itself. The **branch protection allows the push to a new branch so the github action will be triggered**.
Note that after the creation of the branch the branch protection will apply to the new branch and you won't be able to modify it, but for that time you will have already dumped the secrets.
```yaml
push: # Run it when a push is made to a branch
branches:
- current_branch_name #Use '**' to run when a push is made to any branch
```
Note that **after the creation** of the branch the **branch protection will apply to the new branch** and you won't be able to modify it, but for that time you will have already dumped the secrets.
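Review bot: The added YAML fragment starts at `push:` with no parent `on:` key, so a reader cannot tell where it sits in a workflow file; show it nested under `on:`. The new edge-case paragraph also stops at the secret dump and never says which setting closes the gap. The text itself states that a `*` rule applies to a branch only after it is created, so limiting an environment to protected branches does not help here, and the paragraph should point to the option of specifying which branches can access the environment. Two smaller points: the sentence "(via wildcard `*`) it's specified **who can push code to the branches**" is a run-on that needs an "and" or a split, and the first context line still carries "it's **isn't protected**" and "find a branch were you can push code".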

View file

@ -180,19 +180,6 @@ Once configured in the repo or the organizations **users of github won't be able
Therefore, the **only way to steal github secrets is to be able to access the machine that is executing the Github Action** (in that scenario you will be able to access only the secrets declared for the Action).
### Git Environments
Github allows to create **environments** where you can save **secrets**. Then, you can give the github action access to the secrets inside the environment with something like:
```yaml
jobs:
deployment:
runs-on: ubuntu-latest
environment: env_name
```
You can configure an environment to be **accessed** by **all branches** (default), **only protected** branches or **specify** which branches can access it.
### Git Action Box
A Github Action can be **executed inside the github environment** or can be executed in a **third party infrastructure** configured by the user.
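Review bot: Deleting the whole "### Git Environments" section removes the only visible statement of the three access modes ("**all branches** (default), **only protected** branches or **specify** which branches"), which the new text in the other file relies on when it talks about an environment being "accessed from all the branches". The other file's hunk header also shows a link titled "Github Environment check the basic information" whose target is cut off in this view; confirm it does not point at the heading removed here, or keep a short version of the section (the `environment: env_name` example plus the access-mode sentence) so the link and the reasoning still have something to land on.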