praetorian-inc/gato

Remove other Workflow files when executing Attack module

AdnaneKhan opened this issue · 0 comments

Currently, the attack feature (fork PR, push exec and push exfil) only adds a new workflow. If other workflows also run on push they will execute in addition to the malicious workflow. This can have unintended effects depending on what the different workflows do.

This can be solved by removing all other files within the .github/workflows directory before adding the new one. Since Gato uses the GitHub contents API, it can only change one file at a time. Deleting files individually would also trigger events.

The solution here is to use the Git database APIs (https://docs.github.com/en/rest/git/blobs?apiVersion=2022-11-28, etc.) to create a new commit that:

  • WITHIN THE NEW BRANCH removes all files in the .github/workflows directory.
  • Adds the malicious file.
  • Creates and pushes a single commit to the branch.

This will significantly increase the stability and opsec profile of Gato's attack features.