
Autodiscovery

pipeleek gh renovate autodiscovery

Create a PoC for exploiting Renovate autodiscovery misconfigurations

Synopsis

Create a repository with a Renovate Bot configuration that will be picked up by an existing Renovate Bot user. The Renovate Bot will execute the malicious Gradle wrapper script during dependency updates; you can customize that script in exploit.sh. Note: On GitHub, the bot/user account must proactively accept the invite.

pipeleek gh renovate autodiscovery [flags]

Examples

# Create a repository and invite the victim Renovate Bot user to it. Uses Gradle wrapper to execute arbitrary code during dependency updates.
pipeleek gh renovate autodiscovery --token ghp_xxxxx --github https://api.github.com --repo-name my-exploit-repo --username renovate-bot-user
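
On the defending side, a self-hosted Renovate is exposed to this when `autodiscover` is enabled and `autodiscoverFilter` is missing or matches repositories outside the organisation. The audit below is an added example, not part of pipeleek or its documentation; the owner names and sample configs are constructed, and the glob matcher only approximates Renovate's minimatch and RE2 handling.

```python
import re

def glob_to_regex(pattern):
    # Approximation of minimatch: '*' and '?' stay inside one path segment,
    # '**' may cross '/'. Case-insensitive, as GitHub owner/repo names are.
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z", re.IGNORECASE)

def filter_matches(flt, repo):
    # Renovate also accepts /regex/ filters; Python's re stands in for RE2 here.
    if len(flt) > 2 and flt.startswith("/") and flt.endswith("/"):
        return re.search(flt[1:-1], repo) is not None
    return glob_to_regex(flt).match(repo) is not None

def audit_autodiscovery(config, outside_repos):
    """Return findings for a self-hosted Renovate config given as a dict.
    outside_repos: owner/name strings an account outside the organisation could create."""
    if not config.get("autodiscover"):
        return []
    filters = config.get("autodiscoverFilter") or []
    if isinstance(filters, str):
        filters = [filters]
    if not filters:
        # Every repository the bot account can access gets processed.
        return [("NO_FILTER", None, None)]
    return [("MATCHES_OUTSIDE_REPO", f, r)
            for f in filters for r in outside_repos if filter_matches(f, r)]

# Constructed sample input: "acme-corp" and "outside-user" are made-up owners.
OUTSIDE = ["outside-user/my-exploit-repo"]
SAMPLES = {
    "no filter": {"autodiscover": True},
    "wildcard owner": {"autodiscover": True, "autodiscoverFilter": ["*/*"]},
    "pinned owner": {"autodiscover": True, "autodiscoverFilter": ["acme-corp/*"]},
    "pinned regex": {"autodiscover": True, "autodiscoverFilter": "/^acme-corp\\/.+/"},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, "->", audit_autodiscovery(cfg, OUTSIDE) or "ok")
```

A filter that pins the owner segment to the organisation returns no findings; one with a wildcard owner matches any repository an outside account invites the bot to.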

Options

  -h, --help               help for autodiscovery
  -r, --repo-name string   The name for the created repository
  -u, --username string    The username of the victim Renovate Bot user to invite

Options inherited from parent commands

      --color              Enable colored log output (auto-disabled when using --logfile) (default true)
      --config string      Config file path. Example: ~/.config/pipeleek/pipeleek.yaml
  -g, --github string      GitHub API base URL (default "https://api.github.com")
      --ignore-proxy       Ignore HTTP_PROXY environment variable
      --json               Use JSON as log output format
      --log-level string   Set log level globally (debug, info, warn, error). Example: --log-level=warn
  -l, --logfile string     Log output to a file
  -t, --token string       GitHub Personal Access Token
  -v, --verbose            Enable debug logging (shortcut for --log-level=debug)

SEE ALSO