Skip to content

Exploiting CORS – How to Pentest Cross-Origin Resource Sharing Vulnerabilities #383

Exploiting CORS – How to Pentest Cross-Origin Resource Sharing Vulnerabilities

Exploiting CORS – How to Pentest Cross-Origin Resource Sharing Vulnerabilities #383

on:
issue_comment:
types: [created]
name: Move Project Cards by /command
jobs:
validate_and_get_card:
name: Validate command and get project card info
runs-on: ubuntu-latest
permissions:
issues: read
# Run the job only if the new comment starts with '/'
if: |
!github.event.issue.pull_request && startsWith(github.event.comment.body, '/')
outputs:
valid_command: ${{ steps.command_check.outputs.valid_command }}
command: ${{ steps.command_check.outputs.command }}
target_status: ${{ steps.command_check.outputs.target_status }} # Which status to move the card to
card_id: ${{ steps.get_card.outputs.card_id }}
project_url: ${{ steps.get_card.outputs.project_url }}
project_name: ${{ steps.get_card.outputs.project_name }}
steps:
- name: Validate command
id: command_check
env:
COMMENT: ${{ github.event.comment.body }}
run: |
# For ease of use, accept both /postedit and /post-edit.
if [[ "$COMMENT" == /postedit* || "$COMMENT" == /post-edit* ]]; then
echo "::set-output name=command::postedit"
echo "::set-output name=target_status::in Postediting"
echo "::set-output name=valid_command::true"
# We can remove this elif condition for /translate when we move to /postedit command completely.
# Keeping this for now to make the old command work during the transition period.
elif [[ "$COMMENT" == /translate* ]]; then
echo "::set-output name=command::translate"
echo "::set-output name=target_status::in Translation"
echo "::set-output name=valid_command::true"
elif [[ "$COMMENT" == /review* ]]; then
echo "::set-output name=command::review"
echo "::set-output name=target_status::in Review"
echo "::set-output name=valid_command::true"
else
echo "::warning::Invalid command. The comment must start with /postedit or /review."
echo "::set-output name=valid_command::false"
fi
- name: Get project card
id: get_card
if: steps.command_check.outputs.valid_command == 'true'
uses: actions/github-script@v7
env:
ISSUE_NODE_ID: ${{ github.event.issue.node_id }}
with:
script: |
const query = `
query ($id: ID!) {
node(id: $id) {
... on Issue {
projectsV2(first: 1) {
edges {
node {
id
url
title
items(first: 100) {
edges {
node {
id
content {
... on Issue {
id
}
}
}
}
}
}
}
}
}
}
}
`;
const variables = {
id: process.env.ISSUE_NODE_ID
};
const result = await github.graphql(query, variables);
console.log(`Result: ${JSON.stringify(result)}`);
const cardId = result.node.projectsV2.edges[0].node.items.edges.find(edge => edge.node.content.id === process.env.ISSUE_NODE_ID).node.id;
const projectUrl = result.node.projectsV2.edges[0].node.url;
const projectName = result.node.projectsV2.edges[0].node.title;
console.log(`Card ID: ${cardId}`);
console.log(`Project URL: ${projectUrl}`);
console.log(`Project Name: ${projectName}`);
core.setOutput('card_id', cardId);
core.setOutput('project_url', projectUrl);
core.setOutput('project_name', projectName);
github-token: ${{ secrets.MOVE_CARDS_TOKEN }}
assign_issue:
name: Assign issue and update project card
needs: validate_and_get_card
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- name: Add comment for invalid command # Reply to the user if the command was invalid
if: needs.validate_and_get_card.outputs.valid_command != 'true'
uses: actions/github-script@v7
env:
USER_LOGIN: ${{ github.event.comment.user.login }}
with:
script: |
const issueComment = `
@${process.env.USER_LOGIN} The command was invalid. The comment must start with /postedit or /review.
`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: issueComment
});
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout # Checkout the scripts in this repo onto the runner
if: needs.validate_and_get_card.outputs.valid_command == 'true'
uses: actions/checkout@v3
- name: Assign issue to the commenter as posteditor
id: assign_posteditor
# We can remove the check for 'translate' when we move to /postedit command completely.
if: needs.validate_and_get_card.outputs.valid_command == 'true' && (needs.validate_and_get_card.outputs.command == 'postedit' || needs.validate_and_get_card.outputs.command == 'translate' )
uses: actions/github-script@v7
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
script: |
const script = require('./scripts/assignPosteditor.js');
await script({github, context, core});
- name: Assign issue to the reviewer
id: assign_reviewer
if: needs.validate_and_get_card.outputs.valid_command == 'true' && needs.validate_and_get_card.outputs.command == 'review'
uses: actions/github-script@v7
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
script: |
const script = require('./scripts/assignReviewer.js');
const projectName = '${{ needs.validate_and_get_card.outputs.project_name }}';
await script({github, context, core, projectName});
- name: Update project card status
if: steps.assign_posteditor.outcome == 'success' || steps.assign_reviewer.outcome == 'success'
uses: titoportas/[email protected]
with:
project-url: ${{ needs.validate_and_get_card.outputs.project_url }}
github-token: ${{ secrets.MOVE_CARDS_TOKEN }}
item-id: ${{ needs.validate_and_get_card.outputs.card_id }}
field-keys: Status
field-values: ${{ needs.validate_and_get_card.outputs.target_status }}