Documentation
Overview
pkg/gitlab/attacks/secretsdump/crypto.go
pkg/gitlab/attacks/secretsdump/logparser.go
pkg/gitlab/attacks/secretsdump/pipeline.go
pkg/gitlab/attacks/secretsdump/secretsdump.go
Index
- func DecryptSecrets(privateKey *rsa.PrivateKey, encSymKeyB64, encSecretsB64 string) ([]byte, error)
- func ExtractEncryptedBlobs(logs string) (encSymKey, encSecrets string, err error)
- func GeneratePipelineYAML(publicKeyPEM string) string
- func ParseSecretsFromEnv(envOutput []byte) map[string]string
- type Plugin
Functions
func DecryptSecrets
func DecryptSecrets(privateKey *rsa.PrivateKey, encSymKeyB64, encSecretsB64 string) ([]byte, error)
DecryptSecrets decrypts the encrypted environment variables using RSA-4096 + AES-256-CBC + PBKDF2, matching OpenSSL defaults.
func ExtractEncryptedBlobs
ExtractEncryptedBlobs extracts the encrypted symmetric key and secrets from pipeline logs.
Expected format: $<base64_enc_symkey>$<base64_enc_secrets>$
GitLab CI adds timestamps/ANSI codes that break the pattern, so we find large base64 chunks.
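A defender-side check for the log pattern described above, as an added example that is not part of this package: it strips ANSI codes from each job-log line and flags long base64 runs. The 256-character threshold, the `Hit` type, the function name and the sample log lines are assumptions constructed for illustration; an RSA-4096 ciphertext is 512 bytes, which is 684 base64 characters.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ansiRe matches ANSI CSI escape sequences (colour codes) found in CI job logs.
var ansiRe = regexp.MustCompile(`\x1b\[[0-9;]*[A-Za-z]`)

// b64Re matches runs of base64 alphabet characters with optional padding.
var b64Re = regexp.MustCompile(`[A-Za-z0-9+/]+={0,2}`)

// minRun is an assumed alert threshold, well below the 684 characters that a
// base64-encoded RSA-4096 ciphertext (512 bytes) occupies.
const minRun = 256

// Hit records one suspicious base64 run (hypothetical type for this example).
type Hit struct {
	Line int // 1-based line number in the log
	Len  int // length of the base64 run
}

// SuspiciousBlobs returns every base64 run of at least minRun characters.
func SuspiciousBlobs(log string) []Hit {
	var hits []Hit
	for i, line := range strings.Split(log, "\n") {
		clean := ansiRe.ReplaceAllString(line, "")
		for _, m := range b64Re.FindAllString(clean, -1) {
			if len(m) >= minRun {
				hits = append(hits, Hit{Line: i + 1, Len: len(m)})
			}
		}
	}
	return hits
}

func main() {
	blob := strings.Repeat("QUJD", 171) // constructed 684-character run
	log := "2024-01-01T00:00:00Z \x1b[32;1m$ make test\x1b[0;m\n" + // constructed log
		"2024-01-01T00:00:01Z ok  example/pkg 0.012s\n" +
		"2024-01-01T00:00:02Z $" + blob + "$" + blob + "$\n"
	for _, h := range SuspiciousBlobs(log) {
		fmt.Printf("line %d: base64 run of %d chars\n", h.Line, h.Len)
	}
}
```

A blob that is line-wrapped at a short width would fall under the threshold per line, so a production rule would also need to count consecutive base64-only lines.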
func GeneratePipelineYAML
GeneratePipelineYAML creates a malicious .gitlab-ci.yml that exfiltrates secrets via encrypted pipeline execution (PPE attack).
func ParseSecretsFromEnv
ParseSecretsFromEnv parses KEY=VALUE pairs from decrypted env output.
Types
type Plugin
type Plugin struct {
	base.BaseAttackPlugin
}
Plugin implements secrets exfiltration via PPE.
func (*Plugin) CanAttack
func (p *Plugin) CanAttack(findings []detections.Finding) bool
CanAttack checks if secrets dump is applicable. PPE works even without detected vulnerabilities; it only needs Developer+ access.
func (*Plugin) Execute
func (p *Plugin) Execute(ctx context.Context, opts attacks.AttackOptions) (*attacks.AttackResult, error)
Execute performs the PPE attack.