Github API keys review #2315

Open
domwhewell-sage opened this issue Feb 25, 2025 · 4 comments
Labels
bug Something isn't working

Comments

@domwhewell-sage
Contributor

Going to compile a list of the GitHub REST API endpoints that each of the modules accesses here to check if auth_required needs to be set on any of them (I'm looking at you github_workflows 👀)

@domwhewell-sage domwhewell-sage added the bug Something isn't working label Feb 25, 2025
@domwhewell-sage
Contributor Author

github_org

This endpoint can be used without authentication if only public resources are requested.

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

@domwhewell-sage
Contributor Author

git_clone

If the api_key is supplied the repo url will be https://user:{self.api_key}@github.com
No issues there

@domwhewell-sage
Contributor Author

github_workflows

TL;DR:

  • The module needs the auth_required meta data
  • Update the error message from the Workflow Logs to notify the user what specific permissions they require
  • Update the error message on the Workflow Artifacts to echo out the message returned by the endpoint

Endpoints not requiring an API key

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

Endpoints that require an API key

Workflow Logs

The documentation states

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

If you request a public workflow log without using an API key you get

> curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/blacklanternsecurity/bbot/actions/runs/13524342051/logs
{
  "message": "Must have admin rights to Repository.",
  "documentation_url": "https://docs.github.com/rest/actions/workflow-runs#download-workflow-run-logs",
  "status": "403"
}

It states you require admin rights to the repository; however, if you have the repo scope or "Actions" repository permissions (read) you will be fine.

Workflow Artifacts

The documentation states

This endpoint can be used without authentication or the aforementioned permissions if only public resources are requested.

If you request a public workflow artifact without using an API key you get

> curl -L \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/blacklanternsecurity/bbot/actions/artifacts/2649651843/zip
{
  "message": "You must have the actions scope to download artifacts.",
  "documentation_url": "https://docs.github.com/rest/actions/artifacts#download-an-artifact",
  "status": "403"
}

This error message is a lot more helpful :)

@domwhewell-sage
Contributor Author

With an API key you get 5000 requests every hour. This is what I got after running Burp Intruder to go over my rate limit:

HTTP/2 403 Forbidden
Date: Sun, 02 Mar 2025 13:45:45 GMT
Content-Type: application/json; charset=utf-8
X-Ratelimit-Limit: 5000
X-Ratelimit-Remaining: 0
X-Ratelimit-Reset: 1740924768
X-Ratelimit-Used: 5002
X-Ratelimit-Resource: core
X-Oauth-Scopes: admin:repo_hook, audit_log, codespace, copilot, delete:packages, project, read:packages, repo, write:org
X-Accepted-Oauth-Scopes: repo
Github-Authentication-Token-Expiration: 2025-03-27 18:50:44 UTC
X-Github-Media-Type: unknown, github.v3
Access-Control-Expose-Headers: ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-Xss-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'
Vary: Accept-Encoding, Accept, X-Requested-With
Server: github.com
X-Github-Request-Id: D399:30F39A:609952:89AA7B:67C46109

{
  "message": "API rate limit exceeded for user ID 122788350. If you reach out to GitHub Support for help, please include the request ID D399:30F39A:609952:89AA7B:67C46109 and timestamp 2025-03-02 13:45:45 UTC.",
  "documentation_url": "https://docs.github.com/rest/overview/rate-limits-for-the-rest-api",
  "status": "403"
}

So the warning messages could possibly be updated to include the response['message']. Also, the download helper is used to download the files rather than the api_request helper; perhaps the download helper isn't including the API key...
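Added example (not bbot's own code): a Python classifier for the 403 responses quoted in this thread that separates a request sent without a token, a token missing a scope, and rate limiting, and echoes response['message'] in the warning as suggested above. The sample responses are constructed from the messages shown here; the "actions" scope header value in the artifact sample is assumed from the wording of that error.

```python
import json
import time
from dataclasses import dataclass

# Constructed samples modelled on the 403 responses quoted in this thread: (status, headers, body, api_key_set).
SAMPLE_NO_KEY = (403, {}, '{"message": "Must have admin rights to Repository.", "status": "403"}', False)
SAMPLE_MISSING_SCOPE = (403, {"X-Oauth-Scopes": "repo", "X-Accepted-Oauth-Scopes": "actions"},
                        '{"message": "You must have the actions scope to download artifacts.", "status": "403"}', True)
SAMPLE_RATE_LIMIT = (403, {"X-Ratelimit-Remaining": "0", "X-Ratelimit-Reset": "1740924768",
                           "X-Oauth-Scopes": "repo, write:org", "X-Accepted-Oauth-Scopes": "repo"},
                     '{"message": "API rate limit exceeded for user ID <placeholder>.", "status": "403"}', True)

@dataclass
class ApiOutcome:
    reason: str       # "ok", "rate_limited", "auth_required", "missing_scope" or "error"
    message: str      # the endpoint's own response["message"], surfaced instead of a generic warning
    detail: str = ""  # guidance: missing scopes, seconds until the limit resets, HTTP status

def _scopes(value):
    return {s.strip() for s in value.split(",") if s.strip()}

def classify_github_response(status, headers, body, api_key_set, now=None):
    """Map a GitHub REST response to an outcome a module can warn about precisely."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = body[:200]
    if status < 400:
        return ApiOutcome("ok", message)
    # Rate limiting is also a 403; X-RateLimit-Remaining tells it apart from a permissions problem.
    if status == 403 and h.get("x-ratelimit-remaining") == "0":
        now = int(time.time()) if now is None else now
        wait = max(0, int(h.get("x-ratelimit-reset", "0")) - now)
        return ApiOutcome("rate_limited", message, f"limit resets in {wait}s")
    # No token was sent: the module needs auth_required, or a helper dropped the key.
    if status in (401, 403) and not api_key_set:
        return ApiOutcome("auth_required", message, "request was sent without an API key")
    if status == 403:
        missing = _scopes(h.get("x-accepted-oauth-scopes", "")) - _scopes(h.get("x-oauth-scopes", ""))
        if missing:
            return ApiOutcome("missing_scope", message, f"token lacks scope(s): {sorted(missing)}")
    return ApiOutcome("error", message, f"HTTP {status}")

def format_warning(endpoint, outcome):
    """Warning text that echoes the API's message rather than a fixed 'permission denied'."""
    text = f"{endpoint}: {outcome.reason}: {outcome.message}"
    return f"{text} [{outcome.detail}]" if outcome.detail else text
```

Running `format_warning("logs", classify_github_response(*SAMPLE_NO_KEY))` yields the user-facing line with the API's own message and the hint that no key was sent.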
