De-slop: remove every em-dash + banned words across all modules + capstone (#94)
Sync course wiki / sync-wiki (push) Successful in 4s
Sync course wiki / sync-wiki (push) Successful in 4s
Co-authored-by: claude <claude@jpaul.io> Co-committed-by: claude <claude@jpaul.io>
This commit was merged in pull request #94.
This commit is contained in:
@@ -1,8 +1,8 @@
|
||||
#!/usr/bin/env bash
|
||||
# Module 19 lab — what a CI job could see if it ran on THIS machine.
|
||||
# Module 19 lab: what a CI job could see if it ran on THIS machine.
|
||||
#
|
||||
# Run this on any machine you'd consider turning into a self-hosted runner (your laptop is fine for
|
||||
# the exercise). It does NOT change anything — it only LOOKS. The point is to make concrete what is
|
||||
# the exercise). It does NOT change anything; it only LOOKS. The point is to make concrete what is
|
||||
# otherwise abstract: a "workflow step" is just a shell command, so whatever this read-only script
|
||||
# can see, a malicious workflow step (e.g. from a pull request) running on this runner can see too.
|
||||
#
|
||||
@@ -42,7 +42,7 @@ echo "os : $(uname -srm 2>/dev/null)"
|
||||
echo " >> A runner should run as a dedicated low-privilege user, never root, never your login."
|
||||
|
||||
line "SECRETS SITTING IN THE ENVIRONMENT"
|
||||
# Don't print values — just the names. Seeing the NAMES is enough to make the point.
|
||||
# Don't print values, just the names. Seeing the NAMES is enough to make the point.
|
||||
env | grep -iE 'token|secret|key|password|passwd|credential|aws|gcp|azure|api' | cut -d= -f1 | sort -u \
|
||||
| sed 's/^/ exposed env var: /' || true
|
||||
echo " >> Any of these is readable by every job step. Scope runner secrets to the absolute minimum."
|
||||
@@ -76,7 +76,7 @@ else
|
||||
echo " no reachable docker socket"
|
||||
fi
|
||||
|
||||
line "PRIVATE NETWORK REACH (the reason you self-host — and the reason it's dangerous)"
|
||||
line "PRIVATE NETWORK REACH (the reason you self-host, and the reason it's dangerous)"
|
||||
# Probe a few common private ranges' gateways and any hosts you care about.
|
||||
# Edit these to match your network for a sharper result.
|
||||
PROBES=( "192.168.0.1:80" "192.168.1.1:80" "10.0.0.1:80" )
|
||||
@@ -86,7 +86,7 @@ for hp in "${PROBES[@]}"; do
|
||||
echo " REACHABLE: ${host}:${port}"
|
||||
fi
|
||||
done
|
||||
echo " (edit the PROBES list above to test your real internal hosts — databases, deploy targets)"
|
||||
echo " (edit the PROBES list above to test your real internal hosts: databases, deploy targets)"
|
||||
echo " >> Every reachable internal host is something a compromised runner can attack or exfiltrate."
|
||||
|
||||
line "BOTTOM LINE"
|
||||
|
||||
Reference in New Issue
Block a user