LOTP

Living Off the Pipeline

The idea of the LOTP project is to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection.

Tags

cli github-actions injection config-file input-file eval-js eval-sh eval-py eval-groovy eval-kotlin Reset

Tool	Tags
Ant	cli config-file eval-sh
bundler	cli eval-sh config-file
checkov	cli config-file eval-py
eslint	cli config-file eval-js
actions/github-script	github-actions injection eval-js
oxsecurity/megalinter	github-actions config-file eval-sh
roots/issue-closer-action	github-actions injection eval-js
sergeysova/jq-action	github-actions injection eval-sh
go generate	cli input-file eval-sh
gomplate	cli config-file eval-sh
gradle	cli config-file eval-groovy eval-kotlin
maven	cli eval-sh
mkdocs	cli config-file eval-py
MSBuild	cli config-file input-file eval-sh
mypy	cli eval-sh
pre-commit	cli config-file eval-sh
prettier	cli config-file eval-js
pylint	cli config-file eval-python
rake	cli eval-sh config-file
rubocop	cli eval-sh config-file
terraform	cli input-file eval-sh
tflint	cli config-file eval-sh