-
Notifications
You must be signed in to change notification settings - Fork 0
/
check_github_token_access.py
88 lines (77 loc) · 3.09 KB
/
check_github_token_access.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
import requests
import argparse
HEADERS = {
'Accept': 'application/vnd.github.v3+json',
'X-Github-Api-Version': '2022-11-28'
}
def getUser():
url = 'https://api.github.com/user'
response = requests.get(url, headers=HEADERS)
if response.status_code == 200:
return response.json()
else:
print('[-] Error: ' + str(response.status_code) + ' ' + response.json()['message'])
return None
def getRepos():
i=1
while True:
url = 'https://api.github.com/user/repos?per_page=100&page=' + str(i)
response = requests.get(url, headers=HEADERS)
response_json = response.json()
if response.status_code != 200:
print('[-] Error: ' + str(response.status_code) + ' ' + response.json()['message'] + ' When trying to access user repos')
break
if not response_json:
break
for repo in response_json:
if repo['private']:
permissions = []
for key, value in repo['permissions'].items():
if value == True:
permissions.append(key.capitalize())
print("%s permissions on %s" % (", ".join(permissions), repo['html_url']))
i+=1
def getOrgs():
orgs = []
url = 'https://api.github.com/user/orgs'
response = requests.get(url, headers=HEADERS)
response_json = response.json()
for org in response_json:
orgs.append(org['login'])
return orgs
def getPrivateOrgRepos(orgs):
for org in orgs:
i=1
while True:
url = 'https://api.github.com/orgs/' + org + '/repos?per_page=100&page=' + str(i)
response = requests.get(url, headers=HEADERS)
response_json = response.json()
if response.status_code != 200:
print('[-] Error: ' + str(response.status_code) + ' ' + response.json()['message'] + ' When trying to access the organization ' + org)
break
if not response_json:
break
for repo in response_json:
if repo['private']:
permissions = []
for key, value in repo['permissions'].items():
if value == True:
permissions.append(key.capitalize())
print("%s permissions on %s" % (", ".join(permissions), repo['html_url']))
i+=1
def parse_arguments():
parser = argparse.ArgumentParser(description='Supply a github personal access token to check what private repositories it has access to.')
parser.add_argument('--token', '-t', metavar='ghp_xxxx', type=str, required=True, help='The github personal access token to use in requests to the github api.' )
args = parser.parse_args()
HEADERS.update({'Authorization': 'Bearer ' + args.token})
def main():
user = getUser()
if user:
print('[+] User: ' + user['login'])
print('[+] Enumerating private user and org repos...')
getRepos()
orgs = getOrgs()
getPrivateOrgRepos(orgs)
if __name__== "__main__":
parse_arguments()
main()