thomaspreece/GitHub-Token-Tester
GitHub Token Tester

When you have any of the following GitHub tokens:

  • Token starting with ghs_ - App Installation Token
  • Token starting with ghu_ - App User Access Token
  • Token starting with gho_ - OAuth App Token
  • Token starting with ghp_ - Classic PAT
  • Token starting with github_pat_ - Fine-grained PAT

There often isn't an easy way to figure out what permissions the token has. The purpose of this repo is to provide a tool that makes a set of requests to GitHub to test the exact permissions of the token.

Notes:

  • This tool isn't designed to be stealthy. All requests made will appear in GitHub audit logs. Also, some requests have to test write permissions, so they will make changes.
  • Not all GitHub permissions are implemented by this tool yet.

How does it work?

The tool takes one of two approaches, depending on the token type.

  1. For Classic PATs and OAuth App Tokens (ghp_ and gho_) this tool makes a single request to the user endpoint. The response contains a header that lists the scopes the token has. It makes no further requests.
  2. For App Installation Tokens, App User Access Tokens and Fine-grained PATs (ghs_, ghu_ and github_pat_), GitHub doesn't provide an easy way to see the fine-grained permissions. Therefore, this tool follows a brute-force approach of testing each permission one by one. Before it does this, the tool first looks for a repository that is accessible by the token and on which the user has admin permissions. This is because the actual permissions the token gets on the API are the intersection of the token's permissions and the user's own permissions, so finding a repository the user has admin on is required for the token's permissions to be accurately assessed. You can, however, override the repository it uses in the environment file if the code is unable to find a suitable repository.
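As an added illustration of the two approaches above (this is example code, not the repo's own test_token_permissions.py): classifying a token by prefix, parsing the scope header GitHub returns for classic/OAuth tokens, and a read-only probe loop for fine-grained tokens with an injectable transport. The permission-to-endpoint mapping is an assumed, illustrative subset; the real tool covers more permissions, including writes.

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

API = "https://api.github.com"

# Token prefix -> token type, as listed in the README.
PREFIXES = {
    "ghs_": "app_installation", "ghu_": "app_user", "gho_": "oauth_app",
    "ghp_": "classic_pat", "github_pat_": "fine_grained_pat",
}

def classify_token(token: str) -> Optional[str]:
    """Map a token to its type by prefix; None if the prefix is unrecognised."""
    for prefix, kind in PREFIXES.items():
        if token.startswith(prefix):
            return kind
    return None

def scopes_from_headers(headers: Dict[str, str]) -> List[str]:
    """Parse the X-OAuth-Scopes response header (classic PAT / OAuth App tokens).
    Header names match case-insensitively; an empty or missing value means no scopes."""
    for name, value in headers.items():
        if name.lower() == "x-oauth-scopes":
            return [s.strip() for s in value.split(",") if s.strip()]
    return []

# Assumed, illustrative read probes for fine-grained tokens: permission -> repo path.
READ_PROBES = {
    "metadata": "", "contents": "/commits", "issues": "/issues",
    "pull_requests": "/pulls", "actions": "/actions/workflows",
}

def http_status(token: str, url: str) -> int:
    """Real transport: GET url with the token and return the HTTP status code."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code

def probe_permissions(token: str, repo: str,
                      send: Callable[[str, str], int] = http_status) -> Dict[str, bool]:
    """Test each read permission one by one against owner/repo.
    2xx means granted; 401/403/404 (GitHub hides repos it won't expose) mean denied."""
    return {perm: 200 <= send(token, f"{API}/repos/{repo}{path}") < 300
            for perm, path in READ_PROBES.items()}
```

Pass a stub `send` to dry-run the probe plan offline; every real call still lands in the GitHub audit log, as the notes above say.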

Requirements

To use this tool you need one of the following:

  • A GitHub token (as detailed above) OR
  • A GitHub App private key + app id + app installation id OR
  • A GitHub App client id + client secret

You'll also need to install the Python dependencies in requirements.txt.

Use

  • Copy .env.example to .env
  • Fill in .env with required values
  • If using a token directly then run python3 ./test_token_permissions.py
  • If you are using a GitHub App private key or client id then run:
    • python3 ./app_harness.py -m installation_token for generating a ghs_ token and testing that
    • python3 ./app_harness.py -m access_token for generating a ghu_ token and testing that
  • See the terminal output and permissions.csv for the results of the run.

About

Got a GitHub token (PAT, App, OAuth) and want to figure out what permissions it has? This repo solves this by allowing you to test and validate the different types of GitHub token.
