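#!/bin/bash
# Reproducer: Attempt to chain 10 tokens (token proliferation attack)
#
# Expected (secure) behaviour: only the OpenShift identity token (TOKEN[0])
# may mint a MaaS token; a token issued by /maas-api/v1/tokens must NOT be
# accepted as a credential to mint another one.
#
# Environment:
#   MAAS_URL        host of the MaaS API (default: maas.<cluster ingress domain>)
#   MAAS_CA_BUNDLE  optional CA bundle for TLS verification; when unset the
#                   request is sent with `curl -k`, as the original reproducer did
#   MAX_CHAIN       number of chained issuances to attempt (default: 10)
#
# Exit status: 0 = chain was stopped (PASS); 1 = test failed (no token at all,
# or the whole chain was issued); 2 = inconclusive (transport or setup error).
#
# -e is deliberately not set: every command whose failure matters is checked
# explicitly, and jq on a non-JSON error body must not abort the run.
set -uo pipefail

MAX_CHAIN="${MAX_CHAIN:-10}"

die() { printf '%s\n' "$*" >&2; exit 2; }

# Resolve the MaaS host unless the caller pinned it. The original default
# silently became "maas." when `oc get` failed; fail loudly instead.
if [[ -z "${MAAS_URL:-}" ]]; then
  domain=$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}') \
    || die "cannot determine cluster ingress domain (is oc logged in?)"
  [[ -n "$domain" ]] || die "cluster ingress domain is empty"
  MAAS_URL="maas.${domain}"
fi

# TLS verification: prefer an explicit CA bundle. -k is kept only as the
# backward-compatible default; with it an on-path attacker can read the
# OpenShift identity token sent in the Authorization header.
tls_opts=(-k)
if [[ -n "${MAAS_CA_BUNDLE:-}" ]]; then
  tls_opts=(--cacert "$MAAS_CA_BUNDLE")
fi

# First 20 characters of a token, for log lines only (enough to tell tokens
# apart without printing the whole credential).
preview() { printf '%s' "${1:0:20}"; }

echo "=== Token Proliferation Test ==="
echo "Attempting to create a chain of ${MAX_CHAIN} tokens using each to issue the next"
echo ""

# Start with OpenShift identity token; an empty token would make the first
# request fail for the wrong reason and be reported as "Cannot create any tokens".
CURRENT_TOKEN=$(oc whoami -t) || die "oc whoami -t failed"
[[ -n "$CURRENT_TOKEN" ]] || die "oc whoami -t returned an empty token"
echo "TOKEN[0]: OpenShift identity ($(preview "$CURRENT_TOKEN")...)"

for ((i = 1; i <= MAX_CHAIN; i++)); do
  # -w appends the status as the final line so it can be split off with
  # parameter expansion, without grepping the (server-controlled) body.
  curl_rc=0
  RESPONSE=$(curl -sS "${tls_opts[@]}" -X POST \
    -H "Authorization: Bearer ${CURRENT_TOKEN}" \
    -H "Content-Type: application/json" \
    -d '{"expiration":"10m"}' \
    -w "\nHTTP_STATUS:%{http_code}" \
    "https://${MAAS_URL}/maas-api/v1/tokens") || curl_rc=$?
  # A transport failure is not a policy decision: the original script treated
  # an empty response as BLOCKED and therefore reported PASS on iterations > 1.
  (( curl_rc == 0 )) || die "TOKEN[$i]: curl failed (exit ${curl_rc}); result inconclusive"

  # ## takes the longest prefix, so the status is read from the last marker
  # even if the body itself happens to contain "HTTP_STATUS:".
  HTTP_STATUS=${RESPONSE##*HTTP_STATUS:}
  BODY=${RESPONSE%$'\n'HTTP_STATUS:*}
  NEW_TOKEN=$(jq -r .token 2>/dev/null <<<"$BODY")

  # Check for 2xx success status AND a usable token in the body
  if [[ ! "$HTTP_STATUS" =~ ^2 ]] || [[ -z "$NEW_TOKEN" || "$NEW_TOKEN" == "null" ]]; then
    echo "TOKEN[$i]: ❌ BLOCKED (HTTP $HTTP_STATUS)"
    if (( i == 1 )); then
      echo ""
      echo "❌ FAIL: Cannot create any tokens"
      exit 1
    fi
    echo ""
    echo "✅ PASS: Token chain stopped at iteration $i"
    echo " Only OpenShift identity can issue tokens (TOKEN[1])"
    echo " SA tokens cannot create more tokens"
    exit 0
  fi
  echo "TOKEN[$i]: ✅ Created ($(preview "$NEW_TOKEN")...)"
  CURRENT_TOKEN="$NEW_TOKEN"
done

echo ""
echo "❌ FAIL: Created ${MAX_CHAIN} chained tokens!"
echo " This is a security vulnerability - SA tokens should not create tokens"
exit 1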