Allow scanning orgs

Author: JarLob

.github/workflows/sample.yml

@@ -7,12 +7,8 @@ permissions:
 on:
   workflow_dispatch:
     inputs:
-      owner:
-        description: 'Org or user name'
-        required: true
-        type: string
-      repo:
-        description: 'Repository name'
+      owner-repo:
+        description: 'Org or org/repo to scan'
         required: true
         type: string
 
@@ -22,5 +18,4 @@ jobs:
     steps:
     - uses: GitHubSecurityLab/pwn-request-scanner@9791f6e2ab36a9ca92342d4b2adc749e870133b9 # v1
       with:
-        owner: ${{ inputs.owner }}
-        repo: ${{ inputs.repo }}
+        owner-repo: ${{ inputs.owner-repo }}

README.md

@@ -11,5 +11,5 @@ The `pwn request scanner` is a simple tool that doesn't go into depths of analyz
 You can run the scanner as:
 
 * GitHub Action in your repository. Just copy the [sample workflow](.github/workflows/sample.yml) or fork the repository and run the workflow from your fork.  
-* Run `node dist/index.js <github_owner> <repo_name>` in a codespace.  
+* Run `node dist/index.js owner/repo` or `node dist/index.js owner` in a codespace.  
 * Locally running the [index.js](dist/index.js) script from the dist folder. Set environment variable `GITHUB_TOKEN` to your Personal Access Token (PAT).  

action.yml

@@ -5,12 +5,8 @@ inputs:
     description: 'GitHub token to call REST API'
     required: false
     default: ${{ github.token }}
-  owner:
-    description: 'Org or user name'
-    required: true
-    type: string
-  repo:
-    description: 'Repository name'
+  owner-repo:
+    description: 'Org or org/repo to scan'
     required: true
     type: string
 

dist/index.js

@@ -1,20 +1,17 @@
 const core = require('@actions/core');
 const github = require('@actions/github');
 import {
-  convertWorkflowTemplate,
-  NoOperationTraceWriter,
-  parseWorkflow
+    convertWorkflowTemplate,
+    NoOperationTraceWriter,
+    parseWorkflow
 } from "@actions/workflow-parser";
 
 let verbose = false;
 let log = console.log;
 let debug = (msg) => { if (verbose) { log(msg); } }
 
-async function run(owner, repo, token) {
-    console.log("Working...");
-    const octokit = github.getOctokit(token)
-
-    debug(`Listing branches for ${owner}/${repo}.`);
+async function run_repo(owner, repo, octokit) {
+    console.log(`Listing branches for ${owner}/${repo}.`);
     const branches = await octokit.rest.repos.listBranches({
         owner,
         repo,
@@ -35,7 +32,7 @@ async function run(owner, repo, token) {
             continue;
         }
 
-        debug(`Checking branch ${branchName} for workflows.`);
+        console.log(`Checking branch ${branchName} for workflows.`);
         let contents;
         try {
             contents = await octokit.rest.repos.getContent({
@@ -49,9 +46,9 @@ async function run(owner, repo, token) {
                 debug(`Branch ${branchName} does not contain any workflows.`);
                 continue;
             }
-            throw(`Error: ${error.status}. Failed to retrieve contents for branch ${branchName}`, error);
+            throw (`Error: ${error.status}. Failed to retrieve contents for branch ${branchName}`, error);
         }
-        
+
         for (const file of contents.data) {
             const lowerCaseFile = file.name.toLowerCase();
             if (file.type === 'file' && (lowerCaseFile.endsWith('.yml') || lowerCaseFile.endsWith('.yaml'))) {
@@ -89,47 +86,79 @@ async function run(owner, repo, token) {
                     continue;
                 }
 
-                if (!found) {
+                found = true;
+                console.log(`https://github.com/${owner}/${repo}/blob/${branchName}/${file.path} from non-default branch uses pull_request_target`);
+            }
+        }
+    }
+
+    return found;
+}
+
+async function run(owner_repo, token) {
+    const octokit = github.getOctokit(token)
+    let found = false;
+    let owner, repo;
+    [owner, repo] = owner_repo.split('/');
+
+    if (repo === undefined) {
+        debug(`Listing repositories for owner ${owner}.`);
+        for await (const response of octokit.paginate.iterator(octokit.rest.repos.listForOrg, {
+            org: owner,
+            type: 'all',
+            per_page: 100
+        })) {
+            for (const repo of response.data) {
+                const repoFound = await run_repo(
+                    owner,
+                    repo.name,
+                    octokit
+                );
+                if (repoFound) {
                     found = true;
-                    console.log('These workflows from non-default branch use pull_request_target:');
                 }
-                console.log(`https://github.com/${owner}/${repo}/blob/${branchName}/${file.path}`);
             }
         }
     }
+    else {
+        found = await run_repo(
+            owner,
+            repo,
+            octokit
+        );
+    }
 
     console.log(`Done. ${found ? 'Found issues.' : 'No issues found.'}`);
     return found;
 }
 
 function printUsageAndExit() {
-  console.log('Usage: node index.js <github_owner> <repo_name> [--verbose]');
-  process.exit(1);
+    console.log('Usage: node index.js owner/repo [--verbose]');
+    process.exit(1);
 }
 
 if (process.env.GITHUB_ACTIONS) {
     verbose = process.env.RUNNER_DEBUG ? true : false;
-    const owner = core.getInput('owner');
-    const repo = core.getInput('repo');
+    const owner_repo = core.getInput('owner-repo');
     const token = core.getInput('token');
 
-    run(owner, repo, token).catch(error => {
+    run(owner_repo, token).catch(error => {
         core.setFailed(error);
     }).then(found => {
         if (found) {
             core.warning('Workflows from non-default branches were detected to use pull_request_target. See logs for the details.');
         }
     });
 } else {
-    if (process.argv.length < 4) {
+    if (process.argv.length < 3) {
         printUsageAndExit();
     }
     if (process.env.GITHUB_TOKEN === undefined) {
         console.log('Error: GITHUB_TOKEN environment variable is not set.');
         process.exit(1);
     }
-    verbose = process.argv.length > 4 && process.argv[4] === '--verbose' ? true : false;
-    run(process.argv[2], process.argv[3], process.env.GITHUB_TOKEN).catch(error => {
+    verbose = process.argv.length > 3 && process.argv[3] === '--verbose' ? true : false;
+    run(process.argv[2], process.env.GITHUB_TOKEN).catch(error => {
         console.log(`Error: ${error}`);
         process.exit(1);
     });