Track job and workflow permissions

[adrien-f]

Pull Request Overview

Given a PwnRequest, it will have associated permissions available to it. This tracks Workflow and Job permissions and expose it in the PwnRequestResult and the to_machine response.

Let me know what you think, I think this can be a useful enabler for more visitors (escalating permissions for example).

What does this PR add/solve?

I think this will be helpful in associating a result with a severity, detecting high impact results and filtering false positives if wanted.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Security enhancement
• CI/CD improvement

Areas affected

• Enumeration functionality
• Attack/Exploitation features
• GitHub API integration
• Workflow analysis
• Runner detection
• MCP Server
• CLI/User interface
• Documentation
• Tests
• Configuration

Testing Steps

Manual Testing

Automated Testing

• All existing unit tests pass
• New unit tests added for new functionality
• Integration tests updated/added if applicable
• Code coverage maintained or improved

Testing Commands

# Add specific commands to test this PR
# Example:
# python -m pytest unit_test/test_new_feature.py
# python -m gatox enumerate --help

Security Considerations

• This change does not introduce new security risks
• This change has been reviewed for potential security vulnerabilities
• This change improves existing security measures
• N/A - No security implications

Documentation

• Code changes are documented with appropriate comments
• Public API changes are documented
• README.md updated if needed
• Documentation site updated if needed (docs/ folder)
• CHANGELOG.md updated if applicable

Checklist

• My code follows the project's coding style and conventions
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published

Additional Notes

Screenshots (if applicable)

Performance Impact

Breaking Changes

Related Issues/PRs

Closes #
Related to #

[adrien-f]

I'm re-reading https://adnanthekhan.com/posts/dependabot-core-toctou-writeup/
And I think I need to take into account that PRs from forks are unprivileged if I understand it properly, maybe checking the workflow triggers and see if it's only PR events. Not sure how to differentiate if fork or not, in the case of public GitHub it will almost always be the case, but private orgs have it different depending.

[AdnaneKhan]

I'm re-reading https://adnanthekhan.com/posts/dependabot-core-toctou-writeup/ And I think I need to take into account that PRs from forks are unprivileged if I understand it properly, maybe checking the workflow triggers and see if it's only PR events. Not sure how to differentiate if fork or not, in the case of public GitHub it will almost always be the case, but private orgs have it different depending.

So Gato-X only looks at privileged triggers with the exception of pull_request_review and pull_request_review_comment (that is an edge case where an actor can trigger PR review body injection, due to how that trigger behaves differently if the PR is fork or not). For pwn request results checking the token permissions is a correct approach