Add Gitea enum command with SDK integration

Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com>

Author: Copilot

src/pipeleak/cmd/gitea/enum.go

@@ -0,0 +1,96 @@
+package gitea
+
+import (
+	"fmt"
+	"os"
+
+	"code.gitea.io/sdk/gitea"
+	"github.com/CompassSecurity/pipeleak/helper"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+func NewEnumCmd() *cobra.Command {
+	enumCmd := &cobra.Command{
+		Use:     "enum",
+		Short:   "Enumerate access rights of a Gitea access token",
+		Long:    "Enumerate access rights of a Gitea access token by retrieving the authenticated user's information.",
+		Example: `pipeleak gitea enum --token $GITEA_TOKEN --gitea https://gitea.mycompany.com`,
+		Run:     Enum,
+	}
+	enumCmd.Flags().StringVarP(&giteaUrl, "gitea", "g", "https://gitea.com", "Gitea instance URL")
+	enumCmd.Flags().StringVarP(&giteaApiToken, "token", "t", "", "Gitea API Token")
+
+	enumCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Verbose logging")
+	return enumCmd
+}
+
+func Enum(cmd *cobra.Command, args []string) {
+	helper.SetLogLevel(verbose)
+
+	// Check if token is provided via flag or environment variable
+	if giteaApiToken == "" {
+		giteaApiToken = os.Getenv("GITEA_TOKEN")
+	}
+
+	if giteaApiToken == "" {
+		log.Fatal().Msg("error: missing --token flag or GITEA_TOKEN environment variable")
+		return
+	}
+
+	// Initialize Gitea client
+	client, err := gitea.NewClient(giteaUrl, gitea.SetToken(giteaApiToken))
+	if err != nil {
+		log.Fatal().Stack().Err(err).Msg("Failed creating gitea client")
+		return
+	}
+
+	// Fetch user info
+	log.Info().Msg("Enumerating User")
+	user, _, err := client.GetMyUserInfo()
+	if err != nil {
+		log.Fatal().Stack().Err(err).Msg("Failed fetching current user")
+		return
+	}
+
+	// Log user data structure for debug visibility
+	log.Debug().Interface("user", user).Msg("Full user data structure")
+
+	// Output all user data fields in plain text
+	fmt.Printf("\nAuthenticated User Information:\n")
+	fmt.Printf("================================\n")
+	fmt.Printf("ID:               %d\n", user.ID)
+	fmt.Printf("Username:         %s\n", user.UserName)
+	fmt.Printf("Login Name:       %s\n", user.LoginName)
+	fmt.Printf("Source ID:        %d\n", user.SourceID)
+	fmt.Printf("Full Name:        %s\n", user.FullName)
+	fmt.Printf("Email:            %s\n", user.Email)
+	fmt.Printf("Avatar URL:       %s\n", user.AvatarURL)
+	fmt.Printf("Language:         %s\n", user.Language)
+	fmt.Printf("Is Admin:         %t\n", user.IsAdmin)
+	fmt.Printf("Last Login:       %s\n", user.LastLogin)
+	fmt.Printf("Created:          %s\n", user.Created)
+	fmt.Printf("Restricted:       %t\n", user.Restricted)
+	fmt.Printf("Is Active:        %t\n", user.IsActive)
+	fmt.Printf("Prohibit Login:   %t\n", user.ProhibitLogin)
+	fmt.Printf("Location:         %s\n", user.Location)
+	fmt.Printf("Website:          %s\n", user.Website)
+	fmt.Printf("Description:      %s\n", user.Description)
+	fmt.Printf("Visibility:       %s\n", user.Visibility)
+	fmt.Printf("Followers:        %d\n", user.FollowerCount)
+	fmt.Printf("Following:        %d\n", user.FollowingCount)
+	fmt.Printf("Starred Repos:    %d\n", user.StarredRepoCount)
+
+	// Also log with structured logging
+	log.Warn().
+		Int64("id", user.ID).
+		Str("username", user.UserName).
+		Str("fullName", user.FullName).
+		Str("email", user.Email).
+		Bool("isAdmin", user.IsAdmin).
+		Bool("isActive", user.IsActive).
+		Bool("restricted", user.Restricted).
+		Msg("Current user")
+
+	log.Info().Msg("Done")
+}

src/pipeleak/cmd/gitea/gitea.go

@@ -0,0 +1,28 @@
+package gitea
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var (
+	giteaApiToken string
+	giteaUrl      string
+	verbose       bool
+)
+
+func NewGiteaRootCmd() *cobra.Command {
+	giteaCmd := &cobra.Command{
+		Use:     "gitea [command]",
+		Short:   "Gitea related commands",
+		Long:    "Commands to enumerate and exploit Gitea instances.",
+		GroupID: "Gitea",
+	}
+
+	giteaCmd.AddCommand(NewEnumCmd())
+
+	giteaCmd.PersistentFlags().StringVarP(&giteaUrl, "gitea", "g", "https://gitea.com", "Gitea instance URL")
+	giteaCmd.PersistentFlags().StringVarP(&giteaApiToken, "token", "t", "", "Gitea API Token")
+	giteaCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "Verbose logging")
+
+	return giteaCmd
+}

src/pipeleak/cmd/root.go

@@ -10,6 +10,7 @@ import (
 	"github.com/CompassSecurity/pipeleak/cmd/bitbucket"
 	"github.com/CompassSecurity/pipeleak/cmd/devops"
 	"github.com/CompassSecurity/pipeleak/cmd/docs"
+	"github.com/CompassSecurity/pipeleak/cmd/gitea"
 	"github.com/CompassSecurity/pipeleak/cmd/github"
 	"github.com/CompassSecurity/pipeleak/cmd/gitlab"
 	"github.com/rs/zerolog"
@@ -42,6 +43,7 @@ func init() {
 	rootCmd.AddCommand(gitlab.NewGitLabRootUnauthenticatedCmd())
 	rootCmd.AddCommand(bitbucket.NewBitBucketRootCmd())
 	rootCmd.AddCommand(devops.NewAzureDevOpsRootCmd())
+	rootCmd.AddCommand(gitea.NewGiteaRootCmd())
 	rootCmd.AddCommand(docs.NewDocsCmd(rootCmd))
 	rootCmd.PersistentFlags().BoolVarP(&JsonLogoutput, "json", "", false, "Use JSON as log output format")
 	rootCmd.PersistentFlags().BoolVarP(&LogColor, "coloredLog", "", true, "Output the human-readable log in color")
@@ -52,6 +54,7 @@ func init() {
 	rootCmd.AddGroup(&cobra.Group{ID: "Helper", Title: "Various Helper Commands"})
 	rootCmd.AddGroup(&cobra.Group{ID: "BitBucket", Title: "BitBucket Commands"})
 	rootCmd.AddGroup(&cobra.Group{ID: "AzureDevOps", Title: "Azure DevOps Commands"})
+	rootCmd.AddGroup(&cobra.Group{ID: "Gitea", Title: "Gitea Commands"})
 }
 
 type CustomWriter struct {

src/pipeleak/go.mod

@@ -31,7 +31,9 @@ require (
 	cloud.google.com/go/compute/metadata v0.8.0 // indirect
 	cloud.google.com/go/iam v1.5.2 // indirect
 	cloud.google.com/go/secretmanager v1.15.0 // indirect
+	code.gitea.io/sdk/gitea v0.22.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/42wim/httpsig v1.2.3 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BobuSumisu/aho-corasick v1.0.3 // indirect
 	github.com/TheZeroSlave/zapsentry v1.23.0 // indirect
@@ -63,12 +65,14 @@ require (
 	github.com/couchbase/goprotostellar v1.0.2 // indirect
 	github.com/couchbaselabs/gocbconnstr/v2 v2.0.0-20240607131231-fb385523de28 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/davidmz/go-pageant v1.0.2 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/getsentry/sentry-go v0.32.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-fed/httpsig v1.1.0 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.11 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
@@ -87,6 +91,7 @@ require (
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/headzoo/ut v0.0.0-20181013193318-a13b5a7a02ca // indirect
 	github.com/jlaffaye/ftp v0.2.0 // indirect

src/pipeleak/go.sum

@@ -28,11 +28,15 @@ cloud.google.com/go/secretmanager v1.15.0 h1:RtkCMgTpaBMbzozcRUGfZe46jb9a3qh5EdE
 cloud.google.com/go/secretmanager v1.15.0/go.mod h1:1hQSAhKK7FldiYw//wbR/XPfPc08eQ81oBsnRUHEvUc=
 cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
 cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+code.gitea.io/sdk/gitea v0.22.0 h1:HCKq7bX/HQ85Nw7c/HAhWgRye+vBp5nQOE8Md1+9Ef0=
+code.gitea.io/sdk/gitea v0.22.0/go.mod h1:yyF5+GhljqvA30sRDreoyHILruNiy4ASufugzYg0VHM=
 dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
 dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/42wim/httpsig v1.2.3 h1:xb0YyWhkYj57SPtfSttIobJUPJZB9as1nsfo7KWVcEs=
+github.com/42wim/httpsig v1.2.3/go.mod h1:nZq9OlYKDrUBhptd77IHx4/sZZD+IxTBADvAPI9G/EM=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg=
@@ -158,6 +162,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davidmz/go-pageant v1.0.2 h1:bPblRCh5jGU+Uptpz6LgMZGD5hJoOt7otgT454WvHn0=
+github.com/davidmz/go-pageant v1.0.2/go.mod h1:P2EDDnMqIwG5Rrp05dTRITj9z2zpGcD9efWSkTNKLIE=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
@@ -185,6 +191,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-fed/httpsig v1.1.0 h1:9M+hb0jkEICD8/cAiNqEB66R87tTINszBRTjwjQzWcI=
+github.com/go-fed/httpsig v1.1.0/go.mod h1:RCMrTZvN1bJYtofsG4rd5NaO5obxQ5xBkdiS7xsT7bM=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -285,6 +293,8 @@ github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVU
 github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
+github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
+github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -581,6 +591,7 @@ golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=