
Use Github pack with Coda employee github account (search code of Coda's private repositories)

Medium
Coda

Vulnerability Details

Technical details and impact analysis

## Summary:

When you use the [Github formula](https://coda.io/formulas#GitHub::CodeSearch), the information from the Github API is returned by the endpoint https://coda.io/coda.CalcService/InvokeFormula. From what I understand, this endpoint expects a [gRPC](https://grpc.io/) request. Sent in the request are: the formula (`Github..CodeSearch`), the version of the Github pack (`3.4.1`), the id of the Github connection (generated by Coda when connecting your account), the id of the document to which the Github account is linked, and the parameters for the formula.

The issue is that you can take the document id and connection id of any public document and use the formula as you please. Also, it's not required to be authenticated to make a request to the endpoint https://coda.io/coda.CalcService/InvokeFormula.

It may be working as designed, so that's why I used a document created by a Coda employee for the proof of concept, in case that is considered an N/A report :D

## Steps To Reproduce:

Pass all requests through Burp or a similar proxy to make the reproduction easier.

1. Make sure you are signed in to https://coda.io
2. Go to https://coda.io/t/Git-Cherry-Pick-From-Branch_tTZJuuyHgqa/preview?useBack
3. If you look at the requests in Burp, you will see a request to https://coda.io/embed/igvicDMruo?viewMode=gallery&disconnected=true that is loaded in an `<iframe>` (it is the document you see when you load the template). "igvicDMruo" is the document id.
4. Using the document id from the last step, go to https://coda.io/internalAppApi/documents/igvicDMruo/externalConnections
5. The value that matters from the response is the `id` of the object with `name` "albertc44". The connection id is `7b167155-731e-4913-9091-729c5bd77ee0`
6. Go to https://coda.io/newdoc/POC
7. Click "Create doc"
8. Click the "Open Packs" button at the top right. It is the puzzle piece icon between the robot and the arrows
9. Click "+ Add a new Pack"
10. Click the "Github" card/box
11. Click the orange "Sign in to install" button
12. Click "Authorize codaprojectapp"
13. Click "You and anyone this doc is shared with"
14. Click "Nobody"
15. Click the orange "+" button at the top of the document
16. Go to "Formula", then "Github", and then click "CodeSearch"
17. In the dialog that opens, press the "Tab" key, enter a comma `,`, enter `"secret"`, enter `,`, enter `organization: "kr-project"` and finally press the "Enter" key
18. In Burp Proxy or similar, find the last request to /coda.CalcService/InvokeFormula and send it to the Repeater or similar to modify it
19. Remove the `Cookie` header
20. The value between `$` and `2$` is the connection id. Replace this value with the `7b167155-731e-4913-9091-729c5bd77ee0` you got before (don't touch the `2` before the `$` 😅 )
21. The first ten characters of the last line are the document id. Replace it with the document id you got in the first steps (`igvicDMruo`)
22. Send the request
23. The most interesting things in the response are the values of `Fragment`

## Supporting Material/References:

None

## Impact

It's possible to search the code of all the private repositories to which https://github.com/albertc44 has access, including the ones of the __kr-project__ organization, which is where the Coda repositories are.
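The report shows three checks a formula-invocation endpoint can skip: the caller's session (the `Cookie` header), the caller's access to the document id, and whether the connection id actually belongs to that document and is shared with the caller (the "Nobody" vs "You and anyone this doc is shared with" choice). The following is an added example of a server-side authorization check modelling those rules; it is not Coda's code, and the types, ids and users are constructed for illustration.

```python
"""Authorization check for a pack-formula invocation (added example).

Constructed model of the issue in the report: a request carries a document
id, a pack-connection id and formula parameters, and the server must not
trust the pair it is handed. All names and ids below are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class Connection:
    id: str
    doc_id: str            # document in which the pack account was connected
    owner: str             # user who signed in to the pack
    shared_with_doc: bool  # True = "You and anyone this doc is shared with", False = "Nobody"


@dataclass
class Document:
    id: str
    members: set = field(default_factory=set)  # users allowed to open the doc


# Constructed sample state (not real Coda identifiers).
DOCS = {
    "docA": Document("docA", {"alice", "bob"}),
    "docB": Document("docB", {"mallory"}),
}
CONNS = {
    "conn-1": Connection("conn-1", "docA", "alice", shared_with_doc=True),
    "conn-2": Connection("conn-2", "docA", "alice", shared_with_doc=False),
}


def authorize_invoke(user, doc_id, connection_id):
    """Return (allowed, reason) for a formula call.

    Each check corresponds to something the report shows being bypassed:
    a request with no session, a foreign document id, a foreign connection id.
    """
    if user is None:
        return False, "unauthenticated"
    doc = DOCS.get(doc_id)
    conn = CONNS.get(connection_id)
    if doc is None or conn is None:
        return False, "unknown document or connection"
    if user not in doc.members:
        return False, "caller has no access to the document"
    if conn.doc_id != doc.id:
        return False, "connection does not belong to this document"
    if conn.owner != user and not conn.shared_with_doc:
        return False, "connection is private to its owner"
    return True, "ok"
```

The connection-to-document binding is the check that matters most here: even an authenticated member of some public document must not be able to pair that document id with a connection created in a different document.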

Report Details

Additional information and metadata

State

Closed

Substate

Resolved
