-
Notifications
You must be signed in to change notification settings - Fork 310
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6720 from Checkmarx/unsecured_commands
feat(query): added cicd github query unsecured commands
- Loading branch information
Showing
7 changed files
with
197 additions
and
0 deletions.
There are no files selected for viewing
12 changes: 12 additions & 0 deletions
12
assets/queries/cicd/github/unsecured_commands/metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| { | ||
| "id": "60fd272d-15f4-4d8f-afe4-77d9c6cc0453", | ||
| "queryName": "Unsecured Commands", | ||
| "severity": "MEDIUM", | ||
| "category": "Insecure Configurations", | ||
| "descriptionText": "There are deprecated set-env and add-path commands that can be explicitly enabled by a user via setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable as true. Depending on the use of the environment variable, this could enable an attacker to, at worst, modify the system path to run a different command than intended, resulting in arbitrary code execution.", | ||
| "descriptionUrl": "https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-the-events-related-to-incoming-prs", | ||
| "platform": "CICD", | ||
| "descriptionID": "44751f79", | ||
| "cloudProvider": "common" | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| package Cx | ||
|
|
||
| import data.generic.common as common_lib | ||
|
|
||
| CxPolicy[result] { | ||
|
|
||
| env := input.document[i].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] | ||
| env == true | ||
|
|
||
|
|
||
| result := { | ||
| "documentId": input.document[i].id, | ||
| "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", | ||
| "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", | ||
| "searchLine": common_lib.build_search_line(["env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[]) | ||
| } | ||
| } | ||
|
|
||
| CxPolicy[result] { | ||
|
|
||
| env := input.document[i].jobs[j].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] | ||
| env == true | ||
|
|
||
|
|
||
| result := { | ||
| "documentId": input.document[i].id, | ||
| "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", | ||
| "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", | ||
| "searchLine": common_lib.build_search_line(["jobs", j, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[]) | ||
| } | ||
| } | ||
|
|
||
| CxPolicy[result] { | ||
|
|
||
| env := input.document[i].jobs[j].steps[k].env["ACTIONS_ALLOW_UNSECURE_COMMANDS"] | ||
| env == true | ||
|
|
||
|
|
||
| result := { | ||
| "documentId": input.document[i].id, | ||
| "searchKey": sprintf("env.actions_allow_unsecure_commands={{%s}}", [env]), | ||
| "issueType": "IncorrectValue", | ||
| "keyExpectedValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is not set as true.", | ||
| "keyActualValue": "ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable is set as true.", | ||
| "searchLine": common_lib.build_search_line(["jobs", j, "steps", k, "env", "ACTIONS_ALLOW_UNSECURE_COMMANDS"],[]) | ||
| } | ||
| } | ||
|
|
||
|
|
||
|
|
||
|
|
16 changes: 16 additions & 0 deletions
16
assets/queries/cicd/github/unsecured_commands/test/negative.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| name: test-positive | ||
| on: | ||
| pull_request: | ||
| types: [opened, synchronize, edited, reopened] | ||
| branches: | ||
| - master | ||
| jobs: | ||
| test-positive: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: PR comment | ||
| uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411 | ||
| with: | ||
| comment_tag: title_check | ||
| mode: recreate | ||
| create_if_not_exists: true |
33 changes: 33 additions & 0 deletions
33
assets/queries/cicd/github/unsecured_commands/test/positive1.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| name: Vulnerable workflow | ||
|
|
||
| on: | ||
| pull_request_target | ||
|
|
||
| env: | ||
| # 1. Enable unsecure commands | ||
| ACTIONS_ALLOW_UNSECURE_COMMANDS: true | ||
| ENVIRONMENT_NAME: prod | ||
|
|
||
| jobs: | ||
| deploy: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # 2. Print github context | ||
| - run: | | ||
| print("""${{ toJSON(github) }}""") | ||
| shell: python | ||
| - name: Create new PR deployment | ||
| uses: actions/github-script@v5 | ||
| with: | ||
| # 3. Create deployment | ||
| script: | | ||
| return await github.rest.repos.createDeployment({ | ||
| ...context.repo, | ||
| ref: context.payload.pull_request.head.sha, | ||
| auto_merge: false, | ||
| required_contexts: [], | ||
| environment: "${{ env.ENVIRONMENT_NAME }}", | ||
| transient_environment: false, | ||
| production_environment: false, | ||
| }); | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} |
31 changes: 31 additions & 0 deletions
31
assets/queries/cicd/github/unsecured_commands/test/positive2.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| name: Vulnerable workflow | ||
|
|
||
| on: | ||
| pull_request_target | ||
|
|
||
|
|
||
| jobs: | ||
| deploy: | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| ACTIONS_ALLOW_UNSECURE_COMMANDS: true | ||
| steps: | ||
| # 2. Print github context | ||
| - run: | | ||
| print("""${{ toJSON(github) }}""") | ||
| shell: python | ||
| - name: Create new PR deployment | ||
| uses: actions/github-script@v5 | ||
| with: | ||
| # 3. Create deployment | ||
| script: | | ||
| return await github.rest.repos.createDeployment({ | ||
| ...context.repo, | ||
| ref: context.payload.pull_request.head.sha, | ||
| auto_merge: false, | ||
| required_contexts: [], | ||
| environment: "${{ env.ENVIRONMENT_NAME }}", | ||
| transient_environment: false, | ||
| production_environment: false, | ||
| }); | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} |
30 changes: 30 additions & 0 deletions
30
assets/queries/cicd/github/unsecured_commands/test/positive3.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| name: Vulnerable workflow | ||
|
|
||
| on: | ||
| pull_request_target | ||
|
|
||
| jobs: | ||
| deploy: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # 2. Print github context | ||
| - run: | | ||
| print("""${{ toJSON(github) }}""") | ||
| shell: python | ||
| - name: Create new PR deployment | ||
| env: | ||
| ACTIONS_ALLOW_UNSECURE_COMMANDS: true | ||
| uses: actions/github-script@v5 | ||
| with: | ||
| # 3. Create deployment | ||
| script: | | ||
| return await github.rest.repos.createDeployment({ | ||
| ...context.repo, | ||
| ref: context.payload.pull_request.head.sha, | ||
| auto_merge: false, | ||
| required_contexts: [], | ||
| environment: "${{ env.ENVIRONMENT_NAME }}", | ||
| transient_environment: false, | ||
| production_environment: false, | ||
| }); | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} |
20 changes: 20 additions & 0 deletions
20
assets/queries/cicd/github/unsecured_commands/test/positive_expected_result.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| [ | ||
| { | ||
| "queryName": "Unsecured Commands", | ||
| "severity": "MEDIUM", | ||
| "line": 8, | ||
| "fileName": "positive1.yaml" | ||
| }, | ||
| { | ||
| "queryName": "Unsecured Commands", | ||
| "severity": "MEDIUM", | ||
| "line": 11, | ||
| "fileName": "positive2.yaml" | ||
| }, | ||
| { | ||
| "queryName": "Unsecured Commands", | ||
| "severity": "MEDIUM", | ||
| "line": 16, | ||
| "fileName": "positive3.yaml" | ||
| } | ||
| ] |