From c9340bcbd1d1a65c1742a0f39262831d09225a61 Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo <19227040+gedigi@users.noreply.github.com>
Date: Mon, 7 Aug 2023 18:31:45 +0000
Subject: [PATCH 1/5] add semgrep for github workflows
---
 .../pull-request-target-code-checkout.yaml | 59 +++++++++++++++++++
 .github/workflows/semgrep.yaml | 25 ++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 .github/linters/semgrep/pull-request-target-code-checkout.yaml
 create mode 100644 .github/workflows/semgrep.yaml
diff --git a/.github/linters/semgrep/pull-request-target-code-checkout.yaml b/.github/linters/semgrep/pull-request-target-code-checkout.yaml
new file mode 100644
index 0000000000000..1348d505f6c36
--- /dev/null
+++ b/.github/linters/semgrep/pull-request-target-code-checkout.yaml
@@ -0,0 +1,59 @@
+rules:
+ - id: pull-request-target-code-checkout
+ languages:
+ - yaml
+ message: This GitHub Actions workflow file uses `pull_request_target` and checks
+ out code from the incoming pull request. When using `pull_request_target`,
+ the Action runs in the context of the target repository, which includes
+ access to all repository secrets. Please ensure you have `permission-check`
+ enabled for the jobs that check out code. Please see
+ https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ for additional mitigations.
+ metadata:
+ category: security
+ owasp:
+ - A01:2021 - Broken Access Control
+ cwe:
+ - "CWE-913: Improper Control of Dynamically-Managed Code Resources"
+ references:
+ - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md
+ technology:
+ - github-actions
+ subcategory:
+ - audit
+ likelihood: MEDIUM
+ impact: LOW
+ confidence: MEDIUM
+ license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+ vulnerability_class:
+ - Code Injection
+ patterns:
+ - pattern-either:
+ - pattern-inside: |
+ on:
+ ...
+ pull_request_target: ...
+ ...
+ ...
+ - pattern-inside: |
+ on: [..., pull_request_target, ...]
+ ...
+ - pattern-inside: |
+ on: pull_request_target
+ ...
+ - pattern-inside: |
+ jobs:
+ ...
+ $JOBNAME:
+ ...
+ - pattern-not-inside: |
+ needs: [permission-check]
+ ...
+ - pattern: |
+ ...
+ uses: "$ACTION"
+ - metavariable-regex:
+ metavariable: $ACTION
+ regex: actions/checkout@.*
+ severity: WARNING
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
new file mode 100644
index 0000000000000..bdfc971bd5d0f
--- /dev/null
+++ b/.github/workflows/semgrep.yaml
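Review bot: The exclusion `pattern-not-inside: needs: [permission-check]` matches only that exact single-element flow list, so a job that declares `needs: [permission-check, build]`, a block-style list, or the scalar form `needs: permission-check` is still reported even though it is gated. This hunk already relies on ellipsis inside a flow sequence for `on: [..., pull_request_target, ...]`; writing the exclusion as `needs: [..., permission-check, ...]` should cover the multi-element case by the same mechanism, and a second `pattern-not-inside` for `needs: permission-check` would cover the scalar form — worth confirming against semgrep's YAML matcher with a fixture for each. The gate is also purely by job name, so the rule cannot tell whether a job called permission-check actually enforces anything; a comment above `pattern-not-inside` saying `# suppresses only on the job name; does not verify what permission-check does` would keep readers from reading the absence of a finding as proof. Finally `impact: LOW` sits oddly next to a message describing access to all repository secrets; consider aligning the metadata with the message.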
@@ -0,0 +1,25 @@
+name: Semgrep
+
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - '.github/**'
+
+jobs:
+ semgrep:
+ name: semgrep/ci
+ runs-on: ubuntu-latest
+
+ container:
+ image: returntocorp/semgrep
+
+ # Skip any PR created by dependabot to avoid permission issues:
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - uses: actions/checkout@v3
+ - run: semgrep ci
+ env:
+ SEMGREP_RULES: >-
+ ./.github/linters/semgrep/pull-request-target-code-checkout.yaml
\ No newline at end of file
From fbbeefc39256ffffb031a9575d411576d565edb9 Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo
Date: Mon, 7 Aug 2023 11:43:44 -0700
Subject: [PATCH 2/5] Update semgrep.yaml
---
 .github/workflows/semgrep.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index bdfc971bd5d0f..c673b7a3cd8c9 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -22,4 +22,4 @@ jobs:
 - run: semgrep ci
 env:
 SEMGREP_RULES: >-
- ./.github/linters/semgrep/pull-request-target-code-checkout.yaml
\ No newline at end of file
+ ./.github/linters/semgrep/pull-request-target-code-checkout.yaml
From 2a3546efaf17168484d6ec7e6344f0cbcea4d4cc Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo
Date: Tue, 8 Aug 2023 20:03:51 +0000
Subject: [PATCH 3/5] temp remove permission-check to test semgrep
---
 .github/workflows/faucet-tests.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/faucet-tests.yaml b/.github/workflows/faucet-tests.yaml
index 3cbf843126550..742cd80ec31b3 100644
--- a/.github/workflows/faucet-tests.yaml
+++ b/.github/workflows/faucet-tests.yaml
@@ -25,7 +25,6 @@ jobs:
 comment-not-permitted: Sorry, you don't have permission to trigger this workflow.
 
 run-tests-devnet:
- needs: [permission-check]
 runs-on: high-perf-docker
 steps:
 - uses: actions/checkout@v3
From d9bbe02021fe42a5622b0be2c07e4814888635d2 Mon Sep 17 00:00:00 2001
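Review bot: `image: returntocorp/semgrep` carries no tag or digest, so each run pulls whatever the image's `latest` tag currently points at, and `actions/checkout@v3` is likewise a mutable tag; for a job that runs with the repository's `GITHUB_TOKEN` both should be pinned, e.g. `image: returntocorp/semgrep@sha256:<digest>` (placeholder digest) and the checkout action pinned to a full commit SHA with the version in a trailing comment. The workflow also declares no `permissions:` block, so the token receives the repository's default permission set; a top-level `permissions:` with `contents: read` appears to be all that checking out and scanning the tree requires, and anything more can be granted per job if `semgrep ci` turns out to need it. The `# Skip any PR created by dependabot` comment describes a pull-request event, but at this point the only triggers are `workflow_dispatch` and `push`; either the comment or the trigger list is out of step.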
From: Gerardo Di Giacomo
Date: Tue, 8 Aug 2023 20:49:31 +0000
Subject: [PATCH 4/5] revert workflow changes
---
 .github/workflows/faucet-tests.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/faucet-tests.yaml b/.github/workflows/faucet-tests.yaml
index 742cd80ec31b3..3cbf843126550 100644
--- a/.github/workflows/faucet-tests.yaml
+++ b/.github/workflows/faucet-tests.yaml
@@ -25,6 +25,7 @@ jobs:
 comment-not-permitted: Sorry, you don't have permission to trigger this workflow.
 
 run-tests-devnet:
+ needs: [permission-check]
 runs-on: high-perf-docker
 steps:
 - uses: actions/checkout@v3
From b76f8b755d278a5b1723c388da8a2bef55627b03 Mon Sep 17 00:00:00 2001
From: Gerardo Di Giacomo
Date: Tue, 8 Aug 2023 15:41:41 -0700
Subject: [PATCH 5/5] Update semgrep.yaml
---
 .github/workflows/semgrep.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml
index c673b7a3cd8c9..320f35904f60e 100644
--- a/.github/workflows/semgrep.yaml
+++ b/.github/workflows/semgrep.yaml
@@ -2,9 +2,8 @@ name: Semgrep
 
 on:
 workflow_dispatch:
- push:
- paths:
- - '.github/**'
+ pull_request:
+ types: [labeled, opened, synchronize, reopened, auto_merge_enabled]
 
 jobs:
 semgrep:
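Review bot: With `push:` dropped in the PATCH 5/5 hunk, the rule set is evaluated only on pull requests and never on the default branch itself, so a workflow file changed by a direct push, or by a PR merged while the check was skipped or pending, is never scanned. The `paths` filter went away with it, so the job now runs on every pull request even though the only rule in `SEMGREP_RULES` matches GitHub workflow files. Consider keeping `push:` restricted to the default branch alongside the new `pull_request:` block, e.g. `push:` / `branches: [<default-branch>]` (placeholder), and restoring `paths: ['.github/**']` under both events if the scan is meant to cover only workflow changes.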