Skip to content

Commit

Permalink
test semgrep (#9551)
Browse files Browse the repository at this point in the history 
* semgrep fix

* test semgrep

* add changeset

* change

* revert interface

* semgrep test

* add changeset

* revert

* delete changeset

* test

* changes

* fixes

---------

Co-authored-by: gradio-pr-bot <[email protected]>
  • Loading branch information
@abidlabs @gradio-pr-bot
abidlabs and gradio-pr-bot authored Oct 6, 2024
1 parent 99c9e26 commit 136c12f
Show file tree
Hide file tree
Showing 2 changed files with 98 additions and 33 deletions.
127 changes: 96 additions & 31 deletions .github/configs/semgrep_rules.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,45 +1,110 @@
rules:
- id: third-party-action-not-pinned-to-commit-sha
pattern-either:
- pattern: uses: $ACTION@$REF
metavariable-regex:
$ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
$REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$
- pattern: uses: $ACTION
metavariable-regex:
$ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
message: >
Third-party GitHub Action is not pinned to a specific commit SHA.
This can be a security risk as the action may be modified unexpectedly.
Consider using a full length commit SHA instead of a tag or branch name.
patterns:
- pattern-inside: "{steps: ...}"
- pattern: |
uses: "$USES"
- metavariable-pattern:
metavariable: $USES
language: generic
patterns:
- pattern-not-regex: ^[.]/
- pattern-not-regex: ^actions/
- pattern-not-regex: ^github/
- pattern-not-regex: ^gradio-app/gradio
- pattern-not-regex: ^gradio-app/github
- pattern-not-regex: "@[0-9a-f]{40}$"
- pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$
- pattern-not-regex: ^docker://docker$
message:
An action sourced from a third-party repository on GitHub is not pinned
to a full length commit SHA. Pinning an action to a full length commit SHA
is currently the only way to use an action as an immutable release.
Pinning to a particular SHA helps mitigate the risk of a bad actor adding
a backdoor to the action's repository, as they would need to generate a
SHA-1 collision for a valid Git object payload.
languages:
- yaml
severity: WARNING
languages: [yaml]
paths:
include:
- '**/workflows/*.yml'
- '**/workflows/*.yaml'
metadata:
cwe:
- "CWE-1357: Reliance on Insufficiently Trustworthy Component"
- "CWE-353: Missing Support for Integrity Check"
owasp: A06:2021 - Vulnerable and Outdated Components
references:
- https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
category: security
technology:
- github-actions
references:
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
subcategory:
- vuln
likelihood: LOW
impact: LOW
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
- Other

- id: insecure-file-permissions
pattern: os.chmod(..., $PERMS)
message: >
Detected a call to os.chmod() with potentially insecure permissions.
Ensure that file permissions are set correctly to prevent unauthorized access.
severity: WARNING
languages: [python]
languages:
- python
severity: ERROR
message: These permissions `$BITS` are widely permissive and grant access to
more people than may be necessary. A good default is `0o644` which gives
read and write access to yourself and read access to everyone else.
patterns:
- pattern-inside: os.$METHOD(...)
- pattern-either:
- patterns:
- pattern: os.$METHOD($FILE, $BITS, ...)
- metavariable-comparison:
comparison: $BITS >= 0o650 and $BITS < 0o100000
- patterns:
- pattern: os.$METHOD($FILE, $BITS)
- metavariable-comparison:
comparison: $BITS >= 0o100650
- patterns:
- pattern: os.$METHOD($FILE, $BITS, ...)
- metavariable-pattern:
metavariable: $BITS
patterns:
- pattern-either:
- pattern: <... stat.S_IWGRP ...>
- pattern: <... stat.S_IXGRP ...>
- pattern: <... stat.S_IWOTH ...>
- pattern: <... stat.S_IXOTH ...>
- pattern: <... stat.S_IRWXO ...>
- pattern: <... stat.S_IRWXG ...>
- patterns:
- pattern: os.$METHOD($FILE, $EXPR | $MOD, ...)
- metavariable-comparison:
comparison: $MOD == 0o111
- metavariable-pattern:
metavariable: $METHOD
patterns:
- pattern-either:
- pattern: chmod
- pattern: lchmod
- pattern: fchmod
metadata:
category: security
owasp:
- A01:2021 - Broken Access Control
cwe:
- "CWE-276: Incorrect Default Permissions"
technology:
- python
references:
- https://docs.python.org/3/library/os.html#os.chmod
- https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
fix-regex:
regex: os\.chmod\((.*?),\s*(.*?)\)
replacement: os.chmod($1, 0o600)

- https://owasp.org/Top10/A01_2021-Broken_Access_Control
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
4 changes: 2 additions & 2 deletions .github/workflows/website-deploy.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ jobs:
- name: Deploy Preview Website to Cloudflare Pages
if: needs.changes.outputs.pr_number != 'false'
id: cloudflare-preview
uses: cloudflare/wrangler-action@v3
uses: cloudflare/wrangler-action@93fff4f65695eb901ed8bbdaa2e6a3ead4f6b345
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
Expand All @@ -77,7 +77,7 @@ jobs:
- name: Deploy Production Website to Cloudflare Pages
if: needs.changes.outputs.source_repo == 'gradio-app/gradio' && needs.changes.outputs.source_branch == 'refs/heads/main'
id: cloudflare-production
uses: cloudflare/wrangler-action@v3
uses: cloudflare/wrangler-action@93fff4f65695eb901ed8bbdaa2e6a3ead4f6b345
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
Expand Down

0 comments on commit 136c12f

Please sign in to comment.