New Published Rules - akeyless_appsec.unsafe-add-mask-workflow-command (#3411)

* add akeyless_appsec/unsafe-add-mask-workflow-command.yaml

* add akeyless_appsec/unsafe-add-mask-workflow-command.yaml

* move unsafe-add-mask-workflow-command to github-actions folder

* update unsafe-add-mask-workflow-command rule

* update unsafe-add-mask-workflow-command rule

---------

Co-authored-by: semgrep.dev <[email protected]>
Co-authored-by: Vasilii <[email protected]>
3 people authored Jul 2, 2024
1 parent b01bbdb commit bf733d3
Showing 2 changed files with 75 additions and 0 deletions.
@@ -0,0 +1,38 @@
name: Test Workflow

on:
push:
branches:
- main

jobs:
test-job:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Setup Python
uses: actions/setup-python@v2
with:
python-version: '3.8'

- name: Run script to generate token
run: |
TOKEN=$(openssl rand -hex 16)
# ruleid: unsafe-add-mask-workflow-command
echo "::add-mask::$TOKEN"
echo "TOKEN=$TOKEN" >> $GITHUB_ENV
- name: Use the token
run: |
echo "Using the token in the next step"
curl -H "Authorization: Bearer $TOKEN" https://api.example.com
- name: Print GitHub context
run: |
echo "GitHub context:"
echo "${{ toJSON(github) }}"
# ruleid: unsafe-add-mask-workflow-command
echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
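Review bot: The fixture carries only positive cases (the two `# ruleid:` annotations) and no `# ok:` case, so the Semgrep test cannot show that the rule stays quiet on a workflow that never emits `::add-mask::`; add a step that writes a value to `$GITHUB_ENV` without masking it, annotated `# ok: unsafe-add-mask-workflow-command`, so the negative path is covered too. The second positive case also masks `${{ secrets.GITHUB_TOKEN }}`, which GitHub already redacts from logs on its own, so it does not exercise the scenario the rule message describes (a value generated inside the job, like `TOKEN=$(openssl rand -hex 16)` in the first step); a second dynamically generated value would be the more representative fixture. Separately, the `Print GitHub context` step interpolates `${{ toJSON(github) }}` and `${{ secrets.GITHUB_TOKEN }}` straight into the `run:` script; the `github` context contains attacker-influenced fields such as pull request titles, so this is the expression-injection pattern and it will make the fixture noisy under any other Actions rules. If the only intent is to produce a `::add-mask::` line, pass the values through `env:` instead of inlining the expressions. Minor: `$GITHUB_ENV` on the `echo "TOKEN=$TOKEN" >> $GITHUB_ENV` line should be quoted, and `actions/checkout@v2` and `actions/setup-python@v2` are superseded majors.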
@@ -0,0 +1,37 @@
rules:
- id: unsafe-add-mask-workflow-command
patterns:
- pattern-regex: '::add-mask::'
languages:
- yaml
severity: WARNING
message: GitHub Actions provides the **'add-mask'** workflow command to mask sensitive
data in the workflow logs. If **'add-mask'** is not used or if workflow commands
have been stopped, sensitive data can leaked into the workflow logs. An attacker
could simply copy the workflow to another branch and add the following payload
`echo "::stop-commands::$stopMarker"` to stop workflow command processing ([described
here](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#stopping-and-starting-workflow-commands)),
which will cause the secret token to be exposed despite the **'add-mask'** usage.
For more information, please refer to the [GitHub documentation](https://github.com/actions/toolkit/blob/main/docs/commands.md#register-a-secret).
metadata:
cwe:
- 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
owasp: A06:2017 - Security Misconfiguration
category: security
technology:
- github-actions
subcategory:
- audit
likelihood: LOW
impact: MEDIUM
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Dangerous Method or Function
references:
- https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
- https://github.com/actions/runner/issues/159
- https://github.com/actions/runner/issues/475
- https://github.com/actions/runner/issues/807
- https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-sensitive-data-in-workflows
- https://github.com/github/docs/blob/main/content/actions/using-workflows/workflow-commands-for-github-actions.md#masking-a-value-in-a-log
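Review bot: The message contradicts what the pattern flags: it opens by saying `add-mask` is the command that masks sensitive data and that omitting it leaks secrets, yet `pattern-regex: '::add-mask::'` fires on every use of that command. Lead with the actual finding instead: a value masked only by `::add-mask::` in a `run:` step is not protected against anyone who can modify the workflow, because `echo "::stop-commands::$stopMarker"` disables command processing and the masking with it, so masking at echo time is not a substitute for keeping the value out of the log (write it to `$GITHUB_ENV` or `$GITHUB_OUTPUT` without echoing it, or store it as a repository or environment secret so GitHub redacts it automatically). While there, fix "sensitive data can leaked" to "sensitive data can be leaked". The regex itself is unanchored and is applied to the whole YAML text, so it also matches the string inside comments and `name:`/description strings; narrowing it with a `pattern-inside` limited to `run:` blocks (or at minimum excluding `#`-prefixed lines) would cut the false positives that the `confidence: LOW` and `likelihood: LOW` metadata already concede. The `patterns:` wrapper around a single `pattern-regex` can also be dropped for a bare `pattern-regex:` key.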
