-
Notifications
You must be signed in to change notification settings - Fork 390
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New Published Rules - akeyless_appsec.unsafe-add-mask-workflow-command (
#3411) * add akeyless_appsec/unsafe-add-mask-workflow-command.yaml * add akeyless_appsec/unsafe-add-mask-workflow-command.yaml * move unsafe-add-mask-workflow-command to github-actions folder * update unsafe-add-mask-workflow-command rule * update unsafe-add-mask-workflow-command rule --------- Co-authored-by: semgrep.dev <[email protected]> Co-authored-by: Vasilii <[email protected]>
- Loading branch information
1 parent
b01bbdb
commit bf733d3
Showing
2 changed files
with
75 additions
and
0 deletions.
There are no files selected for viewing
38 changes: 38 additions & 0 deletions
38
yaml/github-actions/security/audit/unsafe-add-mask-workflow-command.test.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
name: Test Workflow | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
|
||
jobs: | ||
test-job: | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v2 | ||
|
||
- name: Setup Python | ||
uses: actions/setup-python@v2 | ||
with: | ||
python-version: '3.8' | ||
|
||
- name: Run script to generate token | ||
run: | | ||
TOKEN=$(openssl rand -hex 16) | ||
# ruleid: unsafe-add-mask-workflow-command | ||
echo "::add-mask::$TOKEN" | ||
echo "TOKEN=$TOKEN" >> $GITHUB_ENV | ||
- name: Use the token | ||
run: | | ||
echo "Using the token in the next step" | ||
curl -H "Authorization: Bearer $TOKEN" https://api.example.com | ||
- name: Print GitHub context | ||
run: | | ||
echo "GitHub context:" | ||
echo "${{ toJSON(github) }}" | ||
# ruleid: unsafe-add-mask-workflow-command | ||
echo "::add-mask::${{ secrets.GITHUB_TOKEN }}" |
37 changes: 37 additions & 0 deletions
37
yaml/github-actions/security/audit/unsafe-add-mask-workflow-command.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
rules: | ||
- id: unsafe-add-mask-workflow-command | ||
patterns: | ||
- pattern-regex: '::add-mask::' | ||
languages: | ||
- yaml | ||
severity: WARNING | ||
message: GitHub Actions provides the **'add-mask'** workflow command to mask sensitive | ||
data in the workflow logs. If **'add-mask'** is not used or if workflow commands | ||
have been stopped, sensitive data can leaked into the workflow logs. An attacker | ||
could simply copy the workflow to another branch and add the following payload | ||
`echo "::stop-commands::$stopMarker"` to stop workflow command processing ([described | ||
here](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#stopping-and-starting-workflow-commands)), | ||
which will cause the secret token to be exposed despite the **'add-mask'** usage. | ||
For more information, please refer to the [GitHub documentation](https://github.com/actions/toolkit/blob/main/docs/commands.md#register-a-secret). | ||
metadata: | ||
cwe: | ||
- 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor' | ||
owasp: A06:2017 - Security Misconfiguration | ||
category: security | ||
technology: | ||
- github-actions | ||
subcategory: | ||
- audit | ||
likelihood: LOW | ||
impact: MEDIUM | ||
confidence: LOW | ||
license: Commons Clause License Condition v1.0[LGPL-2.1-only] | ||
vulnerability_class: | ||
- Dangerous Method or Function | ||
references: | ||
- https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/ | ||
- https://github.com/actions/runner/issues/159 | ||
- https://github.com/actions/runner/issues/475 | ||
- https://github.com/actions/runner/issues/807 | ||
- https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-sensitive-data-in-workflows | ||
- https://github.com/github/docs/blob/main/content/actions/using-workflows/workflow-commands-for-github-actions.md#masking-a-value-in-a-log |