From bbd045e820a293927a18821051cf133e39044d8e Mon Sep 17 00:00:00 2001
From: Anton Abashkin
Date: Thu, 8 Aug 2024 16:41:02 -0600
Subject: [PATCH 1/3] Rule: OpenAI isConsequential flag set to false for state changing operation in OpenAPI spec
---
...penai-consequential-action-false.test.yaml | 19 +++++++++
.../openai-consequential-action-false.yaml | 40 +++++++++++++++++++
2 files changed, 59 insertions(+)
create mode 100644 yaml/openapi/security/openai-consequential-action-false.test.yaml
create mode 100644 yaml/openapi/security/openai-consequential-action-false.yaml
diff --git a/yaml/openapi/security/openai-consequential-action-false.test.yaml b/yaml/openapi/security/openai-consequential-action-false.test.yaml
new file mode 100644
index 0000000000..373b6ce7c3
--- /dev/null
+++ b/yaml/openapi/security/openai-consequential-action-false.test.yaml
@@ -0,0 +1,19 @@
+openapi: 3.1.0
+info:
+ title: Email Service API
+ version: 1.0.0
+ description: API for managing emails
+paths:
+ /emails/{emailId}:
+ get:
+ operationId: getEmailById
+ # ok: openai-consequential-action-false
+ x-openai-isConsequential: false
+ summary: List Emails
+ description: Get a list of email messages.
+ delete:
+ operationId: deleteEmailById
+ # ruleid: openai-consequential-action-false
+ x-openai-isConsequential: false
+ summary: Delete Email
+ description: Delete a specific email.
diff --git a/yaml/openapi/security/openai-consequential-action-false.yaml b/yaml/openapi/security/openai-consequential-action-false.yaml
new file mode 100644
index 0000000000..0d03c77319
--- /dev/null
+++ b/yaml/openapi/security/openai-consequential-action-false.yaml
@@ -0,0 +1,40 @@
+rules:
+ - id: openai-consequential-action-false
+ languages: [yaml]
+ message: >-
+ Found 'x-openai-isConsequential: false' in a state changing HTTP
+ method: $METHOD $PATH . This Action configuration will enable the 'Always
+ Allow' option for state changing HTTP methods, such as POST, PUT, PATCH,
+ or DELETE. The risk of a user selecting the 'Always Allow' button is that
+ the agent could perform unintended actions on behalf of the user. When
+ working with sensitive functionality, it is always best to include a Human
+ In The Loop (HITL) type of control. Consider the trade off between security
+ and user friction and then make a risk based decision about this function.
+ severity: WARNING
+ patterns:
+ - pattern-inside: |
+ $PATH:
+ ...
+ $METHOD: ...
+ - metavariable-regex:
+ metavariable: $METHOD
+ regex: (POST|post|PUT|put|PATCH|patch|DELETE|delete)
+ - pattern: |
+ x-openai-isConsequential: false
+ metadata:
+ category: security
+ subcategory:
+ - vuln
+ technology:
+ - openapi
+ - openai
+ likelihood: HIGH
+ impact: HIGH
+ confidence: HIGH
+ owasp:
+ - 'A04:2021 Insecure Design'
+ - 'LLM08:2023 - Excessive Agency'
+ references:
+ - https://platform.openai.com/docs/actions/consequential-flag
+ - https://owasp.org/Top10/A04_2021-Insecure_Design/
+ - https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf
From ed1d78fc886f0b40395cdfd8d161da4779d542fa Mon Sep 17 00:00:00 2001
From: Anton Abashkin
Date: Thu, 8 Aug 2024 16:44:49 -0600
Subject: [PATCH 2/3] set subcategory to audit instead of vuln
---
yaml/openapi/security/openai-consequential-action-false.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yaml/openapi/security/openai-consequential-action-false.yaml b/yaml/openapi/security/openai-consequential-action-false.yaml
index 0d03c77319..13d142145c 100644
--- a/yaml/openapi/security/openai-consequential-action-false.yaml
+++ b/yaml/openapi/security/openai-consequential-action-false.yaml @@ -24,7 +24,7 @@ rules: metadata: category: security subcategory: - - vuln + - audit technology: - openapi - openai From 120b542e278b5fb579cda4877c740bb32bd12c20 Mon Sep 17 00:00:00 2001 From: Anton Abashkin Date: Tue, 13 Aug 2024 16:37:06 -0600 Subject: [PATCH 3/3] alternative approach --- ...penai-consequential-action-false.test.yaml | 26 +++++++++++++-- .../openai-consequential-action-false.yaml | 33 +++++++++++-------- 2 files changed, 44 insertions(+), 15 deletions(-) diff --git a/yaml/openapi/security/openai-consequential-action-false.test.yaml b/yaml/openapi/security/openai-consequential-action-false.test.yaml index 373b6ce7c3..28eb92ebea 100644 --- a/yaml/openapi/security/openai-consequential-action-false.test.yaml +++ b/yaml/openapi/security/openai-consequential-action-false.test.yaml @@ -5,15 +5,37 @@ info: description: API for managing emails paths: /emails/{emailId}: + # ok: openai-consequential-action-false get: operationId: getEmailById - # ok: openai-consequential-action-false x-openai-isConsequential: false summary: List Emails description: Get a list of email messages. + + # ruleid: openai-consequential-action-false delete: operationId: deleteEmailById - # ruleid: openai-consequential-action-false x-openai-isConsequential: false summary: Delete Email description: Delete a specific email. + + # ruleid: openai-consequential-action-false + post: + operationId: createEmail + x-openai-isConsequential: false + summary: Create Email + description: Create a new email. + + # ruleid: openai-consequential-action-false + put: + operationId: updateEmail + x-openai-isConsequential: false + summary: Update Email + description: Update an existing email. + + # ruleid: openai-consequential-action-false + patch: + operationId: partialUpdateEmail + x-openai-isConsequential: false + summary: Partially Update Email + description: Update certain fields of an existing email. 
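Review bot: Every state-changing operation added to this test file (`post`, `put`, `patch`, `delete`) carries `x-openai-isConsequential: false`, so the suite only exercises the positive case and nothing proves the rule stays silent when the flag is `true` or omitted on a mutating method — the two spellings the rule's own message steers users toward. As I read the OpenAI page the rule references, an absent flag defaults to consequential for non-GET operations, so the omitted-flag form is the realistic safe configuration and deserves an `# ok:` case of its own. A second path with one `# ok:` operation per variant closes the gap; the file's `paths:` mapping is context here, so the block slots in beneath the existing `/emails/{emailId}` item.

```yaml
  /emails:
    # ok: openai-consequential-action-false
    post:
      operationId: sendEmail
      x-openai-isConsequential: true
      summary: Send Email
      description: Explicitly consequential; must never be 'Always Allow'.
    # ok: openai-consequential-action-false
    put:
      operationId: replaceDraft
      summary: Replace Draft
      description: No flag set; non-GET operations default to consequential.
```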
diff --git a/yaml/openapi/security/openai-consequential-action-false.yaml b/yaml/openapi/security/openai-consequential-action-false.yaml index 13d142145c..d54163e597 100644 --- a/yaml/openapi/security/openai-consequential-action-false.yaml +++ b/yaml/openapi/security/openai-consequential-action-false.yaml @@ -2,25 +2,32 @@ rules: - id: openai-consequential-action-false languages: [yaml] message: >- - Found 'x-openai-isConsequential: false' in a state changing HTTP - method: $METHOD $PATH . This Action configuration will enable the 'Always - Allow' option for state changing HTTP methods, such as POST, PUT, PATCH, + Found 'x-openai-isConsequential: false' in a state-changing HTTP + method: $METHOD $PATH. This Action configuration will enable the 'Always + Allow' option for state-changing HTTP methods, such as POST, PUT, PATCH, or DELETE. The risk of a user selecting the 'Always Allow' button is that the agent could perform unintended actions on behalf of the user. When working with sensitive functionality, it is always best to include a Human - In The Loop (HITL) type of control. Consider the trade off between security - and user friction and then make a risk based decision about this function. + In The Loop (HITL) type of control. Consider the trade-off between security + and user friction and then make a risk-based decision about this function. severity: WARNING - patterns: + pattern-either: - pattern-inside: | - $PATH: + post: ... - $METHOD: ... - - metavariable-regex: - metavariable: $METHOD - regex: (POST|post|PUT|put|PATCH|patch|DELETE|delete) - - pattern: | - x-openai-isConsequential: false + x-openai-isConsequential: false + - pattern-inside: | + put: + ... + x-openai-isConsequential: false + - pattern-inside: | + patch: + ... + x-openai-isConsequential: false + - pattern-inside: | + delete: + ... + x-openai-isConsequential: false metadata: category: security subcategory:
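Review bot: The reworded message still interpolates `$METHOD $PATH` (`method: $METHOD $PATH. This Action configuration ...`), but the rewritten `pattern-either` binds no metavariables, so every finding will print the literal placeholders; either drop them — `Found 'x-openai-isConsequential: false' on a state-changing HTTP method (POST, PUT, PATCH or DELETE).` — or keep a `$METHOD:` key with a `metavariable-regex` in each alternative so the operation is named. Each alternative is a bare `pattern-inside` with no sibling `pattern`; if Semgrep accepts that, the reported range is the whole operation mapping, which is what moving the `# ruleid:` annotations onto the `post:`/`delete:` lines in the test file assumes — worth confirming with `semgrep --validate` and the test run rather than relying on it. Restricting the keys to lowercase `post`/`put`/`patch`/`delete` is fine because OpenAPI path-item operation keys are lowercase, and not flagging an absent flag is deliberate-looking and correct as far as I can tell from the linked OpenAI page (non-GET operations default to consequential); a one-line comment above `pattern-either:` saying so, e.g. `# Only an explicit 'false' is unsafe: a missing flag defaults to consequential for non-GET operations.`, would stop the next maintainer from "fixing" it.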