Skip to content

Latest commit

 

History

History
173 lines (132 loc) · 6.01 KB

RULES.md

File metadata and controls

173 lines (132 loc) · 6.01 KB

Rules

All rules supported by ades are listed and explained in this document, including an example of how to address it.

ADES100 - Expression in run: directive

When an expression appears in a run: directive you can avoid potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

- name: Example step
  run: |
    echo 'Hello ${{ inputs.name }}'

it can be made safer by converting it into:

- name: Example step
  env:
    NAME: ${{ inputs.name }} # <- Assign the expression to an environment variable
  run: |
    echo "Hello $NAME"
#        ^      ^^^^^
#        |      | Replace the expression with the environment variable
#        |
#        | Note: the use of double quotes is required in this example (for interpolation)

Note that the changes depend on the runner and shell being used. For example, on Windows (or when using shell: powershell) the environment variable must be accessed as $Env:NAME.

ADES101 - Expression in actions/github-script script

When an expression appears in a actions/github-script script you can avoid potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

- name: Example step
  uses: actions/github-script@v6
  with:
    script: console.log('Hello ${{ inputs.name }}')

it can be made safer by converting it into:

- name: Example step
  uses: actions/github-script@v6
  env:
    NAME: ${{ inputs.name }} # <- Assign the expression to an environment variable
  with:
    script: console.log(`Hello ${process.env.NAME}`)
#                       ^      ^^^^^^^^^^^^^^^^^^^
#                       |      | Replace the expression with the environment variable
#                       |
#                       | Note: the use of backticks is required in this example (for interpolation)

ADES102 - Expression in roots/issue-closer issue close message

When an expression appears in the issue close message of roots/issue-closer it is interpreted as an ES6-style template literal. You can avoid potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

- name: Example step
  uses: roots/issue-closer@v1
  with:
    issue-close-message: Closing ${{ github.event.issue.title }}

it can be made safer by converting it into:

- name: Example step
  uses: roots/issue-closer@v1
  env:
    NAME: ${{ github.event.issue.title }} # <- Assign the expression to an environment variable
  with:
    issue-close-message: Closing ${process.env.NAME}
  #                              ^^^^^^^^^^^^^^^^^^^
  #                              | Replace the expression with the environment variable

ADES103 - Expression in roots/issue-closer pull request close message

When an expression appears in the pull request close message of roots/issue-closer it is interpreted as an ES6-style template literal. You can avoid potential attacks by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

- name: Example step
  uses: roots/issue-closer@v1
  with:
    pr-close-message: Closing ${{ github.event.issue.title }}

it can be made safer by converting it into:

- name: Example step
  uses: roots/issue-closer@v1
  env:
    NAME: ${{ github.event.issue.title }} # <- Assign the expression to an environment variable
  with:
    pr-close-message: Closing ${process.env.NAME}
  #                           ^^^^^^^^^^^^^^^^^^^
  #                           | Replace the expression with the environment variable

ADES104 - Expression in sergeysova/jq-action command

When an expression appears in the command input of sergeysova/jq-action you can avoid any potential attack by extracting the expression into an environment variable and using the environment variable instead.

For example, given the workflow snippet:

- name: Example step
  uses: sergeysova/jq-action@v2
  with:
    cmd: jq .version ${{ github.event.inputs.file }} -r

it can be made safer by converting it into:

- name: Example step
  uses: sergeysova/jq-action@v2
  env:
    FILE: ${{ github.event.inputs.file }} # <- Assign the expression to an environment variable
  with:
  #                  | Note: use double quotes to avoid argument splitting
  #                  v
    cmd: jq .version "$FILE" -r
  #                   ^^^^^
  #                   | Replace the expression with the environment variable

ADES200 - Expression in ericcornelissen/git-tag-annotation-action tag input

When an expression is used in the tag input for ericcornelissen/git-tag-annotation-action in v1.0.0 or earlier it may be used to execute arbitrary shell commands, see GHSA-hgx2-4pp9-357g. To mitigate this, upgrade the action to a non-vulnerable version.

ADES201 - Expression in kceb/git-message-action sha input

When an expression is used in the sha input for kceb/git-message-action in v1.1.0 or earlier it may be used to execute arbitrary shell commands (no vulnerability identifier available). To mitigate this, upgrade the action to a non-vulnerable version.

ADES202 - Expression in atlassian/gajira-create summary input

When an expression is used in the summary input for atlassian/gajira-create in v2.0.0 or earlier it may be used to execute arbitrary JavaScript code, see GHSA-4xqx-pqpj-9fqw. To mitigate this, upgrade the action to a non-vulnerable version.