|
1 | 1 | rules:
|
2 | 2 | - id: third-party-action-not-pinned-to-commit-sha
|
3 |
| - pattern-either: |
4 |
| - - pattern: uses: $ACTION@$REF |
5 |
| - metavariable-regex: |
6 |
| - $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$ |
7 |
| - $REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$ |
8 |
| - - pattern: uses: $ACTION |
9 |
| - metavariable-regex: |
10 |
| - $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$ |
11 |
| - message: > |
12 |
| - Third-party GitHub Action is not pinned to a specific commit SHA. |
13 |
| - This can be a security risk as the action may be modified unexpectedly. |
14 |
| - Consider using a full length commit SHA instead of a tag or branch name. |
| 3 | + patterns: |
| 4 | + - pattern-inside: "{steps: ...}" |
| 5 | + - pattern: | |
| 6 | + uses: "$USES" |
| 7 | + - metavariable-pattern: |
| 8 | + metavariable: $USES |
| 9 | + language: generic |
| 10 | + patterns: |
| 11 | + - pattern-not-regex: ^[.]/ |
| 12 | + - pattern-not-regex: ^actions/ |
| 13 | + - pattern-not-regex: ^github/ |
| 14 | + - pattern-not-regex: ^gradio-app/gradio |
| 15 | + - pattern-not-regex: ^gradio-app/github |
| 16 | + - pattern-not-regex: "@[0-9a-f]{40}$" |
| 17 | + - pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$ |
| 18 | + - pattern-not-regex: ^docker://docker$ |
| 19 | + message: |
| 20 | + An action sourced from a third-party repository on GitHub is not pinned |
| 21 | + to a full length commit SHA. Pinning an action to a full length commit SHA |
| 22 | + is currently the only way to use an action as an immutable release. |
| 23 | + Pinning to a particular SHA helps mitigate the risk of a bad actor adding |
| 24 | + a backdoor to the action's repository, as they would need to generate a |
| 25 | + SHA-1 collision for a valid Git object payload. |
| 26 | + languages: |
| 27 | + - yaml |
15 | 28 | severity: WARNING
|
16 |
| - languages: [yaml] |
17 |
| - paths: |
18 |
| - include: |
19 |
| - - '**/workflows/*.yml' |
20 |
| - - '**/workflows/*.yaml' |
21 | 29 | metadata:
|
| 30 | + cwe: |
| 31 | + - "CWE-1357: Reliance on Insufficiently Trustworthy Component" |
| 32 | + - "CWE-353: Missing Support for Integrity Check" |
| 33 | + owasp: A06:2021 - Vulnerable and Outdated Components |
| 34 | + references: |
| 35 | + - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components |
| 36 | + - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions |
22 | 37 | category: security
|
23 | 38 | technology:
|
24 | 39 | - github-actions
|
25 |
| - references: |
26 |
| - - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions |
| 40 | + subcategory: |
| 41 | + - vuln |
| 42 | + likelihood: LOW |
| 43 | + impact: LOW |
| 44 | + confidence: HIGH |
| 45 | + license: Commons Clause License Condition v1.0[LGPL-2.1-only] |
| 46 | + vulnerability_class: |
| 47 | + - Cryptographic Issues |
| 48 | + - Other |
27 | 49 |
|
28 | 50 | - id: insecure-file-permissions
|
29 |
| - pattern: os.chmod(..., $PERMS) |
30 |
| - message: > |
31 |
| - Detected a call to os.chmod() with potentially insecure permissions. |
32 |
| - Ensure that file permissions are set correctly to prevent unauthorized access. |
33 |
| - severity: WARNING |
34 |
| - languages: [python] |
| 51 | + languages: |
| 52 | + - python |
| 53 | + severity: ERROR |
| 54 | + message: These permissions `$BITS` are widely permissive and grant access to |
| 55 | + more people than may be necessary. A good default is `0o644` which gives |
| 56 | + read and write access to yourself and read access to everyone else. |
| 57 | + patterns: |
| 58 | + - pattern-inside: os.$METHOD(...) |
| 59 | + - pattern-either: |
| 60 | + - patterns: |
| 61 | + - pattern: os.$METHOD($FILE, $BITS, ...) |
| 62 | + - metavariable-comparison: |
| 63 | + comparison: $BITS >= 0o650 and $BITS < 0o100000 |
| 64 | + - patterns: |
| 65 | + - pattern: os.$METHOD($FILE, $BITS) |
| 66 | + - metavariable-comparison: |
| 67 | + comparison: $BITS >= 0o100650 |
| 68 | + - patterns: |
| 69 | + - pattern: os.$METHOD($FILE, $BITS, ...) |
| 70 | + - metavariable-pattern: |
| 71 | + metavariable: $BITS |
| 72 | + patterns: |
| 73 | + - pattern-either: |
| 74 | + - pattern: <... stat.S_IWGRP ...> |
| 75 | + - pattern: <... stat.S_IXGRP ...> |
| 76 | + - pattern: <... stat.S_IWOTH ...> |
| 77 | + - pattern: <... stat.S_IXOTH ...> |
| 78 | + - pattern: <... stat.S_IRWXO ...> |
| 79 | + - pattern: <... stat.S_IRWXG ...> |
| 80 | + - patterns: |
| 81 | + - pattern: os.$METHOD($FILE, $EXPR | $MOD, ...) |
| 82 | + - metavariable-comparison: |
| 83 | + comparison: $MOD == 0o111 |
| 84 | + - metavariable-pattern: |
| 85 | + metavariable: $METHOD |
| 86 | + patterns: |
| 87 | + - pattern-either: |
| 88 | + - pattern: chmod |
| 89 | + - pattern: lchmod |
| 90 | + - pattern: fchmod |
35 | 91 | metadata:
|
36 | 92 | category: security
|
| 93 | + owasp: |
| 94 | + - A01:2021 - Broken Access Control |
| 95 | + cwe: |
| 96 | + - "CWE-276: Incorrect Default Permissions" |
37 | 97 | technology:
|
38 | 98 | - python
|
39 | 99 | references:
|
40 |
| - - https://docs.python.org/3/library/os.html#os.chmod |
41 |
| - - https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File |
42 |
| - fix-regex: |
43 |
| - regex: os\.chmod\((.*?),\s*(.*?)\) |
44 |
| - replacement: os.chmod($1, 0o600) |
45 |
| - |
| 100 | + - https://owasp.org/Top10/A01_2021-Broken_Access_Control |
| 101 | + cwe2022-top25: true |
| 102 | + cwe2021-top25: true |
| 103 | + subcategory: |
| 104 | + - vuln |
| 105 | + likelihood: LOW |
| 106 | + impact: MEDIUM |
| 107 | + confidence: MEDIUM |
| 108 | + license: Commons Clause License Condition v1.0[LGPL-2.1-only] |
| 109 | + vulnerability_class: |
| 110 | + - Improper Authorization |
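Review bot: The numeric threshold in the new `insecure-file-permissions` branches (`$BITS >= 0o650 and $BITS < 0o100000`, and `$BITS >= 0o100650`) treats the mode as a magnitude rather than a bitmask, so world-writable literals whose group digit is below 5 slip through: `0o646`, `0o606`, `0o622` and even `0o647` (world rwx) are numerically smaller than `0o650` and are not reported, while the symbolic branch of the same rule does flag `stat.S_IWOTH` and `stat.S_IWGRP`. Adding a sibling `patterns` entry under the `pattern-either` that runs a `metavariable-regex` on the text of `$BITS` closes the gap for octal literals; a bitmask comparison would be cleaner if the comparison engine accepts bitwise operators, which I have not verified. Decimal literals such as `438` would still pass either numeric check, which is worth recording in a comment on the rule so the limitation is known.
```yaml
      - pattern-either:
          # … unchanged: existing numeric, stat.* and $EXPR | $MOD branches …
          - patterns:
              - pattern: os.$METHOD($FILE, $BITS, ...)
              # group (second-to-last digit) or other (last digit) write bit set in an octal literal
              - metavariable-regex:
                  metavariable: $BITS
                  regex: ^0o[0-7]*[2367][0-7]?$
```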