claws-scan 0.7.3

data/corpus/automerge_via_cli.yml

@@ -0,0 +1,14 @@
+name: Automerge Non-code Changes
+on:
+  push:
+    paths: ['**.txt']
+
+permissions:
+  contents: read
+
+jobs:
+  merge:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Merge pull request
+        run: gh pr merge ${{ steps.create_pull_request.outputs.pull-request-number }} --squash --auto --delete-branch

data/corpus/build-docker-image-run-drc-for-cell-gds-using-magic.yml

@@ -0,0 +1,170 @@
+# Copyright 2021 SkyWater PDK Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache 2.0
+
+name: Build Docker Image for Run DRC for cell GDS (using Magic) Action
+
+on:
+  workflow_dispatch:
+  push:
+  pull_request_target:
+
+
+permissions:
+  contents: read
+
+
+jobs:
+
+  # FIXME: Remove once GitHub Container Registry is working.
+  # docker.pkg.github.com doesn't support buildx built packages, use
+  # docker/build-push-action instead.
+  build-github-package:
+    name: "Building Docker GitHub Package."
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      packages: write # ${{ github.event_name == "push" || github.event_name == "workflow_dispatch" }}
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+      with:
+        # Always clone the full depth so git-describe works.
+        fetch-depth: 0
+        submodules: true
+
+    - name: Set Action Name
+      run: echo "ACTION_NAME=run-drc-for-cell-gds-using-magic" >> $GITHUB_ENV
+
+    - name: Build container image
+      uses: docker/build-push-action@v1
+      with:
+        registry: docker.pkg.github.com
+        username: ${{ github.repository_owner }}
+        password: ${{ github.token }}
+        repository: ${{ github.repository }}/${{ env.ACTION_NAME }}
+        path: ${{ env.ACTION_NAME }}
+        tag_with_ref: true
+        tag_with_sha: true
+        add_git_labels: true
+        push: ${{ startsWith(github.ref, 'refs/heads/') }}
+
+
+  build-docker-image:
+    name: "Building image."
+
+    runs-on: ubuntu-latest
+
+    # Run a local registry
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+
+    steps:
+
+    - name: Dump context
+      uses: crazy-max/ghaction-dump-context@v1
+
+    - name: Checkout code
+      uses: actions/checkout@v2
+      with:
+        # Always clone the full depth so git-describe works.
+        fetch-depth: 0
+        submodules: true
+
+    - name: Set Action Name
+      run: echo "ACTION_NAME=run-drc-for-cell-gds-using-magic" >> $GITHUB_ENV
+
+    - name: Detect Push To Config
+      id: push_to
+      shell: python
+      env:
+        HAS_GCR_JSON_KEY: ${{ !!(secrets.GCR_JSON_KEY) }}
+      run: |
+        import os
+        gh_event = os.environ['GITHUB_EVENT_NAME']
+
+        i = []
+        print("Adding local service.")
+        i.append("localhost:5000/${{ env.ACTION_NAME }}")
+
+        if "${{ env.HAS_GCR_JSON_KEY }}":
+            print("Adding Google Container Repository (gcr.io)")
+            i.append("gcr.io/skywater-pdk/actions/${{ env.ACTION_NAME }}")
+
+        #print("Adding GitHub Container Repository (ghcr.io)")
+        #i.append("ghcr.io/${{ github.repository }}/${{ env.ACTION_NAME }}")
+
+        l = ",".join(i)
+        print("Final locations:", repr(l))
+        print("::set-output name=images::{}".format(l))
+
+    - name: Docker meta
+      id: docker_meta
+      uses: docker/metadata-action@v3
+      with:
+        images: ${{ steps.push_to.outputs.images }}
+        tags: |
+          type=ref,event=tag
+          type=ref,event=pr
+          type=ref,event=branch
+          type=sha
+          type=sha,format=long
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v1
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+      with:
+        driver-opts: network=host
+
+    - name: Login to Google Container Registry
+      if: ${{ contains(steps.push_to.outputs.images, 'gcr.io') }}
+      uses: docker/login-action@v1
+      with:
+        registry: gcr.io
+        username: _json_key
+        password: ${{ secrets.GCR_JSON_KEY }}
+
+    - name: Login to GitHub Container Registry
+      if: ${{ contains(steps.push_to.outputs.images, 'ghcr.io') }}
+      uses: docker/login-action@v1
+      with:
+        username: ${{ github.repository_owner }}
+        password: ${{ github.token }}
+        registry: ghcr.io
+
+    - name: Build and push
+      uses: docker/build-push-action@v2
+      id: docker_build
+      with:
+        context: ${{ env.ACTION_NAME }}
+        file: ${{ env.ACTION_NAME }}/Dockerfile
+        push: true
+        tags: |
+          ${{ steps.docker_meta.outputs.tags }}
+          localhost:5000/${{ env.ACTION_NAME }}:latest
+        labels: ${{ steps.docker_meta.outputs.labels }}
+
+    - name: Inspect
+      run: docker buildx imagetools inspect localhost:5000/${{ env.ACTION_NAME }}:latest
+
+    - name: Image digest
+      run: echo ${{ steps.docker_build.outputs.digest }}

data/corpus/cmd.yml

@@ -0,0 +1,14 @@
+# INSECURE
+
+on: issue_comment
+name: IssueOps - Demo
+jobs:
+  act-on-issue:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+      - name: Reset demo if a demo or reset issue was opened
+        run: ./scripts/reset-demo.sh "${{ github.event.issue.body }}" "${{ github.event.issue.number }}"
+        env:
+          GITHUB_COM_TOKEN: ${{ secrets.GITHUB_TOKEN }}

data/corpus/container.yml

@@ -0,0 +1,19 @@
+name: CI
+on:
+  push:
+    branches: [ main ]
+jobs:
+  container-test-job:
+    runs-on: ubuntu-latest
+    container:
+      image: node:14.16
+      env:
+        NODE_ENV: development
+      ports:
+        - 80
+      volumes:
+        - my_docker_volume:/volume_mount
+      options: --cpus 1
+    steps:
+      - name: Check for dockerenv file
+        run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)

data/corpus/container_docker.yml

@@ -0,0 +1,9 @@
+name: CI
+on:
+  push:
+    branches: [ main ]
+jobs:
+  use_image:
+    steps:
+      - name: My first step
+        uses: docker://alpine:3.8

data/corpus/dispatch_command_injection.yml

@@ -0,0 +1,17 @@
+name: Dispatch Me
+on:
+  workflow_dispatch:
+    inputs:
+      name:
+        description: 'Who I should say hello to'
+        required: true
+
+jobs:
+  greet:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v1
+      - name: Reset demo if a demo or reset issue was opened
+        run: ./scripts/greet.sh "${{ github.event.inputs.name }}"
+

data/corpus/inherit_secrets.yml

@@ -0,0 +1,20 @@
+on: [workflow_call]
+name: yea
+jobs:
+  rake:
+    runs-on: ubuntu-latest
+    secrets: inherit
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      # ignore: CommandInjection
+      - name: test
+        run: /bin/ls ${{ github.event.test }}
+      - name: Build
+        run: rake
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          YOINK: ${{ secrets.FLAG }}
+

data/corpus/nameless.yml

@@ -0,0 +1,11 @@
+on: [push, pull_request, pull_request_target]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: '3.0' # Not needed with a .ruby-version file
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - run: bundle exec rake

data/corpus/permissions.yml

@@ -0,0 +1,19 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+    - main
+
+permissions:
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - uses: action/checkout@v3
+      - name: push
+        run: rake release

data/corpus/ruby.yml

@@ -0,0 +1,12 @@
+name: My workflow
+on: [push, pull_request, pull_request_target]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: '3.0' # Not needed with a .ruby-version file
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - run: bundle exec rake

data/corpus/shellcheck.yml

@@ -0,0 +1,12 @@
+on: [push, pull_request, pull_request_target]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - uses: ruby/setup-ruby@v1
+    - run: |
+        x=$(ls -lah)
+        if [[ $x == 2 ]]; then
+          echo $x
+        fi

data/corpus/unsafe_checkout_code_execution.yml

@@ -0,0 +1,21 @@
+name: Unsafe Checkout that Leads to RCE
+
+on: [pull_request_target]
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+    # check out the attacker controlled branch with their code
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    # set up the environment and run specs
+    # because Rakefile comes from the attacker's branch
+    # we end up executing their code, even though they don't
+    # control the command here
+    - run: |
+        rake setup
+        rake spec

data/corpus/unsafe_checkout_token_leak.yml

@@ -0,0 +1,33 @@
+name: Unsafe Checkout that can Leak Tokens
+
+on: pull_request_target
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+    # check out the attacker controlled branch
+    - name: Checkout (depth 0)
+      uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    # grab the version number from the VERSION file
+    # however... because we're getting the contents of the file
+    # from the attacker's branch, and because git allows symlinks
+    # the attacker can symlink VERSION to any other file on the system
+    # to leak its contents.
+    - name: Get PR Version
+      id: version_number
+      run: echo "::set-output name=version::$(cat VERSION)"
+
+    # Dump the version number into a Github comment for everyone to see
+    - name: Comment the new version
+      uses: peter-evans/create-or-update-comment@v2
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-author: 'github-actions[bot]'
+        body: |
+          Version was updated to
+          ```${{ steps.version_number.outputs.version }}```
+          bye now...

data/corpus/unscoped_secrets.yml

@@ -0,0 +1,16 @@
+on: [pull_request]
+name: yea
+jobs:
+  rake:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Build
+        run: rake
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+          YOINK: ${{ secrets.API_KEY }}
+

data/github_action.yml

@@ -0,0 +1,36 @@
+name: Workflow Static Analyzer
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Static Analyze
+    steps:
+      - name: Set Up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.0'
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Get PR diff Files
+        uses: technote-space/get-diff-action@v5
+        id: modified_actions
+        with:
+          PATTERNS: .github/workflows/*.y*ml
+      - name: Set Up Claws
+        run: |
+          gem install --source "https://${{ secrets.BETTERMENT_GH_PACKAGES_PAT }}@rubygems.pkg.github.com/betterment" claws --version "0.1.4"
+      - name: Analyze New/Changed Workflows
+        run: |
+          bungler_flags=""
+          for workflow in ${{ env.GIT_DIFF }}
+          do
+            echo "$workflow"
+            bungler_flags="-t $workflow $bungler_flags"
+          done
+          analyze -f github -c .claws-config.yml $bungler_flags

data/lib/claws/application.rb

@@ -0,0 +1,237 @@
+module Claws
+  class Application
+    def initialize
+      @detections = []
+    end
+
+    def load_detection(detection)
+      @detections << detection
+    end
+
+    def analyze(filename, raw_contents)
+      workflow = Workflow.load(raw_contents)
+
+      file_ignores = workflow.ignores
+
+      # enrich violations with snippets
+      # skip violations if specifically ignored
+      get_violations(filename, workflow).reject do |v|
+        v.snippet = workflow.get_snippet(v.line)
+
+        line_above = [1, v.line - 1].max
+        ignores_for_line = file_ignores.fetch(line_above, [])
+        ignores_for_line.include? v.name
+      end
+    end
+
+    def get_violations(filename, workflow)
+      violations = get_workflow_violations(filename, workflow)
+
+      workflow.jobs.each do |_job_name, job|
+        violations += get_job_violations(filename, workflow, job)
+
+        job.fetch("steps", []).each do |step|
+          violations += get_step_violations(filename, workflow, job, step)
+        end
+      end
+
+      violations
+    end
+
+    def get_workflow_violations(filename, workflow)
+      violations = []
+      @detections.each do |detection|
+        detection.on_workflow.each do |rule|
+          violation = run_detection(
+            filename: filename,
+            detection: detection,
+            rule: rule,
+            workflow: workflow
+          )
+
+          violations << violation if violation
+
+          next if rule.is_a? Symbol or !rule[:debug]
+
+          enter_debug(
+            result: !violation.nil?,
+            expression: rule[:expression],
+            values: {
+              data: detection.data,
+              workflow: workflow
+            }
+          )
+        end
+      end
+
+      violations
+    end
+
+    def get_job_violations(filename, workflow, job)
+      violations = []
+      @detections.each do |detection|
+        detection.on_job.each do |rule|
+          violation = run_detection(
+            filename: filename,
+            detection: detection,
+            rule: rule,
+            workflow: workflow,
+            job: job
+          )
+
+          violations << violation if violation
+
+          next if rule.is_a? Symbol or !rule[:debug]
+
+          enter_debug(
+            result: !violation.nil?,
+            expression: rule[:expression],
+            values: {
+              data: detection.data,
+              workflow: workflow,
+              job: job
+            }
+          )
+        end
+      end
+
+      violations
+    end
+
+    def get_step_violations(filename, workflow, job, step)
+      violations = []
+
+      @detections.each do |detection|
+        detection.on_step.each do |rule|
+          violation = run_detection(
+            filename: filename,
+            detection: detection,
+            rule: rule,
+            workflow: workflow,
+            job: job,
+            step: step
+          )
+
+          violations << violation if violation
+
+          next if rule.is_a? Symbol or !rule[:debug]
+
+          enter_debug(
+            result: !violation.nil?,
+            expression: rule[:expression],
+            values: {
+              data: detection.data,
+              workflow: workflow,
+              job: job,
+              step: step
+            }
+          )
+        end
+      end
+
+      violations
+    end
+
+    private
+
+    def run_detection(filename:, detection:, rule:, workflow:, job: nil, step: nil) # rubocop:disable Metrics/ParameterLists
+      violation = if rule.is_a? Symbol
+                    get_dynamic_violation(
+                      detection: detection,
+                      method: rule,
+                      workflow: workflow,
+                      job: job,
+                      step: step
+                    )
+                  else
+                    get_static_violations(
+                      detection: detection,
+                      rule: rule,
+                      workflow: workflow,
+                      job: job,
+                      step: step
+                    )
+                  end
+
+      if violation
+        violation.file = filename
+        violation.name = detection.name
+      end
+
+      violation
+    end
+
+    def get_dynamic_violation(detection:, method:, workflow:, job:, step:)
+      detection.send(
+        method,
+        workflow: workflow,
+        job: job,
+        step: step
+      )
+    end
+
+    def get_static_violations(rule:, detection:, workflow:, job:, step:)
+      result = rule[:expression].eval_with(values: {
+                                             data: detection.data,
+                                             workflow: workflow,
+                                             job: job,
+                                             step: step
+                                           })
+
+      return unless result
+
+      default_target = [step, job, workflow].find(&:itself)
+      line_number = default_target.line
+      line_number = get_nearest_key(default_target, rule[:highlight]).line if rule[:highlight]
+
+      Violation.new(
+        line: line_number,
+        description: detection.description
+      )
+    end
+
+    def enter_debug(result:, expression:, values:) # rubocop:disable Metrics/AbcSize
+      @debug_values = values
+
+      require "pry"
+      puts "!!! CLAWS DEBUG !!!".red
+      puts "#{expression} returned #{result}".red
+      puts "Tips:"
+      puts "* values available in @debug_values".green
+      puts "* eval a test expression: e 'expression'".green
+      puts "  * e '1 == 2'".green
+      puts "  * e '$data'".green
+      puts "  * e '$job.meta'".green
+      puts "  * e '$job.meta.action.name in $data.automerge_actions'".green
+      puts "* ^D to exit".green
+
+      # no stack trace needed since there's no error
+      binding.pry quiet: true # rubocop:disable Lint/Debugger
+    end
+
+    def e(expression)
+      expr = BaseRule.parse_rule(expression)
+      puts expr.eval_with(
+        values: @debug_values
+      ).inspect
+    end
+
+    def get_nearest_key(blob, path) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+      cursor = blob
+      found_key = nil
+      path.split(".").each do |key|
+        return found_key unless cursor.is_a? Hash or cursor.is_a? Workflow
+
+        if cursor.include? key.to_s
+          found_key = cursor.keys.filter { |k| k.to_s == key.to_s }.first
+          cursor = cursor[key.to_s]
+        elsif cursor.include? key.to_sym
+          found_key = cursor.keys.filter { |k| k.to_sym == key.to_sym }.first
+          cursor = cursor[key.to_sym]
+        end
+      end
+
+      found_key
+    end
+  end
+end