claws-scan 0.7.3

data/lib/claws/base_rule.rb

@@ -0,0 +1,94 @@
+class BaseRule
+  attr_accessor :on_workflow, :on_job, :on_step, :configuration
+
+  def self.parse_rule(rule) # rubocop:disable Metrics/AbcSize
+    ExpressionParser.parse_expression(rule).tap do |expression|
+      expression.instance_eval do
+        def ctx # rubocop:disable Metrics/AbcSize
+          @ctx ||= Context.new(
+            default: {},
+            methods: {
+              contains: ->(haystack, needle) { !haystack.nil? and haystack.include? needle },
+              contains_any: ->(haystack, needles) { !haystack.nil? and needles.any? { |n| haystack.include? n } },
+              startswith: ->(string, needle) { string.to_s.start_with? needle },
+              endswith: ->(string, needle) { string.to_s.end_with? needle },
+              difference: ->(arr1, arr2) { arr1.difference arr2 },
+              intersection: ->(arr1, arr2) { arr1.intersection arr2 },
+              count: ->(n) { n.length }
+            }
+          )
+        end
+
+        def eval_with(values: {})
+          value(
+            ctx: ctx.tap { |c| c.transient_symbols = values }
+          )
+        end
+
+        def inspect
+          to_s
+        end
+
+        def to_s
+          "<Expression '#{input}'>"
+        end
+      end
+    end
+  end
+
+  def self.name(value)
+    define_method(:name) { value }
+  end
+
+  def self.description(value)
+    define_method(:description) { value }
+  end
+
+  def self.on_workflow(value, highlight: nil, debug: false)
+    (@on_workflow ||= []) << extract_value(value, highlight: highlight, debug: debug)
+  end
+
+  def self.on_job(value, highlight: nil, debug: false)
+    highlight = highlight.to_s unless highlight.nil?
+    (@on_job ||= []) << extract_value(value, highlight: highlight, debug: debug)
+  end
+
+  def self.on_step(value, highlight: nil, debug: false)
+    highlight = highlight.to_s unless highlight.nil?
+    (@on_step ||= []) << extract_value(value, highlight: highlight, debug: debug)
+  end
+
+  def self.extract_value(value, highlight: nil, debug: false)
+    case value
+    when String
+      { expression: parse_rule(value), highlight: highlight, debug: debug }
+    when Symbol
+      value
+    else
+      raise "Hook must receive either a String (rule) or Symbol (method name), not: #{value.class}"
+    end
+  end
+
+  def initialize(configuration: nil)
+    @on_workflow = self.class.instance_variable_get(:@on_workflow) || []
+    @on_job = self.class.instance_variable_get(:@on_job) || []
+    @on_step = self.class.instance_variable_get(:@on_step) || []
+    @configuration = configuration
+  end
+
+  def name
+    self.class.to_s.split("::").last
+  end
+
+  def inspect
+    to_s
+  end
+
+  def to_s
+    "<Rule #{name} (#{@on_workflow.length} Workflow Rules; #{@on_job.length} Job Rules; #{@on_step.length} Step Rules)>"
+  end
+
+  def data
+    {}
+  end
+end

data/lib/claws/cli/color.rb

@@ -0,0 +1,30 @@
+class String
+  # colorization
+  def colorize(color_code)
+    "\e[#{color_code}m#{self}\e[0m"
+  end
+
+  def red
+    colorize(31)
+  end
+
+  def green
+    colorize(32)
+  end
+
+  def yellow
+    colorize(33)
+  end
+
+  def blue
+    colorize(34)
+  end
+
+  def pink
+    colorize(35)
+  end
+
+  def light_blue
+    colorize(36)
+  end
+end

data/lib/claws/cli/yaml_with_lines.rb

@@ -0,0 +1,124 @@
+require "psych"
+require "pry"
+
+module Locatable
+  attr_accessor :line
+end
+
+module Psych
+  module Nodes
+    class Node
+      attr_accessor :line
+    end
+  end
+end
+
+module Psych
+  module Visitors
+    class ToRuby
+      def accept(target)
+        s = super(target)
+        if target.respond_to?(:line) and ![TrueClass, FalseClass, NilClass, Integer].include? s.class
+          s.instance_eval do
+            extend(Locatable)
+          end
+
+          s.line = target.line
+        end
+
+        s
+      end
+
+      private
+
+      def register_empty(object)
+        list = register(object, [])
+        object.children.each do |c|
+          c.line = 0 if c.respond_to? :line and c.line.nil?
+          c.line += 1 if c.respond_to? :line
+          list.push accept c
+        end
+        list
+      end
+
+      def revive_hash(hash, o, _tagged: false) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity, Naming/MethodParameterName
+        o.children.each_slice(2) do |k, v|
+          key = accept(k)
+          val = accept(v)
+
+          key.line = 0 if key.respond_to? :line and key.line.nil?
+          key.line += 1 if key.respond_to? :line
+          key.freeze
+          if [TrueClass, FalseClass, NilClass, Integer].include? key.class
+            val.line = 0 if val.respond_to? :line and val.line.nil?
+            val.line += 1 if val.respond_to? :line
+          end
+
+          hash[key] = val
+        end
+
+        hash
+      end
+    end
+  end
+end
+
+class TreeBuilderWithLines < Psych::TreeBuilder
+  attr_accessor :parser
+
+  def scalar(value, anchor, tag, plain, quoted, style) # rubocop:disable Metrics/ParameterLists
+    # github uses "on" in its schema for workflows, which
+    # YAML 1.1 turns into a boolean. YAML 1.2 does not, but
+    # Psych doesn't support that.
+    # https://github.com/ruby/psych/blob/56d545e278/test/psych/test_boolean.rb#L9-L13
+    quoted = true if value.downcase == "on"
+
+    super(value, anchor, tag, plain, quoted, style).tap do |l|
+      l.line = parser.mark.line
+    end
+  end
+
+  def start_document(version, tag_directives, implicit)
+    super(version, tag_directives, implicit).tap do |l|
+      l.line = parser.mark.line
+    end
+  end
+
+  def start_sequence(anchor, tag, implicit, style)
+    super(anchor, tag, implicit, style).tap do |l|
+      l.line = parser.mark.line
+    end
+  end
+
+  def start_stream(encoding)
+    super(encoding).tap do |l|
+      l.line = parser.mark.line
+    end
+  end
+
+  def start_mapping(anchor, tag, implicit, style)
+    super(anchor, tag, implicit, style).tap do |l|
+      l.line = parser.mark.line
+    end
+  end
+end
+
+class YAMLWithLines
+  def self.load(blob)
+    handler = TreeBuilderWithLines.new
+    parser = Psych::Parser.new(handler)
+    handler.parser = parser
+    parser.parse(blob)
+    parser.handler.root.to_ruby.first.tap do |c|
+      c.instance_eval do
+        @lines = blob.split("\n")
+
+        def get_line(line:)
+          raise "Line number must be positive and one-indexed" if line < 1
+
+          @lines[line - 1]
+        end
+      end
+    end
+  end
+end

data/lib/claws/engine.rb

@@ -0,0 +1,25 @@
+require "equation"
+
+class ExpressionParser
+  def self.parse_expression(expression)
+    get_engine.parse(rule: expression)
+  end
+
+  def self.get_engine # rubocop:disable Naming/AccessorMethodName, Metrics/AbcSize
+    EquationEngine.new(
+      default: {
+        # workflow: workflow,
+        # jobs: workflow["jobs"],
+        # data: rules["data"],
+      },
+      methods: {
+        contains: ->(haystack, needle) { !haystack.nil? and haystack.include? needle },
+        contains_any: ->(haystack, needles) { !haystack.nil? and needles.any? { |n| haystack.include? n } },
+        startswith: ->(string, needle) { string.to_s.start_with? needle },
+        endswith: ->(string, needle) { string.to_s.end_with? needle },
+        difference: ->(arr1, arr2) { arr1.difference arr2 },
+        count: ->(n) { n.length }
+      }
+    )
+  end
+end

data/lib/claws/formatter/github.rb

@@ -0,0 +1,17 @@
+module Claws
+  module Formatter
+    class Github
+      def self.report_violations(violations)
+        violations.each do |v|
+          printf(
+            "::%<severity>s file=%<file>s,line=%<line>d::%<message>s\n",
+            severity: :error,
+            file: v.file,
+            line: v.line,
+            message: v.description.gsub("\n", "%0A")
+          )
+        end
+      end
+    end
+  end
+end

data/lib/claws/formatter/stdout.rb

@@ -0,0 +1,13 @@
+module Claws
+  module Formatter
+    class Stdout
+      def self.report_violations(violations)
+        violations.each do |v|
+          puts "Violation: #{v.name} on #{v.file}:#{v.line}".red
+          puts v.description
+          puts v.snippet unless v.snippet.nil?
+        end
+      end
+    end
+  end
+end

data/lib/claws/formatters.rb

@@ -0,0 +1,4 @@
+require "claws"
+require "claws/cli/color"
+require "claws/formatter/stdout"
+require "claws/formatter/github"

data/lib/claws/rule/automatic_merge.rb

@@ -0,0 +1,49 @@
+module Claws
+  module Rule
+    class AutomaticMerge < BaseRule
+      description <<~DESC
+        This workflow automatically merges user-supplied pull requests.
+        Please review the workflow to ensure this is necessary and its logic is sound.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#automaticmerge
+      DESC
+
+      on_step %(
+        contains_any($workflow.meta.triggers, $data.pr_events) && (
+          $step.run =~ "gh\s*pr\s*merge"
+        )
+      ), highlight: "run"
+
+      on_step %(
+        contains_any($workflow.meta.triggers, $data.pr_events) && (
+          $step.meta.action.name in $data.automerge_actions
+        )
+      ), highlight: "uses"
+
+      def data
+        {
+          "automerge_actions":
+            configuration.fetch("automerge_actions", default_automerge_actions),
+          "pr_events":
+            configuration.fetch("pr_events", default_pr_events)
+        }
+      end
+
+      private
+
+      def default_pr_events
+        %w[
+          push pull_request_target pull_request
+          pull_request_comment pull_request_review
+          pull_request_review_comment workflow_dispatch
+          workflow_call
+        ]
+      end
+
+      def default_automerge_actions
+        ["reitermarkus/automerge", "pascalgn/automerge-action"]
+      end
+    end
+  end
+end

data/lib/claws/rule/bulk_permissions.rb

@@ -0,0 +1,20 @@
+module Claws
+  module Rule
+    class BulkPermissions < BaseRule
+      description <<~DESC
+        Permissions should be requested based on access required for a job to complete instead of in bulk.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#bulkpermissions
+      DESC
+
+      on_workflow %(
+        $workflow.permissions in ["write-all", "read-all"]
+      ), highlight: "permissions"
+
+      on_job %(
+        $job.permissions in ["write-all", "read-all"]
+      ), highlight: "permissions"
+    end
+  end
+end

data/lib/claws/rule/command_injection.rb

@@ -0,0 +1,14 @@
+module Claws
+  module Rule
+    class CommandInjection < BaseRule
+      description <<~DESC
+        This step executes commands with user input which may allow an attacker to execute code in the context of this step, exposing source code or credentials. Consider moving user input into an environment variable instead of directly placing it into the shell command.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#commandinjection
+      DESC
+
+      on_step '$step.run =~ ".*{{[ ]+.*(github.event|inputs).*}}.*"', highlight: "run"
+    end
+  end
+end

data/lib/claws/rule/empty_name.rb

@@ -0,0 +1,14 @@
+module Claws
+  module Rule
+    class EmptyName < BaseRule
+      description <<~DESC
+        All workflows must have an easily identifiable name.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#emptyname
+      DESC
+
+      on_workflow "$workflow.name == null"
+    end
+  end
+end

data/lib/claws/rule/inherited_secrets.rb

@@ -0,0 +1,17 @@
+module Claws
+  module Rule
+    class InheritedSecrets < BaseRule
+      description <<~DESC
+        All workflows must explicitly state the secrets necessary for them to function properly.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#inheritedsecrets
+      DESC
+
+      on_job %(
+        contains($workflow.meta.triggers, "workflow_call") &&
+        $job.secrets == "inherit"
+      ), highlight: "secrets"
+    end
+  end
+end

data/lib/claws/rule/no_containers.rb

@@ -0,0 +1,28 @@
+module Claws
+  module Rule
+    class NoContainers < BaseRule
+      description <<~DESC
+        This job uses non-standard container images.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#nocontainers
+      DESC
+
+      on_job %(
+        $job.meta.container != null &&
+        !contains($data.approved_images, $job.meta.container.full)
+      ), highlight: "container.image"
+
+      on_step %(
+        $step.uses =~ "^docker://" &&
+        !contains($data.approved_images, $step.uses)
+      ), highlight: :uses
+
+      def data
+        {
+          'approved_images': configuration.fetch("approved_images", [])
+        }
+      end
+    end
+  end
+end

data/lib/claws/rule/risky_triggers.rb

@@ -0,0 +1,32 @@
+module Claws
+  module Rule
+    class RiskyTriggers < BaseRule
+      description <<~DESC
+        This flags workflows that may be using risky triggers to execute.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#riskytriggers
+      DESC
+
+      on_workflow %(
+        contains($data.triggers, $workflow.meta.triggers) ||
+        contains_any($workflow.meta.triggers, $data.triggers)
+      ), highlight: "on"
+
+      def data
+        {
+          'triggers': risky_triggers
+        }
+      end
+
+      private
+
+      def risky_triggers
+        configuration.fetch(
+          "risky_triggers",
+          %w[pull_request_target workflow_dispatch]
+        )
+      end
+    end
+  end
+end

data/lib/claws/rule/shellcheck.rb

@@ -0,0 +1,109 @@
+require "open3"
+
+module Claws
+  module Rule
+    class Shellcheck < BaseRule
+      description <<~DESC
+        This shell script did not pass Shellcheck.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#shellcheck
+      DESC
+
+      on_step :shellcheck
+
+      def shellcheck(workflow:, job:, step:) # rubocop:disable Lint/UnusedMethodArgument, Metrics/AbcSize
+        unless File.exist? shellcheck_bin
+          warn "Couldn't find shellcheck binary (#{shellcheck_bin}).\n"
+          warn "Make sure it's installed and configure `shellcheck_bin` appropriately."
+          exit 1
+        end
+
+        return if step["run"].nil?
+
+        shell = if step["shell"].nil?
+                  identify_shell(step["run"])
+                else
+                  step["shell"]
+                end
+
+        return if shell.nil?
+
+        exit_status, stdout, = analyze_script(step["run"], shell)
+
+        return unless exit_status == 1
+
+        Violation.new(
+          line: step.keys.filter { |x| x == "run" }.first.line,
+          description: "Shellcheck found some issues with this shell script:\n#{stdout}"
+        )
+      end
+
+      private
+
+      def sanitize_script(script)
+        mapping = {}
+
+        new_script = script.gsub(/\$\{\{\s*(.*?)\s*\}\}/) do
+          inner_content = ::Regexp.last_match(1).strip
+          placeholder_name = "GITHUB_ACTION_PLACEHOLDER_#{inner_content.gsub(/[^a-zA-Z0-9]/, "_").upcase}"
+
+          mapping[placeholder_name] = "${{ #{inner_content} }}"
+          "$#{placeholder_name}"
+        end
+
+        [new_script.to_s, mapping]
+      end
+
+      def unsanitize_script(script, mapping)
+        mapping.each do |k, v|
+          script = script.gsub(k, v)
+        end
+
+        script
+      end
+
+      def analyze_script(script, shell)
+        sanitized_script, variables = *sanitize_script(script)
+
+        Open3.popen3(
+          shellcheck_bin, "-", "-s", shell
+        ) do |stdin, stdout, stderr, wait_thr|
+          stdin.write(sanitized_script)
+          stdin.close
+
+          stdout_buffer = stdout.read
+          stderr_buffer = stderr.read
+
+          stderr.close
+          stdout.close
+
+          return [
+            wait_thr.value.exitstatus,
+            unsanitize_script(stdout_buffer, variables),
+            unsanitize_script(stderr_buffer, variables)
+          ]
+        end
+      end
+
+      def identify_shell(command)
+        return "bash" unless command.lines.first.start_with? "#!"
+
+        supported_shells.select do |shell|
+          command.lines.first.start_with? "#!/bin/#{shell}"
+        end.first
+      end
+
+      def supported_shells
+        %w[bash sh dash ksh]
+      end
+
+      def shellcheck_bin
+        configuration.fetch(
+          "shellcheck_bin",
+          "/opt/homebrew/bin/shellcheck"
+        )
+      end
+    end
+  end
+end

data/lib/claws/rule/special_permissions.rb

@@ -0,0 +1,37 @@
+module Claws
+  module Rule
+    class SpecialPermissions < BaseRule
+      # Unfortunately because `highlight` is a static key, we can't
+      # dynamically highlight the specific, problematic permission.
+      #
+      # This means ignoring SpecialPermissions will ignore any new
+      # special permissions that might be added at a later date.
+      description <<~DESC
+        Confirm whether this job needs these write permissions.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#specialpermissions
+      DESC
+
+      on_workflow %(
+        count(intersection($workflow.meta.permissions.write, $data.sensitive_writes)) > 0
+      ), highlight: "permissions"
+
+      on_job %(
+        count(intersection($job.meta.permissions.write, $data.sensitive_writes)) > 0
+      ), highlight: "permissions"
+
+      def data
+        {
+          sensitive_writes: %w[
+            checks
+            id-token
+            packages
+            security-events
+            statuses
+          ]
+        }
+      end
+    end
+  end
+end

data/lib/claws/rule/unapproved_runners.rb

@@ -0,0 +1,31 @@
+module Claws
+  module Rule
+    class UnapprovedRunners < BaseRule
+      description <<~DESC
+        This workflow is using an unapproved runner.
+
+        For more information:
+        https://github.com/betterment/claws/blob/main/README.md#unapprovedrunners
+      DESC
+
+      on_job %(
+        $job.runs_on != null && !contains($data.allowed_runners, $job.runs_on)
+      ), highlight: "runs_on"
+
+      def data
+        {
+          'allowed_runners': allowed_runners
+        }
+      end
+
+      private
+
+      def allowed_runners
+        configuration.fetch(
+          "allowed_runners",
+          %w[ubuntu-latest]
+        )
+      end
+    end
+  end
+end