2021-06-04 02:30:37 +03:00
|
|
|
// Copyright 2021 Security Scorecard Authors
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package checks
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2021-06-04 03:12:56 +03:00
|
|
|
"strings"
|
2021-06-04 02:30:37 +03:00
|
|
|
|
2021-11-08 21:57:03 +03:00
|
|
|
"github.com/rhysd/actionlint"
|
2021-06-04 02:30:37 +03:00
|
|
|
|
2022-01-12 22:49:01 +03:00
|
|
|
"github.com/ossf/scorecard/v4/checker"
|
|
|
|
"github.com/ossf/scorecard/v4/checks/fileparser"
|
|
|
|
sce "github.com/ossf/scorecard/v4/errors"
|
2022-06-29 20:10:15 +03:00
|
|
|
"github.com/ossf/scorecard/v4/remediation"
|
2021-06-04 02:30:37 +03:00
|
|
|
)
|
|
|
|
|
2021-08-01 01:31:34 +03:00
|
|
|
// CheckTokenPermissions is the exported name for Token-Permissions check.
|
2021-12-08 04:18:28 +03:00
|
|
|
const (
|
|
|
|
CheckTokenPermissions = "Token-Permissions"
|
2022-01-11 01:22:39 +03:00
|
|
|
jobLevelPermission = "job level"
|
2021-12-08 04:18:28 +03:00
|
|
|
topLevelPermission = "top level"
|
|
|
|
)
|
2021-06-04 02:30:37 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
type permission string
|
|
|
|
|
|
|
|
const (
|
|
|
|
permissionAll = permission("all")
|
|
|
|
permissionStatuses = permission("statuses")
|
|
|
|
permissionChecks = permission("checks")
|
|
|
|
permissionSecurityEvents = permission("security-events")
|
|
|
|
permissionDeployments = permission("deployments")
|
|
|
|
permissionContents = permission("contents")
|
|
|
|
permissionPackages = permission("packages")
|
|
|
|
permissionActions = permission("actions")
|
|
|
|
)
|
|
|
|
|
|
|
|
var permissionsOfInterest = []permission{
|
|
|
|
permissionStatuses, permissionChecks,
|
|
|
|
permissionSecurityEvents, permissionDeployments,
|
|
|
|
permissionContents, permissionPackages, permissionActions,
|
|
|
|
}
|
|
|
|
|
2021-06-04 02:30:37 +03:00
|
|
|
//nolint:gochecknoinits
|
|
|
|
func init() {
|
2022-02-08 03:49:49 +03:00
|
|
|
supportedRequestTypes := []checker.RequestType{
|
|
|
|
checker.FileBased,
|
2022-02-08 06:03:36 +03:00
|
|
|
checker.CommitBased,
|
2022-02-08 03:49:49 +03:00
|
|
|
}
|
|
|
|
if err := registerCheck(CheckTokenPermissions, TokenPermissions, supportedRequestTypes); err != nil {
|
2022-01-13 01:14:18 +03:00
|
|
|
// This should never happen.
|
|
|
|
panic(err)
|
|
|
|
}
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
|
|
|
|
2021-07-30 03:13:01 +03:00
|
|
|
// Holds stateful data to pass thru callbacks.
|
|
|
|
// Each field correpsonds to a GitHub permission type, and
|
|
|
|
// will hold true if declared non-write, false otherwise.
|
2021-12-17 02:16:02 +03:00
|
|
|
type permissions struct {
|
|
|
|
topLevelWritePermissions map[permission]bool
|
2022-01-11 01:22:39 +03:00
|
|
|
jobLevelWritePermissions map[permission]bool
|
2021-12-17 02:16:02 +03:00
|
|
|
}
|
|
|
|
|
2021-07-30 03:13:01 +03:00
|
|
|
type permissionCbData struct {
|
2021-12-17 02:16:02 +03:00
|
|
|
// map of filename to write permissions used.
|
|
|
|
workflows map[string]permissions
|
2021-07-30 03:13:01 +03:00
|
|
|
}
|
|
|
|
|
2021-08-01 01:31:34 +03:00
|
|
|
// TokenPermissions runs Token-Permissions check.
|
2021-07-30 03:13:01 +03:00
|
|
|
func TokenPermissions(c *checker.CheckRequest) checker.CheckResult {
|
2021-08-03 03:56:45 +03:00
|
|
|
// data is shared across all GitHub workflows.
|
|
|
|
data := permissionCbData{
|
2021-12-17 02:16:02 +03:00
|
|
|
workflows: make(map[string]permissions),
|
2021-08-03 03:56:45 +03:00
|
|
|
}
|
2022-05-06 22:52:30 +03:00
|
|
|
|
2022-06-29 20:10:15 +03:00
|
|
|
if err := remediation.Setup(c); err != nil {
|
2022-05-06 22:52:30 +03:00
|
|
|
createResultForLeastPrivilegeTokens(data, err)
|
|
|
|
}
|
|
|
|
|
2022-02-23 02:40:34 +03:00
|
|
|
err := fileparser.OnMatchingFileContentDo(c.RepoClient, fileparser.PathMatcher{
|
|
|
|
Pattern: ".github/workflows/*",
|
|
|
|
CaseSensitive: false,
|
|
|
|
}, validateGitHubActionTokenPermissions, c.Dlogger, &data)
|
2021-07-30 03:13:01 +03:00
|
|
|
return createResultForLeastPrivilegeTokens(data, err)
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
|
|
|
|
2022-02-23 02:40:34 +03:00
|
|
|
// Check file content.
|
|
|
|
var validateGitHubActionTokenPermissions fileparser.DoWhileTrueOnFileContent = func(path string,
|
|
|
|
content []byte,
|
2022-03-23 05:23:39 +03:00
|
|
|
args ...interface{},
|
|
|
|
) (bool, error) {
|
2022-02-23 02:40:34 +03:00
|
|
|
if !fileparser.IsWorkflowFile(path) {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
// Verify the type of the data.
|
|
|
|
if len(args) != 2 {
|
|
|
|
return false, fmt.Errorf(
|
|
|
|
"validateGitHubActionTokenPermissions requires exactly 2 arguments: %w", errInvalidArgLength)
|
|
|
|
}
|
|
|
|
pdata, ok := args[1].(*permissionCbData)
|
|
|
|
if !ok {
|
|
|
|
return false, fmt.Errorf(
|
|
|
|
"validateGitHubActionTokenPermissions requires arg[0] of type *permissionCbData: %w", errInvalidArgType)
|
|
|
|
}
|
|
|
|
dl, ok := args[0].(checker.DetailLogger)
|
|
|
|
if !ok {
|
|
|
|
return false, fmt.Errorf(
|
|
|
|
"validateGitHubActionTokenPermissions requires arg[1] of type checker.DetailLogger: %w", errInvalidArgType)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !fileparser.CheckFileContainsCommands(content, "#") {
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
workflow, errs := actionlint.Parse(content)
|
|
|
|
if len(errs) > 0 && workflow == nil {
|
|
|
|
return false, fileparser.FormatActionlintError(errs)
|
|
|
|
}
|
|
|
|
|
|
|
|
// 1. Top-level permission definitions.
|
|
|
|
//nolint
|
|
|
|
// https://docs.github.com/en/actions/reference/authentication-in-a-workflow#example-1-passing-the-github_token-as-an-input,
|
|
|
|
// https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/,
|
|
|
|
// https://docs.github.com/en/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token.
|
|
|
|
if err := validateTopLevelPermissions(workflow, path, dl, pdata); err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// 2. Run-level permission definitions,
|
|
|
|
// see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions.
|
|
|
|
ignoredPermissions := createIgnoredPermissions(workflow, path, dl)
|
|
|
|
if err := validatejobLevelPermissions(workflow, path, dl, pdata, ignoredPermissions); err != nil {
|
|
|
|
return false, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// TODO(laurent): 2. Identify github actions that require write and add checks.
|
|
|
|
|
|
|
|
// TODO(laurent): 3. Read a few runs and ensures they have the same permissions.
|
|
|
|
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func validatePermission(permissionKey permission, permissionValue *actionlint.PermissionScope,
|
|
|
|
permLevel, path string, dl checker.DetailLogger, pPermissions map[permission]bool,
|
2022-03-23 05:23:39 +03:00
|
|
|
ignoredPermissions map[permission]bool,
|
|
|
|
) error {
|
2021-11-08 21:57:03 +03:00
|
|
|
if permissionValue.Value == nil {
|
2021-09-10 18:50:33 +03:00
|
|
|
return sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
2021-11-08 21:57:03 +03:00
|
|
|
val := permissionValue.Value.Value
|
2021-12-14 07:14:35 +03:00
|
|
|
lineNumber := fileparser.GetLineNumber(permissionValue.Value.Pos)
|
2021-06-04 03:12:56 +03:00
|
|
|
if strings.EqualFold(val, "write") {
|
2021-11-08 21:57:03 +03:00
|
|
|
if isPermissionOfInterest(permissionKey, ignoredPermissions) {
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Warn(&checker.LogMessage{
|
2022-05-06 22:52:30 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: lineNumber,
|
|
|
|
Text: fmt.Sprintf("%s '%v' permission set to '%v'", permLevel, permissionKey, val),
|
|
|
|
Snippet: val,
|
2022-06-29 20:10:15 +03:00
|
|
|
Remediation: remediation.CreateWorkflowPermissionRemediation(path),
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-12-17 02:16:02 +03:00
|
|
|
recordPermissionWrite(pPermissions, permissionKey)
|
2021-07-30 03:13:01 +03:00
|
|
|
} else {
|
|
|
|
// Only log for debugging, otherwise
|
|
|
|
// it may confuse users.
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Debug(&checker.LogMessage{
|
2022-05-06 22:52:30 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: lineNumber,
|
|
|
|
Text: fmt.Sprintf("%s '%v' permission set to '%v'", permLevel, permissionKey, val),
|
|
|
|
Snippet: val,
|
2022-06-29 20:10:15 +03:00
|
|
|
Remediation: remediation.CreateWorkflowPermissionRemediation(path),
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-07-30 03:13:01 +03:00
|
|
|
}
|
|
|
|
return nil
|
2021-06-04 03:12:56 +03:00
|
|
|
}
|
|
|
|
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Info(&checker.LogMessage{
|
2022-02-15 21:26:06 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: lineNumber,
|
|
|
|
Text: fmt.Sprintf("%s '%v' permission set to '%v'", permLevel, permissionKey, val),
|
2021-08-24 03:54:22 +03:00
|
|
|
// TODO: set Snippet.
|
|
|
|
})
|
2021-07-30 03:13:01 +03:00
|
|
|
return nil
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
|
|
|
|
2021-12-08 04:18:28 +03:00
|
|
|
func validateMapPermissions(scopes map[string]*actionlint.PermissionScope, permLevel, path string,
|
2021-12-17 02:16:02 +03:00
|
|
|
dl checker.DetailLogger, pPermissions map[permission]bool,
|
2022-03-23 05:23:39 +03:00
|
|
|
ignoredPermissions map[permission]bool,
|
|
|
|
) error {
|
2021-11-08 21:57:03 +03:00
|
|
|
for key, v := range scopes {
|
2021-12-17 02:16:02 +03:00
|
|
|
if err := validatePermission(permission(key), v, permLevel, path, dl, pPermissions, ignoredPermissions); err != nil {
|
2021-07-30 03:13:01 +03:00
|
|
|
return err
|
2021-06-04 03:12:56 +03:00
|
|
|
}
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func recordPermissionWrite(pPermissions map[permission]bool, perm permission) {
|
|
|
|
pPermissions[perm] = true
|
|
|
|
}
|
|
|
|
|
|
|
|
func getWritePermissionsMap(p *permissionCbData, path, permLevel string) map[permission]bool {
|
|
|
|
if _, exists := p.workflows[path]; !exists {
|
|
|
|
p.workflows[path] = permissions{
|
|
|
|
topLevelWritePermissions: make(map[permission]bool),
|
2022-01-11 01:22:39 +03:00
|
|
|
jobLevelWritePermissions: make(map[permission]bool),
|
2021-12-17 02:16:02 +03:00
|
|
|
}
|
|
|
|
}
|
2022-01-11 01:22:39 +03:00
|
|
|
if permLevel == jobLevelPermission {
|
|
|
|
return p.workflows[path].jobLevelWritePermissions
|
2021-12-17 02:16:02 +03:00
|
|
|
}
|
|
|
|
return p.workflows[path].topLevelWritePermissions
|
2021-07-30 03:13:01 +03:00
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func recordAllPermissionsWrite(p *permissionCbData, permLevel, path string) {
|
2021-07-30 03:13:01 +03:00
|
|
|
// Special case: `all` does not correspond
|
|
|
|
// to a GitHub permission.
|
2021-12-17 02:16:02 +03:00
|
|
|
m := getWritePermissionsMap(p, path, permLevel)
|
|
|
|
m[permissionAll] = true
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
|
|
|
|
2021-12-08 04:18:28 +03:00
|
|
|
func validatePermissions(permissions *actionlint.Permissions, permLevel, path string,
|
2021-12-17 02:16:02 +03:00
|
|
|
dl checker.DetailLogger, pdata *permissionCbData,
|
2022-03-23 05:23:39 +03:00
|
|
|
ignoredPermissions map[permission]bool,
|
|
|
|
) error {
|
2021-11-08 21:57:03 +03:00
|
|
|
allIsSet := permissions != nil && permissions.All != nil && permissions.All.Value != ""
|
|
|
|
scopeIsSet := permissions != nil && len(permissions.Scopes) > 0
|
|
|
|
if permissions == nil || (!allIsSet && !scopeIsSet) {
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Info(&checker.LogMessage{
|
2022-02-15 21:26:06 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: checker.OffsetDefault,
|
|
|
|
Text: fmt.Sprintf("%s permissions set to 'none'", permLevel),
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-11-08 21:57:03 +03:00
|
|
|
}
|
|
|
|
if allIsSet {
|
|
|
|
val := permissions.All.Value
|
2021-12-14 07:14:35 +03:00
|
|
|
lineNumber := fileparser.GetLineNumber(permissions.All.Pos)
|
2021-06-07 21:01:18 +03:00
|
|
|
if !strings.EqualFold(val, "read-all") && val != "" {
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Warn(&checker.LogMessage{
|
2022-05-06 22:52:30 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: lineNumber,
|
|
|
|
Text: fmt.Sprintf("%s permissions set to '%v'", permLevel, val),
|
|
|
|
Snippet: val,
|
2022-06-29 20:10:15 +03:00
|
|
|
Remediation: remediation.CreateWorkflowPermissionRemediation(path),
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-12-17 02:16:02 +03:00
|
|
|
recordAllPermissionsWrite(pdata, permLevel, path)
|
2021-07-30 03:13:01 +03:00
|
|
|
return nil
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
2021-08-24 03:54:22 +03:00
|
|
|
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Info(&checker.LogMessage{
|
2022-05-06 22:52:30 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: lineNumber,
|
|
|
|
Text: fmt.Sprintf("%s permissions set to '%v'", permLevel, val),
|
|
|
|
Snippet: val,
|
2022-06-29 20:10:15 +03:00
|
|
|
Remediation: remediation.CreateWorkflowPermissionRemediation(path),
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-12-17 02:16:02 +03:00
|
|
|
} else /* scopeIsSet == true */ if err := validateMapPermissions(permissions.Scopes,
|
|
|
|
permLevel, path, dl, getWritePermissionsMap(pdata, path, permLevel), ignoredPermissions); err != nil {
|
2021-11-08 21:57:03 +03:00
|
|
|
return err
|
2021-08-03 03:56:45 +03:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-11-08 21:57:03 +03:00
|
|
|
func validateTopLevelPermissions(workflow *actionlint.Workflow, path string,
|
2022-03-23 05:23:39 +03:00
|
|
|
dl checker.DetailLogger, pdata *permissionCbData,
|
|
|
|
) error {
|
2021-08-03 03:56:45 +03:00
|
|
|
// Check if permissions are set explicitly.
|
2021-11-08 21:57:03 +03:00
|
|
|
if workflow.Permissions == nil {
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Warn(&checker.LogMessage{
|
2022-05-06 22:52:30 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: checker.OffsetDefault,
|
|
|
|
Text: fmt.Sprintf("no %s permission defined", topLevelPermission),
|
2022-06-29 20:10:15 +03:00
|
|
|
Remediation: remediation.CreateWorkflowPermissionRemediation(path),
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-12-17 02:16:02 +03:00
|
|
|
recordAllPermissionsWrite(pdata, topLevelPermission, path)
|
2021-08-03 03:56:45 +03:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-12-08 04:18:28 +03:00
|
|
|
return validatePermissions(workflow.Permissions, topLevelPermission, path, dl,
|
2021-12-17 02:16:02 +03:00
|
|
|
pdata, map[permission]bool{})
|
2021-08-03 03:56:45 +03:00
|
|
|
}
|
|
|
|
|
2022-01-11 01:22:39 +03:00
|
|
|
func validatejobLevelPermissions(workflow *actionlint.Workflow, path string,
|
2021-08-03 03:56:45 +03:00
|
|
|
dl checker.DetailLogger, pdata *permissionCbData,
|
2022-03-23 05:23:39 +03:00
|
|
|
ignoredPermissions map[permission]bool,
|
|
|
|
) error {
|
2021-11-08 21:57:03 +03:00
|
|
|
for _, job := range workflow.Jobs {
|
2021-08-03 03:56:45 +03:00
|
|
|
// Run-level permissions may be left undefined.
|
|
|
|
// For most workflows, no write permissions are needed,
|
|
|
|
// so only top-level read-only permissions need to be declared.
|
2021-11-08 21:57:03 +03:00
|
|
|
if job.Permissions == nil {
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Debug(&checker.LogMessage{
|
2022-05-06 22:52:30 +03:00
|
|
|
Path: path,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: fileparser.GetLineNumber(job.Pos),
|
|
|
|
Text: fmt.Sprintf("no %s permission defined", jobLevelPermission),
|
2022-06-29 20:10:15 +03:00
|
|
|
Remediation: remediation.CreateWorkflowPermissionRemediation(path),
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2022-01-11 01:22:39 +03:00
|
|
|
recordAllPermissionsWrite(pdata, jobLevelPermission, path)
|
2021-08-03 03:56:45 +03:00
|
|
|
continue
|
|
|
|
}
|
2022-01-11 01:22:39 +03:00
|
|
|
err := validatePermissions(job.Permissions, jobLevelPermission,
|
2021-12-17 02:16:02 +03:00
|
|
|
path, dl, pdata, ignoredPermissions)
|
2021-08-03 03:56:45 +03:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func isPermissionOfInterest(name permission, ignoredPermissions map[permission]bool) bool {
|
|
|
|
for _, p := range permissionsOfInterest {
|
2021-08-03 03:56:45 +03:00
|
|
|
_, present := ignoredPermissions[p]
|
2021-12-17 02:16:02 +03:00
|
|
|
if strings.EqualFold(string(name), string(p)) && !present {
|
2021-08-03 03:56:45 +03:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func permissionIsPresent(perms permissions, name permission) bool {
|
|
|
|
return permissionIsPresentInTopLevel(perms, name) ||
|
|
|
|
permissionIsPresentInRunLevel(perms, name)
|
2021-12-08 04:18:28 +03:00
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func permissionIsPresentInTopLevel(perms permissions, name permission) bool {
|
|
|
|
_, ok := perms.topLevelWritePermissions[name]
|
2021-12-08 04:18:28 +03:00
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func permissionIsPresentInRunLevel(perms permissions, name permission) bool {
|
2022-01-11 01:22:39 +03:00
|
|
|
_, ok := perms.jobLevelWritePermissions[name]
|
2021-12-08 04:18:28 +03:00
|
|
|
return ok
|
2021-07-30 03:13:01 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// Calculate the score.
|
|
|
|
func calculateScore(result permissionCbData) int {
|
|
|
|
// See list https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/.
|
|
|
|
// Note: there are legitimate reasons to use some of the permissions like checks, deployments, etc.
|
|
|
|
// in CI/CD systems https://docs.travis-ci.com/user/github-oauth-scopes/.
|
2021-08-03 03:56:45 +03:00
|
|
|
|
|
|
|
// Start with a perfect score.
|
2021-07-30 03:13:01 +03:00
|
|
|
score := float32(checker.MaxResultScore)
|
2021-08-03 03:56:45 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
// Retrieve the overall results.
|
|
|
|
for _, perms := range result.workflows {
|
|
|
|
// If no top level permissions are defined, all the permissions
|
|
|
|
// are enabled by default, hence permissionAll. In this case,
|
|
|
|
if permissionIsPresentInTopLevel(perms, permissionAll) {
|
|
|
|
if permissionIsPresentInRunLevel(perms, permissionAll) {
|
|
|
|
// ... give lowest score if no run level permissions are defined either.
|
|
|
|
return checker.MinResultScore
|
|
|
|
}
|
|
|
|
// ... reduce score if run level permissions are defined.
|
|
|
|
score -= 0.5
|
2021-12-08 04:18:28 +03:00
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
// status: https://docs.github.com/en/rest/reference/repos#statuses.
|
|
|
|
// May allow an attacker to change the result of pre-submit and get a PR merged.
|
|
|
|
// Low risk: -0.5.
|
|
|
|
if permissionIsPresent(perms, permissionStatuses) {
|
|
|
|
score -= 0.5
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
// checks.
|
|
|
|
// May allow an attacker to edit checks to remove pre-submit and introduce a bug.
|
|
|
|
// Low risk: -0.5.
|
|
|
|
if permissionIsPresent(perms, permissionChecks) {
|
|
|
|
score -= 0.5
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
// secEvents.
|
|
|
|
// May allow attacker to read vuln reports before patch available.
|
|
|
|
// Low risk: -1
|
|
|
|
if permissionIsPresent(perms, permissionSecurityEvents) {
|
|
|
|
score--
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
// deployments: https://docs.github.com/en/rest/reference/repos#deployments.
|
|
|
|
// May allow attacker to charge repo owner by triggering VM runs,
|
|
|
|
// and tiny chance an attacker can trigger a remote
|
|
|
|
// service with code they own if server accepts code/location var unsanitized.
|
|
|
|
// Low risk: -1
|
|
|
|
if permissionIsPresent(perms, permissionDeployments) {
|
|
|
|
score--
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
// contents.
|
|
|
|
// Allows attacker to commit unreviewed code.
|
|
|
|
// High risk: -10
|
|
|
|
if permissionIsPresent(perms, permissionContents) {
|
|
|
|
score -= checker.MaxResultScore
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
// packages: https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages.
|
|
|
|
// Allows attacker to publish packages.
|
|
|
|
// High risk: -10
|
|
|
|
if permissionIsPresent(perms, permissionPackages) {
|
|
|
|
score -= checker.MaxResultScore
|
|
|
|
}
|
|
|
|
|
|
|
|
// actions.
|
2022-02-26 01:47:11 +03:00
|
|
|
// May allow an attacker to steal GitHub secrets by approving to run an action that needs approval.
|
2021-12-17 02:16:02 +03:00
|
|
|
// High risk: -10
|
|
|
|
if permissionIsPresent(perms, permissionActions) {
|
|
|
|
score -= checker.MaxResultScore
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
if score < checker.MinResultScore {
|
|
|
|
break
|
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
}
|
|
|
|
|
2021-08-03 03:56:45 +03:00
|
|
|
// We're done, calculate the final score.
|
2021-07-30 03:13:01 +03:00
|
|
|
if score < checker.MinResultScore {
|
|
|
|
return checker.MinResultScore
|
|
|
|
}
|
|
|
|
|
|
|
|
return int(score)
|
2021-06-04 02:30:37 +03:00
|
|
|
}
|
|
|
|
|
2021-07-21 19:21:43 +03:00
|
|
|
// Create the result.
|
2021-07-30 03:13:01 +03:00
|
|
|
func createResultForLeastPrivilegeTokens(result permissionCbData, err error) checker.CheckResult {
|
2021-07-21 19:21:43 +03:00
|
|
|
if err != nil {
|
2021-07-30 03:13:01 +03:00
|
|
|
return checker.CreateRuntimeErrorResult(CheckTokenPermissions, err)
|
2021-07-21 19:21:43 +03:00
|
|
|
}
|
2021-07-30 03:13:01 +03:00
|
|
|
|
|
|
|
score := calculateScore(result)
|
|
|
|
|
|
|
|
if score != checker.MaxResultScore {
|
|
|
|
return checker.CreateResultWithScore(CheckTokenPermissions,
|
|
|
|
"non read-only tokens detected in GitHub workflows", score)
|
2021-07-21 19:21:43 +03:00
|
|
|
}
|
|
|
|
|
2021-07-30 03:13:01 +03:00
|
|
|
return checker.CreateMaxScoreResult(CheckTokenPermissions,
|
2021-07-21 19:21:43 +03:00
|
|
|
"tokens are read-only in GitHub workflows")
|
|
|
|
}
|
|
|
|
|
2021-12-17 02:16:02 +03:00
|
|
|
func createIgnoredPermissions(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) map[permission]bool {
|
|
|
|
ignoredPermissions := make(map[permission]bool)
|
2021-12-14 07:14:35 +03:00
|
|
|
if requiresPackagesPermissions(workflow, fp, dl) {
|
2021-12-17 02:16:02 +03:00
|
|
|
ignoredPermissions[permissionPackages] = true
|
2021-08-03 03:56:45 +03:00
|
|
|
}
|
2021-12-14 07:14:35 +03:00
|
|
|
if requiresContentsPermissions(workflow, fp, dl) {
|
2021-12-17 02:16:02 +03:00
|
|
|
ignoredPermissions[permissionContents] = true
|
2021-11-16 06:03:54 +03:00
|
|
|
}
|
2021-12-14 07:14:35 +03:00
|
|
|
if isSARIFUploadWorkflow(workflow, fp, dl) {
|
2021-12-17 02:16:02 +03:00
|
|
|
ignoredPermissions[permissionSecurityEvents] = true
|
2021-08-03 03:56:45 +03:00
|
|
|
}
|
2021-08-05 20:10:34 +03:00
|
|
|
|
2021-08-03 03:56:45 +03:00
|
|
|
return ignoredPermissions
|
|
|
|
}
|
|
|
|
|
2021-08-05 20:10:34 +03:00
|
|
|
// Scanning tool run externally and SARIF file uploaded.
|
2021-12-14 07:14:35 +03:00
|
|
|
func isSARIFUploadWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
2021-08-05 20:10:34 +03:00
|
|
|
//nolint
|
|
|
|
// CodeQl analysis workflow automatically sends sarif file to GitHub.
|
|
|
|
// https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning/uploading-a-sarif-file-to-github#about-sarif-file-uploads-for-code-scanning.
|
|
|
|
// `The CodeQL action uploads the SARIF file automatically when it completes analysis`.
|
2021-12-14 07:14:35 +03:00
|
|
|
if isCodeQlAnalysisWorkflow(workflow, fp, dl) {
|
2021-08-05 20:10:34 +03:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
//nolint
|
|
|
|
// Third-party scanning tools use the SARIF-upload action from code-ql.
|
|
|
|
// https://docs.github.com/en/code-security/secure-coding/integrating-with-code-scanning/uploading-a-sarif-file-to-github#uploading-a-code-scanning-analysis-with-github-actions
|
|
|
|
// We only support CodeQl today.
|
2021-12-14 07:14:35 +03:00
|
|
|
if isSARIFUploadAction(workflow, fp, dl) {
|
2021-08-05 20:10:34 +03:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// TODO: some third party tools may upload directly thru their actions.
|
|
|
|
// Very unlikely.
|
|
|
|
// See https://github.com/marketplace for tools.
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// CodeQl run externally and SARIF file uploaded.
|
2021-12-14 07:14:35 +03:00
|
|
|
func isSARIFUploadAction(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
|
|
|
for _, job := range workflow.Jobs {
|
|
|
|
for _, step := range job.Steps {
|
|
|
|
uses := fileparser.GetUses(step)
|
|
|
|
if uses == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if strings.HasPrefix(uses.Value, "github/codeql-action/upload-sarif@") {
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Debug(&checker.LogMessage{
|
2022-02-15 21:26:06 +03:00
|
|
|
Path: fp,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: fileparser.GetLineNumber(uses.Pos),
|
|
|
|
Text: "codeql SARIF upload workflow detected",
|
2021-12-14 07:14:35 +03:00
|
|
|
// TODO: set Snippet.
|
|
|
|
})
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
2021-08-05 20:10:34 +03:00
|
|
|
}
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Debug(&checker.LogMessage{
|
2022-02-15 21:26:06 +03:00
|
|
|
Path: fp,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: checker.OffsetDefault,
|
|
|
|
Text: "not a codeql upload SARIF workflow",
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-08-05 20:10:34 +03:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
//nolint
|
|
|
|
// CodeQl run within GitHub worklow automatically bubbled up to
|
|
|
|
// security events, see
|
|
|
|
// https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning.
|
2021-12-14 07:14:35 +03:00
|
|
|
func isCodeQlAnalysisWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
|
|
|
for _, job := range workflow.Jobs {
|
|
|
|
for _, step := range job.Steps {
|
|
|
|
uses := fileparser.GetUses(step)
|
|
|
|
if uses == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if strings.HasPrefix(uses.Value, "github/codeql-action/analyze@") {
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Debug(&checker.LogMessage{
|
2022-02-15 21:26:06 +03:00
|
|
|
Path: fp,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: fileparser.GetLineNumber(uses.Pos),
|
|
|
|
Text: "codeql workflow detected",
|
2021-12-14 07:14:35 +03:00
|
|
|
// TODO: set Snippet.
|
|
|
|
})
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
2021-08-03 03:56:45 +03:00
|
|
|
}
|
2022-02-12 02:48:58 +03:00
|
|
|
dl.Debug(&checker.LogMessage{
|
2022-02-15 21:26:06 +03:00
|
|
|
Path: fp,
|
|
|
|
Type: checker.FileTypeSource,
|
|
|
|
Offset: checker.OffsetDefault,
|
|
|
|
Text: "not a codeql workflow",
|
2021-08-24 03:54:22 +03:00
|
|
|
})
|
2021-08-03 03:56:45 +03:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
// A packaging workflow using GitHub's supported packages:
|
|
|
|
// https://docs.github.com/en/packages.
|
2021-12-14 07:14:35 +03:00
|
|
|
func requiresPackagesPermissions(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
2021-08-03 03:56:45 +03:00
|
|
|
// TODO: add support for GitHub registries.
|
|
|
|
// Example: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry.
|
|
|
|
// This feature requires parsing actions properly.
|
|
|
|
// For now, we just re-use the Packaging check to verify that the
|
|
|
|
// workflow is a packaging workflow.
|
2021-12-14 07:14:35 +03:00
|
|
|
return isPackagingWorkflow(workflow, fp, dl)
|
2021-08-03 03:56:45 +03:00
|
|
|
}
|
2021-11-16 06:03:54 +03:00
|
|
|
|
2022-02-23 03:23:07 +03:00
|
|
|
// requiresContentsPermissions returns true if the workflow requires the `contents: write` permission.
|
2021-12-14 07:14:35 +03:00
|
|
|
func requiresContentsPermissions(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
2022-05-12 04:41:37 +03:00
|
|
|
return isReleasingWorkflow(workflow, fp, dl) || isGitHubPagesDeploymentWorkflow(workflow, fp, dl)
|
|
|
|
}
|
|
|
|
|
|
|
|
// isGitHubPagesDeploymentWorkflow returns true if the workflow involves pushing static pages to GitHub pages.
|
|
|
|
func isGitHubPagesDeploymentWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
|
|
|
jobMatchers := []fileparser.JobMatcher{
|
|
|
|
{
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "peaceiris/actions-gh-pages",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate GitHub page deployment workflow using peaceiris/actions-gh-pages",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
return fileparser.AnyJobsMatch(workflow, jobMatchers, fp, dl, "not a GitHub Pages deployment workflow")
|
2022-02-23 03:23:07 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
// isReleasingWorkflow returns true if the workflow involves creating a release on GitHub.
|
|
|
|
func isReleasingWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
|
|
|
jobMatchers := []fileparser.JobMatcher{
|
|
|
|
{
|
|
|
|
// Python packages.
|
|
|
|
// This is a custom Python packaging/releasing workflow based on semantic versioning.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "relekang/python-semantic-release",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate python publishing workflow using python-semantic-release",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Go packages.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "actions/setup-go",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Uses: "goreleaser/goreleaser-action",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate golang publishing workflow",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
return fileparser.AnyJobsMatch(workflow, jobMatchers, fp, dl, "not a releasing workflow")
|
2021-11-16 06:03:54 +03:00
|
|
|
}
|
2022-06-01 19:41:20 +03:00
|
|
|
|
|
|
|
// TODO: remove when migrated to raw results.
|
2022-06-29 20:10:15 +03:00
|
|
|
// Should be using the definition in raw/packaging.go.
|
2022-06-01 19:41:20 +03:00
|
|
|
func isPackagingWorkflow(workflow *actionlint.Workflow, fp string, dl checker.DetailLogger) bool {
|
|
|
|
jobMatchers := []fileparser.JobMatcher{
|
|
|
|
{
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "actions/setup-node",
|
|
|
|
With: map[string]string{"registry-url": "https://registry.npmjs.org"},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Run: "npm.*publish",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate node publishing workflow using npm",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Java packages with maven.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "actions/setup-java",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Run: "mvn.*deploy",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate java publishing workflow using maven",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Java packages with gradle.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "actions/setup-java",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Run: "gradle.*publish",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate java publishing workflow using gradle",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Ruby packages.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Run: "gem.*push",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate ruby publishing workflow using gem",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// NuGet packages.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Run: "nuget.*push",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate nuget publishing workflow",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Docker packages.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Run: "docker.*push",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate docker publishing workflow",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Docker packages.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "docker/build-push-action",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate docker publishing workflow",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Python packages.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "actions/setup-python",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Uses: "pypa/gh-action-pypi-publish",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate python publishing workflow using pypi",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Python packages.
|
|
|
|
// This is a custom Python packaging workflow based on semantic versioning.
|
|
|
|
// TODO(#1642): accept custom workflows through a separate configuration.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "relekang/python-semantic-release",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate python publishing workflow using python-semantic-release",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Go packages.
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Uses: "actions/setup-go",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
Uses: "goreleaser/goreleaser-action",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate golang publishing workflow",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
// Rust packages. https://doc.rust-lang.org/cargo/reference/publishing.html
|
|
|
|
Steps: []*fileparser.JobMatcherStep{
|
|
|
|
{
|
|
|
|
Run: "cargo.*publish",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
LogText: "candidate rust publishing workflow using cargo",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
return fileparser.AnyJobsMatch(workflow, jobMatchers, fp, dl, "not a publishing workflow")
|
|
|
|
}
|