Merge pull request #2480 from step-security/issue2479

Do not set permissions for jobs with GITHUB_TOKEN in job level env
step-security · Sep 6, 2024 · 95abd71 · 95abd71
2 parents 99b254c + fea221a
commit 95abd71
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 0 deletions.
diff --git a/remediation/workflow/metadata/actionmetadata.go b/remediation/workflow/metadata/actionmetadata.go
@@ -30,6 +30,7 @@ type Step struct {
 type Job struct {
 	Permissions Permissions `yaml:"permissions"`
 	Uses        string      `yaml:"uses"`
+	Env         Env         `yaml:"env"`
 	// RunsOn      []string    `yaml:"runs-on"`
 	Steps []Step `yaml:"steps"`
 }

diff --git a/remediation/workflow/permissions/permissions.go b/remediation/workflow/permissions/permissions.go
@@ -38,6 +38,7 @@ const errorMissingAction = "KnownIssue-4: Action %s is not in the knowledge base
 const errorAlreadyHasPermissions = "KnownIssue-5: Permissions were not added to the job since it already had permissions defined"
 const errorDockerAction = "KnownIssue-6: Action %s is a docker action which uses Github token. Docker actions that uses token are not supported"
 const errorReusableWorkflow = "KnownIssue-7: Action %s is a reusable workflow. Reusable workflows are not supported as of now."
+const errorGithubTokenInJobEnv = "KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable"
 const errorIncorrectYaml = "Unable to parse the YAML workflow file"
 
 // To avoid a typo while adding the permissions
@@ -78,6 +79,15 @@ func alreadyHasWorkflowPermissions(workflow metadata.Workflow) bool {
 	return workflow.Permissions.IsSet
 }
 
+func githubTokenInJobLevelEnv(job metadata.Job) bool {
+	for _, envValue := range job.Env {
+		if strings.Contains(envValue, "secrets.GITHUB_TOKEN") || strings.Contains(envValue, "github.token") {
+			return true
+		}
+	}
+	return false
+}
+
 func AddWorkflowLevelPermissions(inputYaml string, addProjectComment bool) (string, error) {
 	workflow := metadata.Workflow{}
 
@@ -177,6 +187,12 @@ func AddJobLevelPermissions(inputYaml string) (*SecureWorkflowReponse, error) {
 			continue
 		}
 
+		if githubTokenInJobLevelEnv(job) {
+			fixWorkflowPermsReponse.HasErrors = true
+			errors[jobName] = append(errors[jobName], errorGithubTokenInJobEnv)
+			continue
+		}
+
 		if metadata.IsCallingReusableWorkflow(job) {
 			fixWorkflowPermsReponse.HasErrors = true
 			errors[jobName] = append(errors[jobName], fmt.Sprintf(errorReusableWorkflow, job.Uses))

diff --git a/testfiles/joblevelpermskb/input/github-token-in-job-env.yml b/testfiles/joblevelpermskb/input/github-token-in-job-env.yml
@@ -0,0 +1,16 @@
+name: Job level env
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  job-with-error:
+    env:
+      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+    runs-on: ubuntu-latest
+    steps:
+
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+      - name: some step that uses token
+        run: |
+          npm ci
diff --git a/testfiles/joblevelpermskb/output/github-token-in-job-env.yml b/testfiles/joblevelpermskb/output/github-token-in-job-env.yml
@@ -0,0 +1 @@
+KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable