From fea221acac72c1dc32eb0620d0b197917ce7b15e Mon Sep 17 00:00:00 2001
From: shubham-stepsecurity
Date: Fri, 6 Sep 2024 17:01:10 +0530
Subject: [PATCH] Do not set permissions for jobs with GITHUB_TOKEN in job level env

---
 remediation/workflow/metadata/actionmetadata.go | 1 +
 remediation/workflow/permissions/permissions.go | 16 ++++++++++++++++
 .../input/github-token-in-job-env.yml | 16 ++++++++++++++++
 .../output/github-token-in-job-env.yml | 1 +
 4 files changed, 34 insertions(+)
 create mode 100644 testfiles/joblevelpermskb/input/github-token-in-job-env.yml
 create mode 100644 testfiles/joblevelpermskb/output/github-token-in-job-env.yml

diff --git a/remediation/workflow/metadata/actionmetadata.go b/remediation/workflow/metadata/actionmetadata.go
index 1fb20302..98cf4b6c 100644
--- a/remediation/workflow/metadata/actionmetadata.go
+++ b/remediation/workflow/metadata/actionmetadata.go
@@ -30,6 +30,7 @@ type Step struct {
 type Job struct {
 Permissions Permissions `yaml:"permissions"`
 Uses string `yaml:"uses"`
+ Env Env `yaml:"env"`
 // RunsOn []string `yaml:"runs-on"`
 Steps []Step `yaml:"steps"`
 }
diff --git a/remediation/workflow/permissions/permissions.go b/remediation/workflow/permissions/permissions.go
index b26d63a3..8ffa5d7a 100644
--- a/remediation/workflow/permissions/permissions.go
+++ b/remediation/workflow/permissions/permissions.go
@@ -38,6 +38,7 @@ const errorMissingAction = "KnownIssue-4: Action %s is not in the knowledge base
 const errorAlreadyHasPermissions = "KnownIssue-5: Permissions were not added to the job since it already had permissions defined"
 const errorDockerAction = "KnownIssue-6: Action %s is a docker action which uses Github token. Docker actions that uses token are not supported"
 const errorReusableWorkflow = "KnownIssue-7: Action %s is a reusable workflow. Reusable workflows are not supported as of now."
+const errorGithubTokenInJobEnv = "KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable"
 const errorIncorrectYaml = "Unable to parse the YAML workflow file"
 
 // To avoid a typo while adding the permissions
@@ -78,6 +79,15 @@ func alreadyHasWorkflowPermissions(workflow metadata.Workflow) bool {
 return workflow.Permissions.IsSet
 }
 
+func githubTokenInJobLevelEnv(job metadata.Job) bool {
+ for _, envValue := range job.Env {
+ if strings.Contains(envValue, "secrets.GITHUB_TOKEN") || strings.Contains(envValue, "github.token") {
+ return true
+ }
+ }
+ return false
+}
+
 func AddWorkflowLevelPermissions(inputYaml string, addProjectComment bool) (string, error) {
 
 workflow := metadata.Workflow{}
@@ -177,6 +187,12 @@ func AddJobLevelPermissions(inputYaml string) (*SecureWorkflowReponse, error) {
 continue
 }
 
+ if githubTokenInJobLevelEnv(job) {
+ fixWorkflowPermsReponse.HasErrors = true
+ errors[jobName] = append(errors[jobName], errorGithubTokenInJobEnv)
+ continue
+ }
+
 if metadata.IsCallingReusableWorkflow(job) {
 fixWorkflowPermsReponse.HasErrors = true
 errors[jobName] = append(errors[jobName], fmt.Sprintf(errorReusableWorkflow, job.Uses))
diff --git a/testfiles/joblevelpermskb/input/github-token-in-job-env.yml b/testfiles/joblevelpermskb/input/github-token-in-job-env.yml
new file mode 100644
index 00000000..a1368dcb
--- /dev/null
+++ b/testfiles/joblevelpermskb/input/github-token-in-job-env.yml
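Review bot: The new KnownIssue-8 message mixes plural and singular (`to the jobs since it has`) while KnownIssue-5 and its neighbours describe a single job, and "job level env variable" wants an article. `"KnownIssue-8: Permissions were not added to the job since it has GITHUB_TOKEN in a job level env variable"` reads consistently with the others. The expected-output fixture added later in this patch pins the exact string, so it has to change in step.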
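Review bot: The substring test in `githubTokenInJobLevelEnv` misses the bracket form of the expression, so a job with `TOKEN: ${{ secrets['GITHUB_TOKEN'] }}` still receives a permissions block and its steps will presumably fail against the narrowed token exactly as the dotted form did before this commit; secret names are also case-insensitive on GitHub, so `${{ secrets.github_token }}` is a valid reference that `strings.Contains` never sees. A compiled pattern covers both: `var githubTokenRef = regexp.MustCompile("(?i)secrets\\.GITHUB_TOKEN|secrets\\[['\"]GITHUB_TOKEN['\"]\\]|github\\.token")` at package level (needs `regexp` in the import block, which is outside this hunk) and `if githubTokenRef.MatchString(envValue) {` in place of the two Contains calls. The helper also lacks a doc comment; I would add `// githubTokenInJobLevelEnv reports whether any job-level env value references the workflow's GITHUB_TOKEN (secrets.GITHUB_TOKEN or github.token); such jobs are left alone because the steps' use of the token cannot be inferred from the action knowledge base.` The `Env` type is not visible in this diff, so this assumes ranging over it yields string values, as the existing Contains calls already require.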
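Review bot: The guard only consults the job's own `env`; a workflow-level `env:` that sets `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` is inherited by every job, so those jobs would still get a permissions block and run their steps with a token the narrowed permissions no longer cover. If `metadata.Workflow` exposes the top-level env (it is not visible in this diff), the same check should run once against it before the loop, or the helper should take both the workflow and the job. The loop and `AddJobLevelPermissions` itself begin and end outside this hunk. A one-line comment on the new branch would also help a later reader, e.g. `// Skip this job: a step may use the token through the env, which the knowledge base cannot see.`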
@@ -0,0 +1,16 @@
+name: Job level env
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ job-with-error:
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ runs-on: ubuntu-latest
+ steps:
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+ - name: some step that uses token
+ run: |
+ npm ci
\ No newline at end of file
diff --git a/testfiles/joblevelpermskb/output/github-token-in-job-env.yml b/testfiles/joblevelpermskb/output/github-token-in-job-env.yml
new file mode 100644
index 00000000..19a913d7
--- /dev/null
+++ b/testfiles/joblevelpermskb/output/github-token-in-job-env.yml
@@ -0,0 +1 @@
+KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable
\ No newline at end of file
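Review bot: The fixture exercises only the `${{secrets.GITHUB_TOKEN}}` spelling, so nothing in the test set drives the `github.token` branch of the new helper or a reference embedded in a longer value such as `Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}`. A second job in this file with `GH_TOKEN: ${{ github.token }}`, or a sibling fixture, would cover it; the output fixture would then need a KnownIssue-8 line for that job as well. The trailing `\ No newline at end of file` is harmless for YAML but worth fixing while the file is new.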