Two round-1 review findings, fixed together because they touch the
same regex/loop region of `findViolations`:
1. **cubic P0 — quoted write-all bypass**.
`WRITE_ALL_PATTERN` was `/^\s*permissions:\s*write-all\b/m`, which
does not match the perfectly valid YAML forms
`permissions: "write-all"` and `permissions: 'write-all'`. A
workflow that quoted the shorthand slipped right through the
persist-credentials gate the previous commit was supposed to close.
Reproduced before this commit:
$ cat /tmp/q.yml
name: bad
on: [push]
permissions: "write-all"
jobs:
do:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
$ ECC_WORKFLOWS_DIR=/tmp node scripts/ci/validate-workflow-security.js
Validated workflow security for 1 workflow files
exit=0
Fix: tighten the regex to
/^\s*permissions:\s*["']?write-all["']?\s*$/m
which accepts the bare, double-quoted, and single-quoted YAML forms
while still anchoring on the `permissions:` key. The trailing `\s*$`
prevents accidentally matching keys whose value happens to start
with `write-all` (e.g. some future literal `write-all-something`).
2. **greptile P2 — duplicate violation when both patterns match**.
A `ref: refs/pull/${{ github.event.pull_request.head.sha }}/merge`
value matches both the `pull_request_target` rule's
`expressionPattern` (the `head.sha` interpolation) and its
`refPattern` (the `refs/pull/` literal). Each push generates an
ERROR line with the same description and just a different
`expression:` echo, so the reviewer sees the same violation twice.
Fix: track `stepFlagged` inside the per-step loop and skip the
`refPattern` fallback once any `expressionPattern` match has already
produced a violation for this step. The `refPattern` is a fallback
for ref-only forms (`refs/pull/123/head`, `${{ env.X }}` whose
resolved value is a PR ref); when the more specific expression
already fires, the fallback is redundant by definition.
After both fixes, the round-1 reproductions resolve cleanly:
$ # quoted form now blocks
$ ECC_WORKFLOWS_DIR=/tmp/q1/.github/workflows node scripts/ci/validate-workflow-security.js
ERROR: quoted.yml:8 - workflows with write permissions must disable checkout credential persistence
exit=1
$ # combined head.sha + refs/pull now prints one ERROR, not two
$ ECC_WORKFLOWS_DIR=/tmp/q2/.github/workflows node scripts/ci/validate-workflow-security.js
ERROR: dup.yml:10 - pull_request_target must not checkout an untrusted pull_request head ref/repository
Unsafe expression: ${{ github.event.pull_request.head.sha }}
exit=1
Test additions land in the next commit.
#!/usr/bin/env node
/**
* Reject unsafe GitHub Actions patterns that execute or checkout untrusted PR code
* from privileged events such as workflow_run or pull_request_target.
*/
const fs = require('fs');
const path = require('path');
// Directory scanned when no override is given: `<repo>/.github/workflows`,
// located relative to this script (scripts/ci/ → repo root).
const DEFAULT_WORKFLOWS_DIR = path.join(__dirname, '..', '..', '.github', 'workflows');
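/**
 * Event-scoped checkout rules. A rule is consulted only when its
 * `eventPattern` matches the workflow source, and is then applied to every
 * `actions/checkout` step in the file:
 *   - `expressionPattern` (global, consumed with `matchAll`) names the
 *     `${{ ... }}` interpolations that resolve to data controlled by the
 *     author of an untrusted PR / workflow_run;
 *   - `refPattern` (optional, single match) catches `ref:` values that name a
 *     `refs/pull/<N>/...` ref directly, however the value was assembled.
 * The leading-indent anchor is `^[^\S\n]*` rather than `^\s*`: `\s` also
 * matches newlines, so under the `m` flag `^\s*` can start its match on a
 * blank line above the key and the index-derived line number is then off by
 * the number of blank lines. The true/false result is unchanged.
 */
const RULES = [
  {
    event: 'workflow_run',
    eventPattern: /\bworkflow_run\s*:/m,
    description: 'workflow_run must not checkout an untrusted workflow_run head ref/repository',
    expressionPattern: /\$\{\{\s*github\.event\.workflow_run\.(?:head_branch|head_sha|head_repository(?:\.[A-Za-z0-9_.]+)?)\s*\}\}|\$\{\{\s*github\.event\.workflow_run\.pull_requests\[\d+\]\.head\.(?:ref|sha|repo\.full_name)\s*\}\}/g,
  },
  {
    event: 'pull_request_target',
    eventPattern: /\bpull_request_target\s*:/m,
    description: 'pull_request_target must not checkout an untrusted pull_request head ref/repository',
    expressionPattern: /\$\{\{\s*github\.event\.pull_request\.head\.(?:ref|sha|repo\.full_name)\s*\}\}/g,
    // Even without the standard `github.event.pull_request.head.*` expression,
    // a checkout under `pull_request_target` that fetches a `refs/pull/<N>/{head,merge}`
    // ref pulls attacker-controlled code into a workflow with write-scoped
    // tokens. GitHub's security guidance treats both forms equivalently;
    // we match the ref value directly so any interpolation that resolves
    // to such a ref (`refs/pull/${{ github.event.pull_request.number }}/merge`,
    // a hardcoded `refs/pull/123/head`, a `${{ env.X }}` that the maintainer
    // assumes is safe, etc.) trips the same rule.
    refPattern: /^[^\S\n]*ref:\s*['"]?[^'"\n]*refs\/(?:remotes\/)?pull\/[^'"\n\s]+/m,
  },
];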
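// All `^`-anchored patterns below use `[^\S\n]*` (any whitespace except a
// newline) for the leading indent. `^\s*` under the `m` flag can begin its
// match on a blank line above the key, which makes the match index — and
// therefore the reported line number — point at that blank line instead.

/**
 * Named permission scopes that, when granted `write`, turn a leaked
 * `GITHUB_TOKEN` into write access. `["']?` accepts the quoted YAML forms
 * (`contents: "write"`), which are as valid to GitHub as the bare word and
 * would otherwise slip past the persist-credentials gate; `\b` keeps
 * rejecting longer literals such as `write-all` here, since no named scope
 * takes such a value.
 */
const WRITE_PERMISSION_PATTERN = /^[^\S\n]*(?:contents|issues|pull-requests|actions|attestations|checks|deployments|discussions|id-token|packages|pages|repository-projects|security-events|statuses):\s*["']?write\b/m;
// `permissions: write-all` is GitHub Actions' shorthand for granting every
// scope write access. The named-scope pattern above misses it because there
// is no scope name on the left of the colon — just the literal `write-all`
// value at the permissions key. Treat both as equivalent for the purposes
// of the persist-credentials gate below. The optional single/double quotes
// match valid YAML `permissions: "write-all"` / `'write-all'` forms, and the
// value may be followed by a YAML comment (`write-all  # everything`) — a
// comment requires at least one space before the `#`. Anything else after
// the value (e.g. a `write-all-something` literal) is still rejected.
const WRITE_ALL_PATTERN = /^[^\S\n]*permissions:\s*["']?write-all["']?(?:[^\S\n]+#[^\n]*|[^\S\n]*)$/m;
// `npm audit` on its own is fine only if the workflow also runs
// `npm audit signatures`; the lookahead keeps the two from matching the same
// command.
const NPM_AUDIT_PATTERN = /\bnpm\s+audit\b(?!\s+signatures\b)/;
const NPM_AUDIT_SIGNATURES_PATTERN = /\bnpm\s+audit\s+signatures\b/;
// `actions/cache/restore` and `actions/cache/save` are the split-phase
// sub-actions of the same package; a cache restored or saved through them is
// exactly the shared cache the rules below exist to reject, so all three
// spellings match.
const ACTIONS_CACHE_PATTERN = /uses:\s*['"]?actions\/cache(?:\/(?:restore|save))?@/m;
// Quoted `id-token: "write"` is accepted for the same reason as above.
const ID_TOKEN_WRITE_PATTERN = /^[^\S\n]*id-token:\s*["']?write\b/m;
/**
 * Package-manager install commands that run dependency lifecycle scripts
 * unless told not to. Each pattern is global (for `matchAll`) and matches
 * only when the opt-out flag is absent from the rest of that line.
 */
const UNSAFE_INSTALL_PATTERNS = [
  {
    pattern: /\bnpm\s+ci\b(?![^\n]*--ignore-scripts)/g,
    description: 'npm ci must include --ignore-scripts',
  },
  {
    pattern: /\bpnpm\s+install\b(?![^\n]*--ignore-scripts)/g,
    description: 'pnpm install must include --ignore-scripts',
  },
  {
    pattern: /\byarn\s+install\b(?![^\n]*--mode=skip-build)/g,
    description: 'yarn install must use --mode=skip-build',
  },
  {
    pattern: /\bbun\s+install\b(?![^\n]*--ignore-scripts)/g,
    description: 'bun install must include --ignore-scripts',
  },
];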
/**
 * List the workflow files (`*.yml` / `*.yaml`, case-insensitive) directly
 * inside `workflowsDir`, as full paths in sorted order.
 *
 * @param {string} workflowsDir - directory to scan (not recursed into)
 * @returns {string[]} sorted absolute-or-joined paths; `[]` when the
 *   directory does not exist
 */
function getWorkflowFiles(workflowsDir) {
  if (!fs.existsSync(workflowsDir)) {
    return [];
  }

  const isWorkflowName = (name) => /\.(?:yml|yaml)$/i.test(name);
  const found = [];
  for (const entry of fs.readdirSync(workflowsDir)) {
    if (isWorkflowName(entry)) {
      found.push(path.join(workflowsDir, entry));
    }
  }
  found.sort();
  return found;
}
/**
 * 1-based line number of character offset `index` within `source`.
 * Counts the `\n` characters before the offset (CRLF is handled by the same
 * count, since each CRLF contains exactly one `\n`).
 *
 * @param {string} source
 * @param {number} index - character offset into `source`
 * @returns {number}
 */
function getLineNumber(source, index) {
  const before = source.slice(0, index);
  const newlines = before.match(/\n/g);
  return (newlines === null ? 0 : newlines.length) + 1;
}
/**
 * Split a workflow into YAML list-item blocks (every `- ` item, at any
 * indentation, starts a block that runs until the next item) and keep those
 * that `uses:` `actions/checkout`.
 *
 * @param {string} source - workflow file contents
 * @returns {{ startLine: number, text: string }[]} one entry per checkout
 *   step: its 1-based starting line and the block's lines rejoined with `\n`
 */
function extractCheckoutSteps(source) {
  const itemStart = /^(\s*)-\s+/;
  const usesCheckout = /uses:\s*['"]?actions\/checkout@/m;
  const blocks = [];
  let open = null;
  const closeOpen = () => {
    if (open !== null) {
      blocks.push(open);
    }
  };

  source.split(/\r?\n/).forEach((line, idx) => {
    if (itemStart.exec(line) !== null) {
      closeOpen();
      open = { startLine: idx + 1, lines: [line] };
    } else if (open !== null) {
      open.lines.push(line);
    }
  });
  closeOpen();

  const checkoutSteps = [];
  for (const block of blocks) {
    const text = block.lines.join('\n');
    if (usesCheckout.test(text)) {
      checkoutSteps.push({ startLine: block.startLine, text });
    }
  }
  return checkoutSteps;
}
/**
 * Run every security rule against one workflow and collect the findings.
 *
 * Checks, in order: event-scoped untrusted checkouts (`RULES`), checkout
 * steps that keep credentials while the workflow holds write permissions,
 * install commands that run lifecycle scripts, `actions/cache` combined with
 * `id-token: write`, any `actions/cache` at all, `actions/cache` under
 * `pull_request_target`, and `npm audit` without `npm audit signatures`.
 *
 * @param {string} filePath - path of the workflow (echoed into each finding)
 * @param {string} source - workflow file contents
 * @returns {{ filePath: string, event: string, description: string,
 *   expression: string, line: number }[]} findings in detection order
 */
function findViolations(filePath, source) {
  const violations = [];
  const checkoutSteps = extractCheckoutSteps(source);
  const prtEvent = /\bpull_request_target\s*:/m;
  const persistOff = /persist-credentials:\s*['"]?false['"]?\b/m;

  // All findings share one shape; `filePath` is fixed for this call.
  const report = (event, description, expression, line) => {
    violations.push({ filePath, event, description, expression, line });
  };
  // Line of a pattern's first match in the whole file (callers test first).
  const lineOf = (pattern) => getLineNumber(source, source.search(pattern));
  // File line of an offset inside a step's text.
  const stepLine = (step, offset) => step.startLine + getLineNumber(step.text, offset) - 1;

  for (const rule of RULES) {
    if (!rule.eventPattern.test(source)) {
      continue;
    }
    for (const step of checkoutSteps) {
      // A `refs/pull/${{ github.event.pull_request.head.sha }}/merge` value
      // matches both patterns of the same rule; once the expression pattern
      // has flagged the step, the refPattern fallback would only repeat the
      // same ERROR with a different `expression:` echo, so it is skipped.
      let flagged = false;
      for (const match of step.text.matchAll(rule.expressionPattern)) {
        report(rule.event, rule.description, match[0], stepLine(step, match.index));
        flagged = true;
      }
      if (flagged || !rule.refPattern) {
        continue;
      }
      const refMatch = rule.refPattern.exec(step.text);
      if (refMatch !== null) {
        report(rule.event, rule.description, refMatch[0].trim(), stepLine(step, refMatch.index));
      }
    }
  }

  if (WRITE_PERMISSION_PATTERN.test(source) || WRITE_ALL_PATTERN.test(source)) {
    for (const step of checkoutSteps) {
      if (persistOff.test(step.text)) {
        continue;
      }
      report(
        'write-permission checkout',
        'workflows with write permissions must disable checkout credential persistence',
        'actions/checkout without persist-credentials: false',
        step.startLine,
      );
    }
  }

  for (const { pattern, description } of UNSAFE_INSTALL_PATTERNS) {
    for (const match of source.matchAll(pattern)) {
      report(
        'dependency install scripts',
        `workflow dependency installs must not run lifecycle scripts: ${description}`,
        match[0],
        getLineNumber(source, match.index),
      );
    }
  }

  const usesCache = ACTIONS_CACHE_PATTERN.test(source);

  if (usesCache && ID_TOKEN_WRITE_PATTERN.test(source)) {
    report(
      'id-token cache',
      'workflows with id-token: write must not restore or save shared dependency caches',
      'id-token: write + actions/cache',
      lineOf(ID_TOKEN_WRITE_PATTERN),
    );
  }

  if (usesCache) {
    report(
      'dependency cache',
      'GitHub Actions dependency caches are disabled during active supply-chain hardening',
      'actions/cache',
      lineOf(ACTIONS_CACHE_PATTERN),
    );
  }

  if (usesCache && prtEvent.test(source)) {
    report(
      'pull_request_target cache',
      'pull_request_target workflows must not restore or save shared dependency caches',
      'pull_request_target + actions/cache',
      lineOf(prtEvent),
    );
  }

  if (NPM_AUDIT_PATTERN.test(source) && !NPM_AUDIT_SIGNATURES_PATTERN.test(source)) {
    report(
      'npm audit signatures',
      'workflows that run npm audit must also verify registry signatures',
      'npm audit without npm audit signatures',
      lineOf(NPM_AUDIT_PATTERN),
    );
  }

  return violations;
}
/**
 * Validate every workflow file in `workflowsDir` and print the findings.
 *
 * Each finding is written to stderr as two lines (file:line - description,
 * then the offending expression); a summary goes to stdout when clean.
 *
 * @param {string} [workflowsDir=DEFAULT_WORKFLOWS_DIR]
 * @returns {0|1} process exit status: 1 if any finding was reported
 */
function validateWorkflowSecurity(workflowsDir = DEFAULT_WORKFLOWS_DIR) {
  const files = getWorkflowFiles(workflowsDir);
  const violations = files.flatMap((filePath) =>
    findViolations(filePath, fs.readFileSync(filePath, 'utf8')),
  );

  if (violations.length === 0) {
    console.log(`Validated workflow security for ${files.length} workflow files`);
    return 0;
  }

  for (const { filePath, line, description, expression } of violations) {
    console.error(`ERROR: ${path.basename(filePath)}:${line} - ${description}`);
    console.error(` Unsafe expression: ${expression}`);
  }
  return 1;
}
// CLI entry point: the exit status is the validator's return code (0 clean,
// 1 findings). `ECC_WORKFLOWS_DIR` overrides the scanned directory; an unset
// or empty value falls back to the default.
if (require.main === module) {
  const workflowsDir = process.env.ECC_WORKFLOWS_DIR || DEFAULT_WORKFLOWS_DIR;
  process.exit(validateWorkflowSecurity(workflowsDir));
}

// Exported for tests and for reuse by other scripts.
module.exports = {
  DEFAULT_WORKFLOWS_DIR,
  extractCheckoutSteps,
  findViolations,
  validateWorkflowSecurity,
};