From 0d66ffa3462492608cca0a387810f4bb639c392f Mon Sep 17 00:00:00 2001
From: AdnaneKhan
Date: Fri, 13 Dec 2024 10:25:13 -0500
Subject: [PATCH] Add a final pass for upgrading injectable fields to MEDIUM for potential branch injection.

---
 gatox/configuration/workflow_parsing.json | 3 +++
 gatox/enumerate/reports/actions.py | 4 ++++
 gatox/workflow_parser/utility.py | 11 +++++++++++
 3 files changed, 18 insertions(+)

diff --git a/gatox/configuration/workflow_parsing.json b/gatox/configuration/workflow_parsing.json
index 6c7fe94..9948680 100644
--- a/gatox/configuration/workflow_parsing.json
+++ b/gatox/configuration/workflow_parsing.json
@@ -65,6 +65,9 @@
 "github.event.pull_request.head.repo.default_branch",
 "github.head_ref"
 ],
+ "RISKY_CONTEXT_REGEXES": [
+ "(pr|PR).*(branch|head|ref)"
+ ],
 "SAFE_ISH_CONTEXTS": [
 "label",
 "flag",
diff --git a/gatox/enumerate/reports/actions.py b/gatox/enumerate/reports/actions.py
index ac9db67..eac3f0c 100644
--- a/gatox/enumerate/reports/actions.py
+++ b/gatox/enumerate/reports/actions.py
@@ -19,6 +19,7 @@
 from gatox.enumerate.reports.report import Report
 from gatox.models.repository import Repository
+from gatox.workflow_parser.utility import check_risky_regexes
 class ActionsReport(Report):
@@ -173,6 +174,9 @@ def ___report_injection(self, candidate, details):
 in ConfigurationManager().WORKFLOW_PARSING["UNSAFE_CONTEXTS"]
 ):
 confidence = "HIGH"
+elif confidence == "UNKNOWN" and var and check_risky_regexes(var):
+ confidence = "MEDIUM"
+
 lines.append(f'Variables: {", ".join(val["variables"])}')
 if "if_checks" in val and val["if_checks"]:
 lines.append(f' Step If-check: {val["if_checks"]}')
diff --git a/gatox/workflow_parser/utility.py b/gatox/workflow_parser/utility.py
index 29ca1d3..2d15f68 100644
--- a/gatox/workflow_parser/utility.py
+++ b/gatox/workflow_parser/utility.py
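Review bot: The new `RISKY_CONTEXT_REGEXES` entry `(pr|PR).*(branch|head|ref)` is unanchored and is applied with `re.search` in `check_risky_regexes`, so any name that merely contains `pr` somewhere before `branch`, `head` or `ref` is upgraded to MEDIUM — a constructed name such as `deprecated_ref` or `approval_head` would match. If that is wider than intended, anchoring the first token, e.g. `"(^|[_-])(pr|PR)[_-]?.*(branch|head|ref)"`, narrows it; conversely, if mixed case like `Pr` should also count, an inline `(?i)` flag is the simplest way to say so. Either way the intent of the pattern cannot be recorded in this JSON, so it belongs in the docstring of the function that consumes the list.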
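Review bot: The new `elif` branch in `___report_injection` gives no hint why a regex hit on the variable name earns MEDIUM while a name listed in `UNSAFE_CONTEXTS` earns HIGH, and that distinction is the whole point of the change; a one-line comment above it would carry it, e.g. `# Name-only heuristic (RISKY_CONTEXT_REGEXES): the value is not resolved, so cap at MEDIUM`. The guard only runs while `confidence` is still `"UNKNOWN"`, which is correct for an upgrade-only pass, but worth stating since `var` is bound before the hunk and I am assuming it is the variable name being classified. `___report_injection` starts outside the hunk.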
@@ -1,3 +1,5 @@
+import re
+
 from gatox.configuration.configuration_manager import ConfigurationManager
 from gatox.workflow_parser.expression_parser import ExpressionParser
 from gatox.workflow_parser.expression_evaluator import ExpressionEvaluator
@@ -39,6 +41,15 @@ def check_sus(item):
 return False
+@staticmethod
+def check_risky_regexes(item):
+ regexes = ConfigurationManager().WORKFLOW_PARSING["RISKY_CONTEXT_REGEXES"]
+
+ for regex in regexes:
+ if re.search(regex, item):
+ return True
+
+
 @staticmethod
+def check_pr_ref(item):
+ """
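Review bot: `check_risky_regexes` falls off the end of the `for` loop without a `return`, so a non-matching `item` yields `None` rather than `False`, unlike `check_sus` directly above it, which ends with `return False`; add `return False` after the loop so the helper is a proper predicate rather than relying on the caller's `and` chain. It is also decorated with `@staticmethod` although it is a module-level function (the existing `check_pr_ref` does the same); a `staticmethod` object is only callable outside a class on Python 3.10 and later, so on any older interpreter the `check_risky_regexes(var)` call added in `actions.py` would raise at call time — presumably the project requires 3.10+, but a bare `def` is simpler either way. A docstring in the style `check_pr_ref` uses would also help, e.g. `"""Return True if *item* matches any RISKY_CONTEXT_REGEXES pattern from the workflow-parsing configuration (substring match via re.search)."""`. `check_pr_ref`'s body continues outside the hunk.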