More updates

AdnaneKhan · Apr 23, 2024 · d491508 · d491508
1 parent 373681a
commit d491508
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 12 deletions.
diff --git a/gato/enumerate/recommender.py b/gato/enumerate/recommender.py
@@ -81,8 +81,8 @@ def print_repo_attack_recommendations(
 
                     if details['confidence'] and details['confidence'] == 'MEDIUM' and designation in ['UNKNOWN','LOW']:
                         designation = details['confidence']
-                    else:
-                        Output.info(f'Job: {candidate}')
+
+                    Output.info(f'Job: {candidate}')
 
                     if details.get('if_check', ''):
                         Output.info(f'Job if check: {details["if_check"]}')

diff --git a/gato/workflow_parser/components/step.py b/gato/workflow_parser/components/step.py
@@ -113,14 +113,19 @@ def __process_action(self, uses):
         # Custom checkout - capture the params
         if '/checkout' in uses and 'with' in self.step_data and 'ref' in self.step_data['with']:
             ref_param = self.step_data['with']['ref']
-            if '${{' in ref_param and 'base' not in ref_param:
+            if 'path' in self.step_data['with']:
+                # Custom path means that the checkout probably is not executed.
+                self.is_checkout = False
+            elif '${{' in ref_param and 'base' not in ref_param:
                 self.metadata = ref_param
                 self.is_checkout = True
+
+
         elif 'gradle-build-action' in uses and 'with' in self.step_data and 'arguments' in self.step_data['with']:
             self.metadata =  self.step_data['with']
         elif 'github-script' in uses and 'with' in self.step_data and 'script' in self.step_data['with']:
             self.contents = self.step_data['with']['script']
-            if 'getCollaboratorPermissionLevel' in self.contents:
+            if 'getCollaboratorPermissionLevel' in self.contents or 'checkMembershipForUser' in self.contents:
                 self.is_gate = True
             self.is_script = True
         elif 'get-user-teams-membership' in uses:

diff --git a/gato/workflow_parser/workflow_parser.py b/gato/workflow_parser/workflow_parser.py
@@ -98,7 +98,7 @@ def extract_composite_actions(self):
                         "args": step.step_data.get('with', {})
                     }
 
-                    # Don't investigate GitHub maintained actions, there aren't going to be vulnerable.
+                    # Don't investigate GitHub maintained actions, they aren't going to be vulnerable.
                     if not action_parts['path'].startswith('actions/'):
                         composite_actions.append(action_parts)
 
@@ -142,12 +142,18 @@ def get_vulnerable_triggers(self, alternate=False):
     def backtrack_gate(self, needs_name):
         """Attempts to find if a job needed by a specific job has a gate check.
         """
-        for job in self.jobs:
-            if job.job_name == needs_name and job.has_gate:
-                return True
-            # If the job it needs does't have a gate, then check if it does.
-            elif job.job_name == needs_name and not job.has_gate:
-                return self.backtrack_gate(job.needs)
+        if type(needs_name) == list:
+            for need in needs_name:
+                if self.backtrack_gate(need):
+                    return True
+            return False
+        else:
+            for job in self.jobs:
+                if job.job_name == needs_name and job.has_gate:
+                    return True
+                # If the job it needs does't have a gate, then check if it does.
+                elif job.job_name == needs_name and not job.has_gate:
+                    return self.backtrack_gate(job.needs)
         return False
 
 
@@ -180,7 +186,9 @@ def analyze_checkouts(self):
                     if job.needs:
                         job_content['gated'] = self.backtrack_gate(job.needs)
                     # If the step is a checkout and the ref is pr sha, then no TOCTOU is possible.
-                    if job_content['gated'] and 'github.event.pull_request.head.sha' in step.metadata.lower():
+                    if job_content['gated'] and ('github.event.pull_request.head.sha' in step.metadata.lower() 
+                                                 or ('sha' in step.metadata.lower() 
+                                                 and 'env.' in step.metadata.lower())):
                         early_exit = True
                     else:
                         step_details.append({"ref": step.metadata, "if_check": step.if_condition, "step_name": step.name})
@@ -288,6 +296,8 @@ def check_token(token, container):
                     if step.if_condition:
                         injection_risk[job.job_name][step.name]['if_checks'] = step.if_condition
 
+        if injection_risk:
+            injection_risk['triggers'] = vulnerable_triggers
 
         return injection_risk