feat: Azure Pipelines #160
Conversation
| @@ -77,3 +77,27 @@ results contains poutine.finding(rule, pkg.purl, { | |||
| exprs := gl_injections(script) | |||
| count(exprs) > 0 | |||
| } | |||
|
|
|||
| # Azure Pipelines | |||
| patterns.azure contains `\$\((Build\.(SourceBranchName|SourceBranch|SourceVersionMessage)|System\.PullRequest\.SourceBranch)\)` | |||
There was a problem hiding this comment.
Practically speaking it looks like only System.PullRequest.SourceBranch is truly user controllable, but the fact remains that all the others fit the definition, just that in all my test scenarios so far they are referirng to merge commit and the merge commit message.
That being said, the other may or may not be exploitable when the PR gets merged though... likely , I'll need to test, but good let's keep the regex like this
| if len(p.Stages) == 0 { | ||
| stage := AzureStage{} | ||
| if err := node.Decode(&stage); err != nil { | ||
| return err | ||
| } | ||
|
|
||
| if len(stage.Jobs) == 0 { | ||
| job := AzureJob{} | ||
| if err := node.Decode(&job); err != nil { | ||
| return err | ||
| } | ||
|
|
||
| stage.Jobs = append(stage.Jobs, job) | ||
| } | ||
|
|
||
| p.Stages = append(p.Stages, stage) | ||
| } |
There was a problem hiding this comment.
Great. I was wondering how you would handle this polymorphic thing.
|
|
||
| func (s *Scanner) AzurePipelines() ([]models.AzurePipeline, error) { | ||
| pipelines := []models.AzurePipeline{} | ||
| err := filepath.Walk(s.Path, |
There was a problem hiding this comment.
^ Note to self and @SUSTAPLE117 , we should consider optimizing this because we now have a 4th filepath.Walk(). So we will loop through all files multiple times.
We should refactor to have a single Walk loop and then conditionally call the SCM / CI specific parsing.
Filed an issue #161
|
LGTM, I'd like to do some basic smoke test before merging |
|
Tested against various orgs, no measurable performance delta. Stable. |
unverified_script_exec&injectionto analyze Azure Pipelines.pkg:azurepipelinestask