* semgrep fix
* test semgrep
* add changeset
* change
* revert interface
* semgrep test
* add changeset
* revert
* delete changeset
* test
* changes
* fixes
---------
Co-authored-by: gradio-pr-bot <[email protected]>
1 parent 99c9e26, commit 136c12f
Showing 2 changed files with 98 additions and 33 deletions.
@@ -1,45 +1,110 @@ | ||
rules: | ||
- id: third-party-action-not-pinned-to-commit-sha | ||
pattern-either: | ||
- pattern: uses: $ACTION@$REF | ||
metavariable-regex: | ||
$ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$ | ||
$REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$ | ||
- pattern: uses: $ACTION | ||
metavariable-regex: | ||
$ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$ | ||
message: > | ||
Third-party GitHub Action is not pinned to a specific commit SHA. | ||
This can be a security risk as the action may be modified unexpectedly. | ||
Consider using a full length commit SHA instead of a tag or branch name. | ||
patterns: | ||
- pattern-inside: "{steps: ...}" | ||
- pattern: | | ||
uses: "$USES" | ||
- metavariable-pattern: | ||
metavariable: $USES | ||
language: generic | ||
patterns: | ||
- pattern-not-regex: ^[.]/ | ||
- pattern-not-regex: ^actions/ | ||
- pattern-not-regex: ^github/ | ||
- pattern-not-regex: ^gradio-app/gradio | ||
- pattern-not-regex: ^gradio-app/github | ||
- pattern-not-regex: "@[0-9a-f]{40}$" | ||
- pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$ | ||
- pattern-not-regex: ^docker://docker$ | ||
message: | ||
An action sourced from a third-party repository on GitHub is not pinned | ||
to a full length commit SHA. Pinning an action to a full length commit SHA | ||
is currently the only way to use an action as an immutable release. | ||
Pinning to a particular SHA helps mitigate the risk of a bad actor adding | ||
a backdoor to the action's repository, as they would need to generate a | ||
SHA-1 collision for a valid Git object payload. | ||
languages: | ||
- yaml | ||
severity: WARNING | ||
languages: [yaml] | ||
paths: | ||
include: | ||
- '**/workflows/*.yml' | ||
- '**/workflows/*.yaml' | ||
metadata: | ||
cwe: | ||
- "CWE-1357: Reliance on Insufficiently Trustworthy Component" | ||
- "CWE-353: Missing Support for Integrity Check" | ||
owasp: A06:2021 - Vulnerable and Outdated Components | ||
references: | ||
- https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components | ||
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions | ||
category: security | ||
technology: | ||
- github-actions | ||
references: | ||
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions | ||
subcategory: | ||
- vuln | ||
likelihood: LOW | ||
impact: LOW | ||
confidence: HIGH | ||
license: Commons Clause License Condition v1.0[LGPL-2.1-only] | ||
vulnerability_class: | ||
- Cryptographic Issues | ||
- Other | ||
|
||
- id: insecure-file-permissions | ||
pattern: os.chmod(..., $PERMS) | ||
message: > | ||
Detected a call to os.chmod() with potentially insecure permissions. | ||
Ensure that file permissions are set correctly to prevent unauthorized access. | ||
severity: WARNING | ||
languages: [python] | ||
languages: | ||
- python | ||
severity: ERROR | ||
message: These permissions `$BITS` are widely permissive and grant access to | ||
more people than may be necessary. A good default is `0o644` which gives | ||
read and write access to yourself and read access to everyone else. | ||
patterns: | ||
- pattern-inside: os.$METHOD(...) | ||
- pattern-either: | ||
- patterns: | ||
- pattern: os.$METHOD($FILE, $BITS, ...) | ||
- metavariable-comparison: | ||
comparison: $BITS >= 0o650 and $BITS < 0o100000 | ||
- patterns: | ||
- pattern: os.$METHOD($FILE, $BITS) | ||
- metavariable-comparison: | ||
comparison: $BITS >= 0o100650 | ||
- patterns: | ||
- pattern: os.$METHOD($FILE, $BITS, ...) | ||
- metavariable-pattern: | ||
metavariable: $BITS | ||
patterns: | ||
- pattern-either: | ||
- pattern: <... stat.S_IWGRP ...> | ||
- pattern: <... stat.S_IXGRP ...> | ||
- pattern: <... stat.S_IWOTH ...> | ||
- pattern: <... stat.S_IXOTH ...> | ||
- pattern: <... stat.S_IRWXO ...> | ||
- pattern: <... stat.S_IRWXG ...> | ||
- patterns: | ||
- pattern: os.$METHOD($FILE, $EXPR | $MOD, ...) | ||
- metavariable-comparison: | ||
comparison: $MOD == 0o111 | ||
- metavariable-pattern: | ||
metavariable: $METHOD | ||
patterns: | ||
- pattern-either: | ||
- pattern: chmod | ||
- pattern: lchmod | ||
- pattern: fchmod | ||
metadata: | ||
category: security | ||
owasp: | ||
- A01:2021 - Broken Access Control | ||
cwe: | ||
- "CWE-276: Incorrect Default Permissions" | ||
technology: | ||
- python | ||
references: | ||
- https://docs.python.org/3/library/os.html#os.chmod | ||
- https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File | ||
fix-regex: | ||
regex: os\.chmod\((.*?),\s*(.*?)\) | ||
replacement: os.chmod($1, 0o600) | ||
|
||
- https://owasp.org/Top10/A01_2021-Broken_Access_Control | ||
cwe2022-top25: true | ||
cwe2021-top25: true | ||
subcategory: | ||
- vuln | ||
likelihood: LOW | ||
impact: MEDIUM | ||
confidence: MEDIUM | ||
license: Commons Clause License Condition v1.0[LGPL-2.1-only] | ||
vulnerability_class: | ||
- Improper Authorization |
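Review bot: The numeric branch of `insecure-file-permissions`, `comparison: $BITS >= 0o650 and $BITS < 0o100000`, also fires on owner-only modes such as `0o700`, which contradicts the message text ("widely permissive ... a good default is `0o644`"); consider a `pattern-not: os.$METHOD($FILE, 0o700, ...)` for the owner-only literals the code base uses, or document the false positive so it is not silently suppressed. The rendered view has lost the `+`/`-` markers, so the duplicated keys visible here (`languages` and `severity` near `languages: [yaml]`, `message`/`severity`/`languages` near `languages: [python]`, `references` listed twice under the first rule's metadata) are presumably old/new pairs; please confirm the committed file carries each mapping key once, since a YAML mapping with duplicate keys will not load as a valid rule file. If the trailing `fix-regex` (`os\.chmod\((.*?),\s*(.*?)\)` to `os.chmod($1, 0o600)`) survives, it is unsafe as an autofix: it rewrites every matched call, including directories and executables, and the lazy `(.*?)\)` stops at the first `)` so nested arguments such as `os.chmod(os.path.join(a, b), mode)` are mangled. Likewise the regex variant of the action rule, `$REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$`, matches any ref including a 40-hex SHA, so that form cannot tell pinned from unpinned uses; the `pattern-not-regex: "@[0-9a-f]{40}$"` form is the one that should remain.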