feat(workflow-scanner): E11 part 2 — re-interpolation + auth-bypass + WFL prefix + orchestrator
Closes E11. Three new pieces, plus integration:
1. Re-interpolation detector (Appsmith GHSL-2024-277 stealth pattern).
The scanner now collects env: bindings (key -> source-expression
text) by walking parsed events whose parentChain includes 'env',
then for each `${{ env.<KEY> }}` inside run:, re-injects MEDIUM
if the binding source matches the 23-field blacklist. This
catches the pattern where developers apply env-indirection but
then re-interpolate the env var in run:, which cancels the
mitigation (template substitution happens before shell parsing).
2. Auth-bypass category (Synacktiv 2023 Dependabot spoofing).
Detects `if: ${{ github.actor == 'dependabot[bot]' }}` and
variants. MEDIUM, owasp: 'LLM06' (Excessive Agency). Distinct
from injection — same expression syntax, different threat class.
Recommendation steers users to `github.event.pull_request.user.login`.
3. severity.mjs OWASP map registration. WFL prefix added to all
four maps:
- OWASP_MAP['WFL'] = ['LLM02', 'LLM06']
- OWASP_AGENTIC_MAP['WFL'] = ['ASI04']
- OWASP_SKILLS_MAP['WFL'] = []
- OWASP_MCP_MAP['WFL'] = []
Empty arrays for skills/MCP are explicit, not omitted — keeps
`Object.keys(OWASP_MAP)` symmetric across maps.
4. scan-orchestrator.mjs registration. workflowScan added between
supply-chain and toxic-flow (toxic-flow correlates after primaries).
Verified via integration: orchestrator emits 9 WFL findings on
tests/fixtures/workflows/.
Bug fix: extractTriggers in workflow-yaml-state.mjs was collecting
sub-properties (`branches:`, `types:`) as triggers. Now tracks the
first nested indent level and ignores anything deeper.
Tests:
- 6 new cases in tests/scanners/workflow-scanner.test.mjs:
re-interp TP, no-double-count, auth-bypass TP, auth-bypass FP
(startsWith head_ref is not auth-bypass), OWASP map shape,
orchestrator import + SCANNERS array entry.
- 2 new fixtures: tp-reinterpolation.yml, auth-bypass-dependabot.yml.
- Existing 14 scanner tests + 15 state-machine tests unchanged.
Test count: 1732 -> 1738 (+6). Wave B total: +53 over baseline 1685.
Pre-compact-scan flake unchanged (passes in isolation).
This commit is contained in:
Kjell Tore Guttormsen
parent
c31d4b1718
commit
ede37219a3
7 changed files with 180 additions and 4 deletions
|
|
@ -141,6 +141,7 @@ export const OWASP_MAP = Object.freeze({
|
|||
MEM: ['LLM01'],
|
||||
SCR: ['LLM03'],
|
||||
PST: ['LLM01', 'LLM06'],
|
||||
WFL: ['LLM02', 'LLM06'],
|
||||
});
|
||||
|
||||
/**
|
||||
|
|
@ -159,6 +160,7 @@ export const OWASP_AGENTIC_MAP = Object.freeze({
|
|||
MEM: ['ASI01', 'ASI02'],
|
||||
SCR: ['ASI04'],
|
||||
PST: ['ASI02', 'ASI03', 'ASI04', 'ASI05'],
|
||||
WFL: ['ASI04'],
|
||||
});
|
||||
|
||||
/**
|
||||
|
|
@ -177,6 +179,7 @@ export const OWASP_SKILLS_MAP = Object.freeze({
|
|||
MEM: ['AST01', 'AST05'],
|
||||
SCR: ['AST06'],
|
||||
PST: ['AST01', 'AST03'],
|
||||
WFL: [],
|
||||
});
|
||||
|
||||
/**
|
||||
|
|
@ -195,6 +198,7 @@ export const OWASP_MCP_MAP = Object.freeze({
|
|||
MEM: ['MCP05', 'MCP06'],
|
||||
SCR: ['MCP04'],
|
||||
PST: ['MCP02', 'MCP07'],
|
||||
WFL: [],
|
||||
});
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue