feat(workflow-scanner): E11 part 2 — re-interpolation + auth-bypass + WFL prefix + orchestrator
Closes E11. Three new pieces, plus integration:
1. Re-interpolation detector (Appsmith GHSL-2024-277 stealth pattern).
The scanner now collects env: bindings (key -> source-expression
text) by walking parsed events whose parentChain includes 'env',
then for each `${{ env.<KEY> }}` inside run:, re-injects MEDIUM
if the binding source matches the 23-field blacklist. This
catches the pattern where developers apply env-indirection but
then re-interpolate the env var in run:, which cancels the
mitigation (template substitution happens before shell parsing).
2. Auth-bypass category (Synacktiv 2023 Dependabot spoofing).
Detects `if: ${{ github.actor == 'dependabot[bot]' }}` and
variants. MEDIUM, owasp: 'LLM06' (Excessive Agency). Distinct
from injection — same expression syntax, different threat class.
Recommendation steers users to `github.event.pull_request.user.login`.
3. severity.mjs OWASP map registration. WFL prefix added to all
four maps:
- OWASP_MAP['WFL'] = ['LLM02', 'LLM06']
- OWASP_AGENTIC_MAP['WFL'] = ['ASI04']
- OWASP_SKILLS_MAP['WFL'] = []
- OWASP_MCP_MAP['WFL'] = []
Empty arrays for skills/MCP are explicit, not omitted — keeps
`Object.keys(OWASP_MAP)` symmetric across maps.
4. scan-orchestrator.mjs registration. workflowScan added between
supply-chain and toxic-flow (toxic-flow correlates after primaries).
Verified via integration: orchestrator emits 9 WFL findings on
tests/fixtures/workflows/.
Bug fix: extractTriggers in workflow-yaml-state.mjs was collecting
sub-properties (`branches:`, `types:`) as triggers. Now tracks the
first nested indent level and ignores anything deeper.
Tests:
- 6 new cases in tests/scanners/workflow-scanner.test.mjs:
re-interp TP, no-double-count, auth-bypass TP, auth-bypass FP
(startsWith head_ref is not auth-bypass), OWASP map shape,
orchestrator import + SCANNERS array entry.
- 2 new fixtures: tp-reinterpolation.yml, auth-bypass-dependabot.yml.
- Existing 14 scanner tests + 15 state-machine tests unchanged.
Test count: 1732 -> 1738 (+6). Wave B total: +53 over baseline 1685.
Pre-compact-scan flake unchanged (passes in isolation).
This commit is contained in:
Kjell Tore Guttormsen
parent
c31d4b1718
commit
ede37219a3
7 changed files with 180 additions and 4 deletions
|
|
@ -116,6 +116,10 @@ const SINK_PARENTS = new Set(['run']);
|
|||
// engine, NOT the shell. These are sink mismatches, not injection.
|
||||
const NON_SINK_PARENTS = new Set(['if', 'with', 'env', 'name', 'runs-on', 'timeout-minutes', 'continue-on-error']);
|
||||
|
||||
// B4: auth-bypass — github.actor or forgejo.actor compared against a
|
||||
// bot identity in if: contexts (Synacktiv 2023 Dependabot spoofing).
|
||||
const AUTH_BYPASS_RE = /\b(?:github|forgejo)\.actor\s*(?:==|!=)\s*['"][\w-]+\[bot\]['"]/;
|
||||
|
||||
// ---------------------------------------------------------------------------
|
||||
// Discovery
|
||||
// ---------------------------------------------------------------------------
|
||||
|
|
@ -241,19 +245,85 @@ async function scanFile(absPath, targetPath, stderrLog) {
|
|||
);
|
||||
}
|
||||
|
||||
const platformLabel = platform === 'forgejo' ? 'Forgejo' : 'GitHub';
|
||||
const triggerList = [...triggers].join(', ') || 'unknown';
|
||||
|
||||
// B4: collect env: bindings (key -> source-expression). Used for
|
||||
// re-interpolation detection. A binding is an event whose parent is
|
||||
// a key under an `env:` block — i.e. parentChain includes 'env'
|
||||
// and the parent is not 'env' itself.
|
||||
const envBindings = new Map();
|
||||
for (const ev of parsed.events) {
|
||||
if (!ev.parentChain.includes('env')) continue;
|
||||
if (ev.parent === 'env') continue;
|
||||
if (SINK_PARENTS.has(ev.parent)) continue;
|
||||
if (NON_SINK_PARENTS.has(ev.parent)) continue;
|
||||
envBindings.set(ev.parent, ev.expr);
|
||||
}
|
||||
|
||||
for (const ev of parsed.events) {
|
||||
// B4: auth-bypass first — fires only on if: events
|
||||
if (ev.parent === 'if' && AUTH_BYPASS_RE.test(ev.expr)) {
|
||||
findings.push(finding({
|
||||
scanner: SCANNER_PREFIX,
|
||||
severity: SEVERITY.MEDIUM,
|
||||
title: `Actor auth-bypass: ${platformLabel} workflow trusts bot identity`,
|
||||
description:
|
||||
`Actor auth-bypass: if-condition trusts bot identity that can be ` +
|
||||
`spoofed via pull_request_target. ${platformLabel} workflow at ` +
|
||||
`${relPath}: ${ev.expr}.`,
|
||||
file: relPath,
|
||||
line: ev.line,
|
||||
evidence: `\${{ ${ev.expr} }}`,
|
||||
owasp: 'LLM06',
|
||||
recommendation:
|
||||
'Use `github.event.pull_request.user.login` (immutable per PR) ' +
|
||||
'instead of `github.actor` for authorization decisions. The actor ' +
|
||||
'name can be spoofed via Synacktiv-2023 Dependabot path. If the ' +
|
||||
'check must remain, gate it on an `id-token` OIDC claim.',
|
||||
}));
|
||||
continue;
|
||||
}
|
||||
|
||||
if (NON_SINK_PARENTS.has(ev.parent)) continue;
|
||||
if (!SINK_PARENTS.has(ev.parent)) continue;
|
||||
|
||||
// B4: re-interpolation pattern — `${{ env.<KEY> }}` inside run:
|
||||
// where <KEY> was bound from a blacklisted field via top-level
|
||||
// or job-level env:. Cancels the env-indirection mitigation.
|
||||
const reinterpMatch = ev.expr.match(/^env\.([\w-]+)$/);
|
||||
if (reinterpMatch) {
|
||||
const key = reinterpMatch[1];
|
||||
const source = envBindings.get(key);
|
||||
if (source && DANGEROUS_RE.test(source)) {
|
||||
findings.push(finding({
|
||||
scanner: SCANNER_PREFIX,
|
||||
severity: SEVERITY.MEDIUM,
|
||||
title: `Re-interpolation: env.${key} re-injects ${source.split(/\s+/)[0]} at ${platformLabel} run:`,
|
||||
description:
|
||||
`Re-interpolation: env.${key} was set from \${{ ${source} }}; reading via ` +
|
||||
`\${{ env.${key} }} in run: re-injects the unsafe value (Appsmith ` +
|
||||
`GHSL-2024-277 stealth pattern). Workflow: ${relPath}.`,
|
||||
file: relPath,
|
||||
line: ev.line,
|
||||
evidence: `\${{ env.${key} }}`,
|
||||
owasp: 'LLM02',
|
||||
recommendation:
|
||||
`Consume the env var via \$${key} (shell variable) inside run:, ` +
|
||||
`not via \${{ env.${key} }}. Template substitution happens before ` +
|
||||
`shell parsing — re-interpolating cancels the env-indirection ` +
|
||||
'mitigation and re-introduces the original injection.',
|
||||
}));
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
const fieldClass = classifyField(ev.expr);
|
||||
if (fieldClass === 'other') continue;
|
||||
|
||||
const severity = severityFor(triggers, fieldClass);
|
||||
if (!severity) continue;
|
||||
|
||||
const platformLabel = platform === 'forgejo' ? 'Forgejo' : 'GitHub';
|
||||
const triggerList = [...triggers].join(', ') || 'unknown';
|
||||
|
||||
findings.push(finding({
|
||||
scanner: SCANNER_PREFIX,
|
||||
severity,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue