ktg-plugin-marketplace

open/ktg-plugin-marketplace

Fork 0

Commit graph

Author	SHA1	Message	Date
Kjell Tore Guttormsen	ede37219a3	feat(workflow-scanner): E11 part 2 — re-interpolation + auth-bypass + WFL prefix + orchestrator Closes E11. Three new pieces, plus integration: 1. Re-interpolation detector (Appsmith GHSL-2024-277 stealth pattern). The scanner now collects env: bindings (key -> source-expression text) by walking parsed events whose parentChain includes 'env', then for each `${{ env.<KEY> }}` inside run:, re-injects MEDIUM if the binding source matches the 23-field blacklist. This catches the pattern where developers apply env-indirection but then re-interpolate the env var in run:, which cancels the mitigation (template substitution happens before shell parsing). 2. Auth-bypass category (Synacktiv 2023 Dependabot spoofing). Detects `if: ${{ github.actor == 'dependabot[bot]' }}` and variants. MEDIUM, owasp: 'LLM06' (Excessive Agency). Distinct from injection — same expression syntax, different threat class. Recommendation steers users to `github.event.pull_request.user.login`. 3. severity.mjs OWASP map registration. WFL prefix added to all four maps: - OWASP_MAP['WFL'] = ['LLM02', 'LLM06'] - OWASP_AGENTIC_MAP['WFL'] = ['ASI04'] - OWASP_SKILLS_MAP['WFL'] = [] - OWASP_MCP_MAP['WFL'] = [] Empty arrays for skills/MCP are explicit, not omitted — keeps `Object.keys(OWASP_MAP)` symmetric across maps. 4. scan-orchestrator.mjs registration. workflowScan added between supply-chain and toxic-flow (toxic-flow correlates after primaries). Verified via integration: orchestrator emits 9 WFL findings on tests/fixtures/workflows/. Bug fix: extractTriggers in workflow-yaml-state.mjs was collecting sub-properties (`branches:`, `types:`) as triggers. Now tracks the first nested indent level and ignores anything deeper. Tests: - 6 new cases in tests/scanners/workflow-scanner.test.mjs: re-interp TP, no-double-count, auth-bypass TP, auth-bypass FP (startsWith head_ref is not auth-bypass), OWASP map shape, orchestrator import + SCANNERS array entry. - 2 new fixtures: tp-reinterpolation.yml, auth-bypass-dependabot.yml. - Existing 14 scanner tests + 15 state-machine tests unchanged. Test count: 1732 -> 1738 (+6). Wave B total: +53 over baseline 1685. Pre-compact-scan flake unchanged (passes in isolation).	2026-04-30 15:57:10 +02:00
Kjell Tore Guttormsen	c31d4b1718	feat(workflow-scanner): E11 part 1 — core file-walk + 23-field blacklist + sink-restriction Adds a deterministic GitHub Actions / Forgejo Actions injection scanner. Detects \${{ <dangerous-field> }} interpolations inside \`run:\` step blocks under privileged or semi-privileged triggers. Sink-restricted: \`if:\` / \`with:\` / \`env:\` (block-level) are evaluated by the runner expression engine, not the shell, so they are NOT injection sinks and are suppressed at parser level. Why: workflow expression injection is the most prevalent SAST class on GitHub (CodeQL preview: 800K+ findings across 158K repos). The graduated severity matrix (HIGH for pull_request_target / discussion / workflow_run; MEDIUM for pull_request / workflow_dispatch) is the community-converged calibration target — uniform HIGH causes alert fatigue. Components: - scanners/lib/workflow-yaml-state.mjs — line-based YAML state machine. Tracks indentation, parent-context stack, and \`run: \|\` / \`run: >\` block-scalar entry/exit. Zero deps. - scanners/workflow-scanner.mjs — discoverWorkflows() probes .github/workflows/ and .forgejo/workflows/ directly (file-discovery has no glob include). 23-field blacklist (GHSL 17 + 6 GlueStack- class additions). Platform encoded via file path; no schema extension to finding(). Forgejo-specific: workflow_run advisory emitted to stderr; recommendation text mentions Forgejo's server-level token scoping (job-level permissions: is ignored). - knowledge/workflow-injection-patterns.md — 23-field blacklist, trigger taxonomy, severity matrix, Forgejo divergences, NVD CVE corpus. Tests (47 new): - tests/lib/workflow-yaml-state.test.mjs (15): trigger forms (string / inline-list / block-list / block-mapping), single-line run, block-scalar \| and > tracking, env/with sink-mismatch, multi-line, comment stripping, line-number accuracy. - tests/scanners/workflow-scanner.test.mjs (14): TP head_ref pull_request_target, TP discussion.title gluestack pattern, TP comment.body pull_request, TP issue.body block-scalar, FP if-context, FP env-block, INFO numeric, Forgejo TP, Forgejo workflow_run advisory, envelope shape, WFL prefix. - 9 fixtures in tests/fixtures/workflows/{.github,.forgejo}/workflows/. Out of scope (B4 / Batch D): - Re-interpolation detection (env.VAR after env: from blacklisted source) - github.actor authorization-bypass category - WFL prefix in severity.mjs OWASP maps + scan-orchestrator registration (B4) - Composite-action input tracing, GITHUB_ENV poisoning (Batch D) Test count: 1685 → 1732 (+47). Pre-compact-scan flake unchanged (passes in isolation).	2026-04-30 15:48:48 +02:00

Author

SHA1

Message

Date

Kjell Tore Guttormsen

ede37219a3

feat(workflow-scanner): E11 part 2 — re-interpolation + auth-bypass + WFL prefix + orchestrator

Closes E11. Three new pieces, plus integration:

1. Re-interpolation detector (Appsmith GHSL-2024-277 stealth pattern).
   The scanner now collects env: bindings (key -> source-expression
   text) by walking parsed events whose parentChain includes 'env',
   then for each `${{ env.<KEY> }}` inside run:, re-injects MEDIUM
   if the binding source matches the 23-field blacklist. This
   catches the pattern where developers apply env-indirection but
   then re-interpolate the env var in run:, which cancels the
   mitigation (template substitution happens before shell parsing).

2. Auth-bypass category (Synacktiv 2023 Dependabot spoofing).
   Detects `if: ${{ github.actor == 'dependabot[bot]' }}` and
   variants. MEDIUM, owasp: 'LLM06' (Excessive Agency). Distinct
   from injection — same expression syntax, different threat class.
   Recommendation steers users to `github.event.pull_request.user.login`.

3. severity.mjs OWASP map registration. WFL prefix added to all
   four maps:
   - OWASP_MAP['WFL'] = ['LLM02', 'LLM06']
   - OWASP_AGENTIC_MAP['WFL'] = ['ASI04']
   - OWASP_SKILLS_MAP['WFL'] = []
   - OWASP_MCP_MAP['WFL'] = []
   Empty arrays for skills/MCP are explicit, not omitted — keeps
   `Object.keys(OWASP_MAP)` symmetric across maps.

4. scan-orchestrator.mjs registration. workflowScan added between
   supply-chain and toxic-flow (toxic-flow correlates after primaries).
   Verified via integration: orchestrator emits 9 WFL findings on
   tests/fixtures/workflows/.

Bug fix: extractTriggers in workflow-yaml-state.mjs was collecting
sub-properties (`branches:`, `types:`) as triggers. Now tracks the
first nested indent level and ignores anything deeper.

Tests:
- 6 new cases in tests/scanners/workflow-scanner.test.mjs:
  re-interp TP, no-double-count, auth-bypass TP, auth-bypass FP
  (startsWith head_ref is not auth-bypass), OWASP map shape,
  orchestrator import + SCANNERS array entry.
- 2 new fixtures: tp-reinterpolation.yml, auth-bypass-dependabot.yml.
- Existing 14 scanner tests + 15 state-machine tests unchanged.

Test count: 1732 -> 1738 (+6). Wave B total: +53 over baseline 1685.
Pre-compact-scan flake unchanged (passes in isolation).

2026-04-30 15:57:10 +02:00

Kjell Tore Guttormsen

c31d4b1718

feat(workflow-scanner): E11 part 1 — core file-walk + 23-field blacklist + sink-restriction

Adds a deterministic GitHub Actions / Forgejo Actions injection
scanner. Detects \${{ <dangerous-field> }} interpolations inside
\`run:\` step blocks under privileged or semi-privileged triggers.
Sink-restricted: \`if:\` / \`with:\` / \`env:\` (block-level) are
evaluated by the runner expression engine, not the shell, so they
are NOT injection sinks and are suppressed at parser level.

Why: workflow expression injection is the most prevalent SAST class
on GitHub (CodeQL preview: 800K+ findings across 158K repos). The
graduated severity matrix (HIGH for pull_request_target / discussion
/ workflow_run; MEDIUM for pull_request / workflow_dispatch) is the
community-converged calibration target — uniform HIGH causes alert
fatigue.

Components:
- scanners/lib/workflow-yaml-state.mjs — line-based YAML state
  machine. Tracks indentation, parent-context stack, and
  \`run: |\` / \`run: >\` block-scalar entry/exit. Zero deps.
- scanners/workflow-scanner.mjs — discoverWorkflows() probes
  .github/workflows/ and .forgejo/workflows/ directly (file-discovery
  has no glob include). 23-field blacklist (GHSL 17 + 6 GlueStack-
  class additions). Platform encoded via file path; no schema
  extension to finding(). Forgejo-specific: workflow_run advisory
  emitted to stderr; recommendation text mentions Forgejo's
  server-level token scoping (job-level permissions: is ignored).
- knowledge/workflow-injection-patterns.md — 23-field blacklist,
  trigger taxonomy, severity matrix, Forgejo divergences, NVD CVE
  corpus.

Tests (47 new):
- tests/lib/workflow-yaml-state.test.mjs (15): trigger forms
  (string / inline-list / block-list / block-mapping), single-line
  run, block-scalar | and > tracking, env/with sink-mismatch,
  multi-line, comment stripping, line-number accuracy.
- tests/scanners/workflow-scanner.test.mjs (14): TP head_ref
  pull_request_target, TP discussion.title gluestack pattern,
  TP comment.body pull_request, TP issue.body block-scalar,
  FP if-context, FP env-block, INFO numeric, Forgejo TP, Forgejo
  workflow_run advisory, envelope shape, WFL prefix.
- 9 fixtures in tests/fixtures/workflows/{.github,.forgejo}/workflows/.

Out of scope (B4 / Batch D):
- Re-interpolation detection (env.VAR after env: from blacklisted source)
- github.actor authorization-bypass category
- WFL prefix in severity.mjs OWASP maps + scan-orchestrator
  registration (B4)
- Composite-action input tracing, GITHUB_ENV poisoning (Batch D)

Test count: 1685 → 1732 (+47). Pre-compact-scan flake unchanged
(passes in isolation).

2026-04-30 15:48:48 +02:00

2 commits