c31d4b1718
Adds a deterministic GitHub Actions / Forgejo Actions injection
scanner. Detects \${{ <dangerous-field> }} interpolations inside
\`run:\` step blocks under privileged or semi-privileged triggers.
Sink-restricted: \`if:\` / \`with:\` / \`env:\` (block-level) are
evaluated by the runner expression engine, not the shell, so they
are NOT injection sinks and are suppressed at parser level.
Why: workflow expression injection is the most prevalent SAST class
on GitHub (CodeQL preview: 800K+ findings across 158K repos). The
graduated severity matrix (HIGH for pull_request_target / discussion
/ workflow_run; MEDIUM for pull_request / workflow_dispatch) is the
community-converged calibration target — uniform HIGH causes alert
fatigue.
Components:
- scanners/lib/workflow-yaml-state.mjs — line-based YAML state
machine. Tracks indentation, parent-context stack, and
\`run: |\` / \`run: >\` block-scalar entry/exit. Zero deps.
- scanners/workflow-scanner.mjs — discoverWorkflows() probes
.github/workflows/ and .forgejo/workflows/ directly (file-discovery
has no glob include). 23-field blacklist (GHSL 17 + 6 GlueStack-
class additions). Platform encoded via file path; no schema
extension to finding(). Forgejo-specific: workflow_run advisory
emitted to stderr; recommendation text mentions Forgejo's
server-level token scoping (job-level permissions: is ignored).
- knowledge/workflow-injection-patterns.md — 23-field blacklist,
trigger taxonomy, severity matrix, Forgejo divergences, NVD CVE
corpus.
Tests (47 new):
- tests/lib/workflow-yaml-state.test.mjs (15): trigger forms
(string / inline-list / block-list / block-mapping), single-line
run, block-scalar | and > tracking, env/with sink-mismatch,
multi-line, comment stripping, line-number accuracy.
- tests/scanners/workflow-scanner.test.mjs (14): TP head_ref
pull_request_target, TP discussion.title gluestack pattern,
TP comment.body pull_request, TP issue.body block-scalar,
FP if-context, FP env-block, INFO numeric, Forgejo TP, Forgejo
workflow_run advisory, envelope shape, WFL prefix.
- 9 fixtures in tests/fixtures/workflows/{.github,.forgejo}/workflows/.
Out of scope (B4 / Batch D):
- Re-interpolation detection (env.VAR after env: from blacklisted source)
- github.actor authorization-bypass category
- WFL prefix in severity.mjs OWASP maps + scan-orchestrator
registration (B4)
- Composite-action input tracing, GITHUB_ENV poisoning (Batch D)
Test count: 1685 → 1732 (+47). Pre-compact-scan flake unchanged
(passes in isolation).
228 lines
7.1 KiB
JavaScript
228 lines
7.1 KiB
JavaScript
// workflow-yaml-state.mjs — Line-based YAML state machine for E11
|
|
// (workflow-scanner). Zero dependencies. Tracks indentation, parent
|
|
// context, and `run:` block-scalar entry/exit so the scanner can
|
|
// distinguish injection sinks (`run:`) from sink-mismatch contexts
|
|
// (`if:`, `env:`, `with:`).
|
|
//
|
|
// Why hand-roll instead of importing a YAML library:
|
|
// - Zero-dependency invariant (CLAUDE.md)
|
|
// - Workflows live in `.github/workflows/` and `.forgejo/workflows/`,
|
|
// have a constrained shape (top-level `on:`, `jobs:`, with each
|
|
// job a mapping of {steps, env, …}). A line-based state machine
|
|
// captures everything we need without a full YAML parser.
|
|
//
|
|
// Out of scope:
|
|
// - Anchors / aliases (treated as no-op; rarely used in workflows)
|
|
// - Multi-line flow scalars spanning lines via `... \n ...`
|
|
// - Full `${{ <expr> }}` AST (we extract substring text only)
|
|
|
|
const EXPR_RE = /\$\{\{\s*([\s\S]+?)\s*\}\}/g;
|
|
const KV_RE = /^([A-Za-z_][\w-]*)\s*:\s*(.*)$/;
|
|
const LIST_KV_RE = /^-\s+([A-Za-z_][\w-]*)\s*:\s*(.*)$/;
|
|
const TRIGGER_RE = /^([a-z_]+)(?::|$)/;
|
|
const BLOCK_SCALAR_VALUES = new Set(['|', '>', '|-', '>-', '|+', '>+']);
|
|
|
|
/**
|
|
* Strip comments after first unquoted `#`. Workflows rarely embed `#`
|
|
* in strings; an over-eager strip is acceptable since we never write
|
|
* the stripped text back.
|
|
*/
|
|
function stripComments(line) {
|
|
// Preserve `#` inside ${{ }} expressions (rare, but possible)
|
|
return line.replace(/(^|\s)#.*$/, '');
|
|
}
|
|
|
|
/** Count leading spaces. YAML disallows tabs in indent, so we treat them as 1. */
|
|
function getIndent(line) {
|
|
let i = 0;
|
|
while (i < line.length && (line[i] === ' ' || line[i] === '\t')) i++;
|
|
return i;
|
|
}
|
|
|
|
/** Extract `${{ <expr> }}` substrings with line/column metadata. */
|
|
function findExpressions(rawLine, lineNum) {
|
|
const out = [];
|
|
EXPR_RE.lastIndex = 0;
|
|
let m;
|
|
while ((m = EXPR_RE.exec(rawLine)) !== null) {
|
|
out.push({
|
|
line: lineNum,
|
|
column: m.index + 1,
|
|
expr: m[1].trim(),
|
|
});
|
|
}
|
|
return out;
|
|
}
|
|
|
|
/**
|
|
* Extract the set of triggers declared by top-level `on:`. Handles all
|
|
* four common forms (string, inline-list, block-list, block-mapping).
|
|
*
|
|
* @param {string[]} lines
|
|
* @returns {Set<string>}
|
|
*/
|
|
export function extractTriggers(lines) {
|
|
const triggers = new Set();
|
|
for (let i = 0; i < lines.length; i++) {
|
|
const stripped = stripComments(lines[i]);
|
|
const trimmed = stripped.trim();
|
|
if (!trimmed) continue;
|
|
// Top-level keys are at indent 0
|
|
if (getIndent(stripped) !== 0) continue;
|
|
const m = stripped.match(/^on\s*:\s*(.*)$/);
|
|
if (!m) continue;
|
|
const tail = m[1].trim();
|
|
|
|
// Form 1: `on: push` or `on: [push, pull_request]`
|
|
if (tail) {
|
|
if (tail.startsWith('[')) {
|
|
const inner = tail.replace(/^\[|\]$/g, '');
|
|
for (const part of inner.split(',')) {
|
|
const name = part.trim().replace(/^["']|["']$/g, '');
|
|
if (name) triggers.add(name);
|
|
}
|
|
} else {
|
|
const name = tail.replace(/^["']|["']$/g, '');
|
|
if (name) triggers.add(name);
|
|
}
|
|
return triggers;
|
|
}
|
|
|
|
// Form 2/3: block list or block mapping
|
|
for (let j = i + 1; j < lines.length; j++) {
|
|
const sj = stripComments(lines[j]);
|
|
const tj = sj.trim();
|
|
if (!tj) continue;
|
|
const indent = getIndent(sj);
|
|
if (indent === 0) break; // back to top-level key
|
|
// List item: `- push`
|
|
if (tj.startsWith('- ')) {
|
|
const name = tj.slice(2).trim().replace(/^["']|["']$/g, '');
|
|
if (name) triggers.add(name);
|
|
continue;
|
|
}
|
|
// Mapping key: `push:` or `pull_request_target:`
|
|
const tm = tj.match(TRIGGER_RE);
|
|
if (tm) triggers.add(tm[1]);
|
|
}
|
|
return triggers;
|
|
}
|
|
return triggers;
|
|
}
|
|
|
|
/**
|
|
* Walk the workflow text line-by-line and emit `${{ <expr> }}` events
|
|
* tagged with the parent context (`run`, `if`, `with`, `env`, …) and
|
|
* a flag indicating whether the expression appeared inside a `run:`
|
|
* block-scalar body.
|
|
*
|
|
* @param {string} text
|
|
* @returns {{
|
|
* triggers: Set<string>,
|
|
* events: {
|
|
* line: number,
|
|
* column: number,
|
|
* expr: string,
|
|
* parent: string,
|
|
* parentChain: string[],
|
|
* blockScalar: boolean,
|
|
* }[],
|
|
* }}
|
|
*/
|
|
export function parseWorkflow(text) {
|
|
const lines = text.split('\n');
|
|
const triggers = extractTriggers(lines);
|
|
const events = [];
|
|
/** @type {{indent: number, key: string, isBlockScalar: boolean}[]} */
|
|
const stack = [];
|
|
|
|
for (let i = 0; i < lines.length; i++) {
|
|
const raw = lines[i];
|
|
const stripped = stripComments(raw);
|
|
const trimmed = stripped.trim();
|
|
if (!trimmed) continue;
|
|
|
|
const indent = getIndent(stripped);
|
|
|
|
// Pop frames whose indent >= current indent. Block-scalar frames
|
|
// are popped when we leave the scalar body (indent shallower).
|
|
while (stack.length && stack[stack.length - 1].indent >= indent) {
|
|
stack.pop();
|
|
}
|
|
|
|
const top = stack.length ? stack[stack.length - 1] : null;
|
|
|
|
// Inside a block-scalar body? Body lines have indent strictly
|
|
// greater than the opener; the opener frame is on top of stack.
|
|
if (top && top.isBlockScalar) {
|
|
const exprs = findExpressions(raw, i + 1);
|
|
for (const e of exprs) {
|
|
events.push({
|
|
...e,
|
|
parent: top.key,
|
|
parentChain: stack.map(s => s.key),
|
|
blockScalar: true,
|
|
});
|
|
}
|
|
continue;
|
|
}
|
|
|
|
// Try `<key>: <value>` first
|
|
const kv = trimmed.match(KV_RE);
|
|
if (kv) {
|
|
const key = kv[1];
|
|
const value = kv[2];
|
|
const isBlock = BLOCK_SCALAR_VALUES.has(value);
|
|
const exprs = !isBlock && value ? findExpressions(raw, i + 1) : [];
|
|
for (const e of exprs) {
|
|
events.push({
|
|
...e,
|
|
parent: key,
|
|
parentChain: [...stack.map(s => s.key), key],
|
|
blockScalar: false,
|
|
});
|
|
}
|
|
stack.push({ indent, key, isBlockScalar: isBlock });
|
|
continue;
|
|
}
|
|
|
|
// List item: `- <key>: <value>` or just `- <value>`
|
|
const lkv = trimmed.match(LIST_KV_RE);
|
|
if (lkv) {
|
|
const key = lkv[1];
|
|
const value = lkv[2];
|
|
const isBlock = BLOCK_SCALAR_VALUES.has(value);
|
|
const exprs = !isBlock && value ? findExpressions(raw, i + 1) : [];
|
|
for (const e of exprs) {
|
|
events.push({
|
|
...e,
|
|
parent: key,
|
|
parentChain: [...stack.map(s => s.key), key],
|
|
blockScalar: false,
|
|
});
|
|
}
|
|
// List items create a deeper synthetic indent so subsequent
|
|
// sibling keys at the same column still resolve to this item.
|
|
stack.push({ indent: indent + 2, key, isBlockScalar: isBlock });
|
|
continue;
|
|
}
|
|
|
|
// Plain list item `- something` — no key. Still scan for ${{ ... }}
|
|
// (rare but possible) and tag with the enclosing parent.
|
|
if (trimmed.startsWith('- ')) {
|
|
const exprs = findExpressions(raw, i + 1);
|
|
const enclosing = top ? top.key : '';
|
|
for (const e of exprs) {
|
|
events.push({
|
|
...e,
|
|
parent: enclosing,
|
|
parentChain: stack.map(s => s.key),
|
|
blockScalar: false,
|
|
});
|
|
}
|
|
continue;
|
|
}
|
|
}
|
|
|
|
return { triggers, events };
|
|
}
|