# METADATA
# title: Unverified Script Execution
# description: |-
# The pipeline executes a script or binary fetched from a remote
# server without verifying its integrity.
# custom:
# level: note
package rules.unverified_script_exec
import data.poutine
import rego.v1
# Rule descriptor derived from the METADATA annotations at the top of this file
# (title, description, level); it is attached to every finding emitted by
# `results` below.
rule := poutine.rule(rego.metadata.chain())
# Shell-command patterns that indicate a remotely fetched script or binary being
# executed without an integrity check. The alternatives are joined into one
# regex so that `regex.find_n` yields one match per suspicious command, and each
# alternative is bounded (`{0,N}` windows) so a match never spans past a line.
patterns.shell contains sprintf("(%s)", [concat("|", [
	# Process substitution: `bash <(curl ...)` or `source <(curl ...)`.
	`(bash|source) <\(curl [^\)\n]+?\)`,
	# A download (curl / wget / PowerShell `iwr`) followed within 256 characters on
	# the same line by either a pipe into an interpreter (sh, bash, python, php,
	# node, iex, perl) or a `chmod +x` / `chmod 7xx|5xx` that makes it executable.
	`(curl|wget|iwr)[^\n]{0,256}(\|(|.*?[^a-z])((ba)?sh|python|php|node|iex|perl)|chmod ([aug]?\+x|[75]))`,
	# PowerShell: `iex` applied to the result of `.DownloadString(...)`.
	`iex[^\n]{0,512}\.DownloadString\([^\)]+?\)`,
	# Deno running or installing an https:// source with all permissions granted.
	`deno (run|install) (-A|--allow-all)[^\n]{0,128}https://[^\s]{0,128}`,
])])
# Allow-list applied to each command matched by `patterns.shell`: a GitHub raw
# URL whose ref is a full 40-hex commit SHA is treated as integrity-pinned.
# `_is_safe` applies this with an unanchored `regex.match` over the whole matched
# command, so a pinned URL anywhere inside that substring is enough to suppress
# the finding; it does not check that the pinned URL is the one being executed.
patterns.safe contains sprintf("(%s)", [concat("|", [
	# raw.githubusercontent.com/<owner>/<repo>/<40-hex sha>/...
	`https://raw\.githubusercontent\.com/[^/]+/[^/]+/[a-f0-9]{40}/`,
	# github.com/<owner>/<repo>/raw/<40-hex sha>/...
	`https://github\.com/[^/]+/[^/]+/raw/[a-f0-9]{40}/`,
])])
# One finding per (package purl, matched script occurrence) collected in the
# `_scripts` rules below, each carrying this file's `rule` descriptor.
results contains poutine.finding(rule, pkg_purl, _scripts[pkg_purl][_])
# _unverified_scripts returns one "Command: <match>" detail string for every
# substring of `script` that matches a `patterns.shell` regex and is not
# allow-listed by `_is_safe`. Matches are reported in the order found.
_unverified_scripts(script) := [sprintf("Command: %s", [cmd]) |
	some pattern in patterns.shell
	some cmd in regex.find_n(pattern, script, -1)
	not _is_safe(cmd)
]
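# _is_safe is true when the matched command contains an allow-listed
# (integrity-pinned) URL from `patterns.safe`; otherwise it is undefined, which
# the caller's `not _is_safe(...)` treats exactly like false.
#
# Written as a partial rule instead of the head form
# `_is_safe(match) = regex.match(patterns.safe[_], match)`: the head form
# evaluates regex.match once per entry of `patterns.safe`, so as soon as that
# set holds more than one pattern, a command matching only some of them makes
# the function produce both true and false for the same input, which OPA
# rejects as a conflict. With the partial rule any single matching pattern
# suffices and adding patterns stays safe.
_is_safe(match) if {
	some pattern in patterns.safe
	regex.match(pattern, match)
}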
# GitHub Actions workflows: scan the `run:` block of every step of every job.
# Each hit records where it was found plus the workflow's event triggers.
_scripts[pkg.purl] contains {
	"path": workflow.path,
	"step": step_id,
	"job": job.id,
	"line": step.lines.run,
	"details": details,
	"event_triggers": [event.name | some event in workflow.events],
} if {
	some pkg in input.packages
	some workflow in pkg.github_actions_workflows
	some job in workflow.jobs
	some step_id, step in job.steps
	# steps without a `run` key make step.run undefined and are skipped
	some details in _unverified_scripts(step.run)
}
# GitHub action metadata files: scan each `runs.steps[*].run` block (the
# composite-action step syntax). No job field exists at this level.
_scripts[pkg.purl] contains {
	"path": action.path,
	"step": step_id,
	"line": step.lines.run,
	"details": details,
} if {
	some pkg in input.packages
	some action in pkg.github_actions_metadata
	some step_id, step in action.runs.steps
	# steps without a `run` key make step.run undefined and are skipped
	some details in _unverified_scripts(step.run)
}
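# GitLab CI configs: scan the before_script / after_script / script entries of
# every job, plus the top-level `default` section appended as one more job.
_scripts[pkg.purl] contains {
	"path": config.path,
	"line": script.line,
	# NOTE(review): the `default` section presumably has no "name"; if so, its
	# findings are dropped by this head expression being undefined — confirm
	# against the parser's data model.
	"job": job.name,
	"details": details,
} if {
	some attr in {"before_script", "after_script", "script"}
	some pkg in input.packages
	some config in pkg.gitlabci_configs
	# `config["default"]` is undefined when the key is absent, which would make
	# the whole array.concat undefined and silently skip every job of this
	# config; fall back to empty values so the regular jobs are still scanned
	# (`{}[attr]` is undefined and contributes nothing).
	job := array.concat(object.get(config, "jobs", []), [object.get(config, "default", {})])[_]
	some script in job[attr]
	some details in _unverified_scripts(script.run)
}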
# Azure Pipelines: scan the script / powershell / pwsh / bash content of every
# step of every job in every stage. The same `patterns.shell` regexes are
# applied regardless of which of the four step kinds matched.
_scripts[pkg.purl] contains {
	"path": pipeline.path,
	"job": job.job,
	"step": step_id,
	"line": step.lines[attr],
	"details": details,
} if {
	some attr in {"script", "powershell", "pwsh", "bash"}
	some pkg in input.packages
	some pipeline in pkg.azure_pipelines
	some stage in pipeline.stages
	some job in stage.jobs
	some step_id, step in job.steps
	# steps lacking the selected attribute are undefined here and skipped
	some details in _unverified_scripts(step[attr])
}