Add GitHub workflow specific rules

Author: NicholasEllul

packages/semgrep-action/rules/src/github-actions/checkout-pr-on-issue-comment.yaml

@@ -0,0 +1,91 @@
+rules:
+- id: checkout-pr-on-issue-comment
+  languages:
+    - yaml
+  message: >-
+    A workflow triggered by an `issue_comment` event is checking out a pull request. This could allow an attacker to inject malicious code by commenting on an issue in a way that causes unintended execution. Ensure proper validation is in place before checking out PRs.
+  severity: ERROR
+  patterns:
+    - pattern-either:
+      - pattern-inside: |
+          on:
+            ...
+            issue_comment: ...
+            ...
+          ...
+      - pattern-inside: |
+          on: [..., issue_comment, ...]
+          ...
+      - pattern-inside: |
+          on: issue_comment
+          ...
+    - pattern-inside: |
+        jobs:
+          ...
+          $JOBNAME:
+            ...
+            steps:
+              ...
+    - pattern: |
+        run: $CMD
+    - metavariable-regex:
+        metavariable: $CMD
+        regex: ".*gh pr checkout.*"
+  metadata:
+    category: security
+    cwe:
+      - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+    owasp:
+      - A08:2021 - Software and Data Integrity Failures
+    references:
+      - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+    technology:
+      - github-actions
+      - actions/checkout
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+      - audit
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+
+- id: publish-actions-cache-used
+  languages:
+    - yaml
+  severity: WARNING
+  metadata:
+    category: security
+    cwe:
+      - "CWE-494: Download of Code Without Integrity Check"
+    owasp:
+      - A08:2021 - Software and Data Integrity Failures
+    references:
+      - https://github.com/MetaMask/MetaMask-planning/issues/3925
+    technology:
+      - github-actions
+      - actions/cache
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+      - audit
+    likelihood: MEDIUM
+    impact: HIGH
+    confidence: MEDIUM
+    tags: [security]
+    shortDescription: Potential cache poisoning risk by using `actions/cache` in a publishing workflow.
+    help: |
+      ## Remediation
+      We recommend avoiding using `actions/cache` if this workflow publishes a release or has access to sensitive secrets. 
+      If caching is required, please see https://github.com/MetaMask/MetaMask-planning/issues/3925 for a workaround.
+  message: >-
+      Using GitHub's Action Cache in publishing workflows, especially in open source repositories, can be dangerous. See
+      https://github.com/MetaMask/MetaMask-planning/issues/3925 for more details and alternative recommendations.
+  patterns:
+      - pattern: "uses: $ACTION_NAME"
+      - metavariable-regex:
+          metavariable: $ACTION_NAME
+          regex: actions/cache@.+
+  paths:
+    include:
+      - ".github/**/*publish*.yml"

packages/semgrep-action/rules/src/github-actions/curl-eval.yaml

@@ -0,0 +1,33 @@
+rules:
+  - id: curl-eval
+    languages:
+      - yaml
+    severity: ERROR
+    metadata:
+      tags: [security]
+      shortDescription: Risk of code injection through curl and eval combination
+      confidence: LOW
+      help: |
+        ## Remediation
+        Avoid eval'ing data fetched from curl commands. If this operation is necessary, 
+        verify the integrity of downloaded content by checking its SHA sum before evaluation.
+        See GitHub's security guidance for more details on script injection risks.
+    message: >-
+      Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl`
+      command could inject malicious code into the `eval`, resulting in a system compromise. Avoid eval'ing
+      untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned
+      by the server to verify its integrity.
+    patterns:
+      - pattern-inside: 'steps: [...]'
+      - pattern-inside: |
+          - run: ...
+            ...
+      - pattern: 'run: $SHELL'
+      - metavariable-pattern:
+          language: bash
+          metavariable: $SHELL
+          patterns:
+            - pattern: |
+                $DATA=<... curl ...>
+                ...
+                eval <... $DATA ...>

packages/semgrep-action/rules/src/github-actions/github-script-injection.yaml

@@ -0,0 +1,77 @@
+rules:
+  - id: github-script-injection
+    languages:
+      - yaml
+    severity: ERROR
+    metadata:
+      tags: [security]
+      shortDescription: Risk of code injection when using `github` context data in `actions/github-script`.
+      confidence: HIGH
+      help: |
+        ## Remediation
+        Instead of using variable interpolation with `github` context data directly in the script,
+        use an intermediate environment variable:
+        
+        1. Store the data using `env:`
+        2. Reference the environment variable in the script using double-quotes: "$ENVVAR"
+      category: security
+      cwe:
+        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
+      owasp:
+        - A03:2021 - Injection
+      references:
+        - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+        - https://securitylab.github.com/research/github-actions-untrusted-input/
+        - https://github.com/actions/github-script
+      technology:
+        - github-actions
+      cwe2022-top25: true
+      subcategory:
+        - vuln
+      likelihood: HIGH
+      impact: HIGH
+    message: >-
+      Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s
+      `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context
+      data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment
+      variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes
+      the environment variable, like this: "$ENVVAR".
+    patterns:
+      - pattern-inside: 'steps: [...]'
+      - pattern-inside: |
+          uses: $ACTION
+          ...
+      - pattern-inside: |
+          with:
+            ...
+            script: ...
+            ...
+      - pattern: 'script: $SHELL'
+      - metavariable-regex:
+          metavariable: $ACTION
+          regex: actions/github-script@.*
+      - metavariable-pattern:
+          language: generic
+          metavariable: $SHELL
+          patterns:
+            - pattern-either:
+              - pattern: ${{ github.event.issue.title }}
+              - pattern: ${{ github.event.issue.body }}
+              - pattern: ${{ github.event.pull_request.title }}
+              - pattern: ${{ github.event.pull_request.body }}
+              - pattern: ${{ github.event.comment.body }}
+              - pattern: ${{ github.event.review.body }}
+              - pattern: ${{ github.event.review_comment.body }}
+              - pattern: ${{ github.event.pages. ... .page_name}}
+              - pattern: ${{ github.event.head_commit.message }}
+              - pattern: ${{ github.event.head_commit.author.email }}
+              - pattern: ${{ github.event.head_commit.author.name }}
+              - pattern: ${{ github.event.commits ... .author.email }}
+              - pattern: ${{ github.event.commits ... .author.name }}
+              - pattern: ${{ github.event.pull_request.head.ref }}
+              - pattern: ${{ github.event.pull_request.head.label }}
+              - pattern: ${{ github.event.pull_request.head.repo.default_branch }}
+              - pattern: ${{ github.head_ref }}
+              - pattern: ${{ github.event.inputs ... }}
+              - pattern: ${{ github.event.discussion.title }}
+              - pattern: ${{ github.event.discussion.body }}

packages/semgrep-action/rules/src/github-actions/pull-request-target-code-checkout.yaml

@@ -0,0 +1,77 @@
+rules:
+- id: pull-request-target-code-checkout
+  languages:
+  - yaml
+  message: >-
+    This GitHub Actions workflow file uses `pull_request_target` and checks out code
+    from the incoming pull request. When using `pull_request_target`, the Action
+    runs in the context of the target repository, which includes access to all repository
+    secrets. Normally, this is safe because the Action only runs code from the target
+    repository, not the incoming PR. However, by checking out the incoming PR code, you're now using
+    the incoming code for the rest of the action. You may be inadvertently executing arbitrary code
+    from the incoming PR with access to repository secrets, which would let an attacker steal repository
+    secrets.
+    This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation
+    scripts (e.g., `python setup.py install`).
+    Audit your workflow file to make sure no code from the incoming PR is executed.
+    Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional
+    mitigations.
+  metadata:
+    tags: [security]
+    shortDescription: Unsafe code checkout in pull_request_target workflow
+    confidence: LOW
+    help: |
+      ## Remediation
+      When using `pull_request_target`, avoid checking out code from the incoming PR. If you must check out PR code, 
+      ensure no untrusted code is executed (including build scripts and dependency installation).
+      See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.
+    category: security
+    owasp:
+    - A01:2021 - Broken Access Control
+    cwe:
+    - 'CWE-913: Improper Control of Dynamically-Managed Code Resources'
+    references:
+    - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+    - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md
+    technology:
+    - github-actions
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+  patterns:
+  - pattern-either:
+    - pattern-inside: |
+        on:
+          ...
+          pull_request_target: ...
+          ...
+        ...
+    - pattern-inside: |
+        on: [..., pull_request_target, ...]
+        ...
+    - pattern-inside: |
+        on: pull_request_target
+        ...
+  - pattern-inside: |
+      jobs:
+        ...
+        $JOBNAME:
+          ...
+          steps:
+            ...
+  - pattern: |
+      ...
+      uses: "$ACTION"
+      with:
+        ...
+        ref: $EXPR
+  - metavariable-regex:
+      metavariable: $ACTION
+      regex: actions/checkout@.*
+  - metavariable-pattern:
+      language: generic
+      metavariable: $EXPR
+      patterns:
+      - pattern: ${{ github.event.pull_request ... }}
+  severity: WARNING

packages/semgrep-action/rules/src/github-actions/run-shell-injection.yaml

@@ -0,0 +1,71 @@
+rules:
+- id: run-shell-injection
+  languages:
+  - yaml
+  message: 'Using variable interpolation `${{...}}` with `github` context data in a `run:` step could
+    allow an attacker to inject their own code into the runner. This would allow them to steal secrets
+    and code. `github` context data can have arbitrary user input and should be treated as untrusted.
+    Instead, use an intermediate environment variable with `env:` to store the data and use the environment
+    variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".'
+  metadata:
+    category: security
+    cwe:
+    - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+    owasp:
+    - A01:2017 - Injection
+    - A03:2021 - Injection
+    references:
+    - https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
+    - https://securitylab.github.com/research/github-actions-untrusted-input/
+    technology:
+    - github-actions
+    cwe2022-top25: true
+    cwe2021-top25: true
+    subcategory:
+    - vuln
+    likelihood: HIGH
+    impact: HIGH
+    confidence: HIGH
+    tags: [security]
+    shortDescription: Shell injection risk in GitHub Actions run steps
+    help: |
+      ## Remediation
+      Instead of using `github` context data directly in `run:` steps, use an intermediate environment variable:
+      ```yaml
+      steps:
+        - run: echo "$MY_VAR"
+          env:
+            MY_VAR: ${{ github.event.issue.title }}
+      ```
+  patterns:
+  - pattern-inside: 'steps: [...]'
+  - pattern-inside: |
+      - run: ...
+        ...
+  - pattern: 'run: $SHELL'
+  - metavariable-pattern:
+      language: generic
+      metavariable: $SHELL
+      patterns:
+      - pattern-either:
+        - pattern: ${{ github.event.issue.title }}
+        - pattern: ${{ github.event.issue.body }}
+        - pattern: ${{ github.event.pull_request.title }}
+        - pattern: ${{ github.event.pull_request.body }}
+        - pattern: ${{ github.event.comment.body }}
+        - pattern: ${{ github.event.review.body }}
+        - pattern: ${{ github.event.review_comment.body }}
+        - pattern: ${{ github.event.pages. ... .page_name}}
+        - pattern: ${{ github.event.head_commit.message }}
+        - pattern: ${{ github.event.head_commit.author.email }}
+        - pattern: ${{ github.event.head_commit.author.name }}
+        - pattern: ${{ github.event.commits ... .author.email }}
+        - pattern: ${{ github.event.commits ... .author.name }}
+        - pattern: ${{ github.event.pull_request.head.ref }}
+        - pattern: ${{ github.event.pull_request.head.label }}
+        - pattern: ${{ github.event.pull_request.head.repo.default_branch }}
+        - pattern: ${{ github.head_ref }}
+        - pattern: ${{ github.event.inputs ... }}
+        - pattern: ${{ github.event.discussion.title }}
+        - pattern: ${{ github.event.discussion.body }}
+  severity: ERROR