Update argo workflow injection rule (#3681) (#3690)

* Update argo workflow injection rule

* add dashes

Co-authored-by: Pieter De Cremer (Semgrep) <[email protected]>

Author: p4p3r

yaml/argo/security/argo-workflow-parameter-command-injection.test.yaml

@@ -39,6 +39,25 @@ spec:
         # ruleid: argo-workflow-parameter-command-injection
         source: |
           print("{{inputs.parameters.message}}")
+    - script:
+        name: ''
+        image: node:9.1-alpine
+        command:
+          - node
+        resources: {}
+        # ruleid: argo-workflow-parameter-command-injection
+        source: |
+          var rand = Math.floor(Math.random() * 100);
+          console.log("{{inputs.parameters.message}}");
+    - script:
+        name: ''
+        image: ruby:3.0
+        command:
+          - ruby
+        resources: {}
+        # ruleid: argo-workflow-parameter-command-injection
+        source: |
+          puts "{{inputs.parameters.message}}"
     - name: print-message-args
       inputs:
         parameters:
@@ -48,6 +67,41 @@ spec:
         command: [sh, -c]
         # ruleid: argo-workflow-parameter-command-injection
         args: ["echo result was: {{inputs.parameters.message}}"]
+    - name: print-message-python
+      inputs:
+        parameters:
+          - name: message
+      outputs: {}
+      metadata: {}
+      containerSet:
+        containers:
+          - name: main
+            image: python:alpine3.6
+            command:
+              - python
+              - '-c'
+            # ruleid: argo-workflow-parameter-command-injection
+            args: ["echo result was: {{inputs.parameters.message}}"]
+            resources: {}
+    - name: print-message-python2
+      inputs:
+        parameters:
+          - name: message
+      outputs: {}
+      metadata: {}
+      containerSet:
+        containers:
+          - name: main
+            image: python:alpine3.6
+            command:
+              - python
+              - '-c'
+            args:
+            # ruleid: argo-workflow-parameter-command-injection
+              - |
+                print("hi")
+                print("{{inputs.parameters.message}}")
+            resources: {}
     - name: print-message-secure
       inputs:
         parameters:
@@ -73,3 +127,4 @@ spec:
         command: [sh, -c]
         # ok: argo-workflow-parameter-command-injection
         args: ["echo result was: $MESSAGE"]
+

yaml/argo/security/argo-workflow-parameter-command-injection.yaml

@@ -29,64 +29,47 @@ rules:
           metavariable: $VERSION
           regex: (argoproj.io.*)
       - pattern-either:
-          - patterns:
-            - pattern-inside: |
-                command:
-                  ...
-                  - python
-                  ...
-                ...
-                source: 
-                  $SCRIPT
-            - focus-metavariable: $SCRIPT
-            - metavariable-pattern:
-                metavariable: $SCRIPT
-                language: python
-                patterns: 
-                  - pattern: |
-                      $FUNC(..., $PARAM, ...)
-                  - metavariable-pattern:
-                      metavariable: $PARAM
-                      pattern-either: 
-                        - pattern-regex: (.*{{.*inputs.parameters.*}}.*)
-                        - pattern-regex: (.*{{.*workflow.parameters.*}}.*)
           - patterns:
             - pattern-inside: |
                 command:
                   ...
                   - $LANG
                   ...
                 ...
-                source: 
+                source:
                   $SCRIPT
             - metavariable-regex:
                 metavariable: $LANG
-                regex: (bash|sh)
-            - focus-metavariable: $SCRIPT
+                regex: .*(sh|bash|ksh|csh|tcsh|zsh|python|python3|node|perl|ruby|php|lua|awk|sed|powershell|fish|dash|R|grooby|scala|clj|elixir|coffee|dart|haskell|ocaml).*
             - metavariable-pattern:
                 metavariable: $SCRIPT
-                language: bash
-                patterns: 
-                  - pattern: |
-                      $CMD ... $PARAM  ...
-                  - metavariable-pattern:
-                      metavariable: $PARAM
-                      pattern-either: 
-                        - pattern-regex: (.*{{.*inputs.parameters.*}}.*)
-                        - pattern-regex: (.*{{.*workflow.parameters.*}}.*)
+                pattern-either:
+                  - pattern-regex: (.*{{.*inputs.parameters.*}}.*)
+                  - pattern-regex: (.*{{.*workflow.parameters.*}}.*)
+            - focus-metavariable: $SCRIPT
           - patterns:
-            - pattern-inside: |
-                container:
-                  ...
-                  command: $LANG
-                  ...
-                  args: $PARAM
+            - pattern-either:
+              - pattern-inside: |
+                  container:
+                    ...
+                    command: $LANG
+                    ...
+                    args: $PARAM
+              - pattern-inside: |
+                  containerSet:
+                    ...
+                    containers:
+                      - ...
+                        command: $LANG
+                        ...
+                        args: $PARAM
             - metavariable-regex:
                 metavariable: $LANG
-                regex: .*(sh|bash|ksh|csh|tcsh|zsh).*
+                regex: .*(sh|bash|ksh|csh|tcsh|zsh|python|python3|node|perl|ruby|php|lua|awk|sed|powershell|fish|dash|R|grooby|scala|clj|elixir|coffee|dart|haskell|ocaml).*
             - metavariable-pattern:
                 metavariable: $PARAM
-                pattern-either: 
+                pattern-either:
                   - pattern-regex: (.*{{.*inputs.parameters.*}}.*)
                   - pattern-regex: (.*{{.*workflow.parameters.*}}.*)
             - focus-metavariable: $PARAM
+