11use github_actions_models:: {
2- common:: { expr :: LoE , Env , EnvValue } ,
2+ common:: { Env , EnvValue , expr :: LoE } ,
33 workflow:: job:: StepBody ,
44} ;
55
6- use super :: { audit_meta , Audit } ;
7- use crate :: { finding:: Confidence , models :: Job } ;
6+ use super :: { Audit , audit_meta } ;
7+ use crate :: finding:: Confidence ;
88
99pub ( crate ) struct SecretsOutsideEnvironment ;
1010
@@ -22,59 +22,61 @@ impl Audit for SecretsOutsideEnvironment {
2222 Ok ( Self )
2323 }
2424
25- fn audit_raw < ' w > (
25+ fn audit_step < ' w > (
2626 & self ,
27- input : & ' w super :: AuditInput ,
27+ step : & crate :: models :: Step < ' w > ,
2828 ) -> anyhow:: Result < Vec < crate :: finding:: Finding < ' w > > > {
2929 let mut findings = vec ! [ ] ;
3030
31- if let super :: AuditInput :: Workflow ( w) = input {
32- for job in w. jobs ( ) {
33- if let Job :: NormalJob ( j) = job {
34- if j. environment ( ) . is_some ( ) {
35- continue ;
36- }
37-
38- for step in j. steps ( ) {
39- let body = & step. body ;
40- let eenv: & Env ;
41-
42- match body {
43- StepBody :: Uses { uses : _, with } => {
44- eenv = with;
45- }
46- StepBody :: Run {
47- run : _,
48- shell : _,
49- env,
50- working_directory : _,
51- } => match env {
52- LoE :: Expr ( _) => {
53- // TODO: Implement this.
54- panic ! ( "We don't handle Expr yet!" )
55- }
56- LoE :: Literal ( env) => eenv = env,
57- } ,
58- }
31+ if step. parent . environment ( ) . is_some ( ) {
32+ return Ok ( findings) ;
33+ }
5934
60- for v in eenv. values ( ) {
61- if let EnvValue :: String ( s ) = v {
62- if s . contains ( "secrets" ) {
63- findings . push (
64- Self :: finding ( )
65- . add_location ( step . location ( ) . primary ( ) )
66- . confidence ( Confidence :: High )
67- . severity ( crate :: finding :: Severity :: High )
68- . build ( input ) ? ,
69- ) ;
70- }
71- }
72- }
73- }
35+ let eenv: & Env ;
36+ match & step . body {
37+ StepBody :: Uses { uses : _ , with } => {
38+ eenv = with ;
39+ }
40+ StepBody :: Run {
41+ run : _ ,
42+ shell : _ ,
43+ env ,
44+ working_directory : _ ,
45+ } => match env {
46+ LoE :: Expr ( e ) => {
47+ Self :: check_secrets_access ( e . as_bare ( ) , step , & mut findings ) ? ;
48+ return Ok ( findings ) ;
7449 }
50+ LoE :: Literal ( env) => eenv = env,
51+ } ,
52+ }
53+
54+ for v in eenv. values ( ) {
55+ if let EnvValue :: String ( s) = v {
56+ Self :: check_secrets_access ( s, step, & mut findings) ?
7557 }
7658 }
7759
7860 Ok ( findings)
7961 }
8062}
63+
64+ impl SecretsOutsideEnvironment {
65+ fn check_secrets_access < ' w > (
66+ s : & str ,
67+ step : & crate :: models:: Step < ' w > ,
68+ findings : & mut Vec < crate :: finding:: Finding < ' w > > ,
69+ ) -> anyhow:: Result < ( ) > {
70+ if s. contains ( "secrets" ) {
71+ findings. push (
72+ Self :: finding ( )
73+ . add_location ( step. location ( ) . primary ( ) )
74+ . confidence ( Confidence :: High )
75+ . severity ( crate :: finding:: Severity :: High )
76+ . build ( step. workflow ( ) ) ?,
77+ ) ;
78+ }
79+
80+ Ok ( ( ) )
81+ }
82+ }
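Review bot: The new helper `check_secrets_access` (new lines 65–81) keeps the bare substring test `s.contains("secrets")`, so any `env` or `with` value that merely contains that word — a path such as `./secrets-config.yml`, or a description string — is reported as a Confidence::High / Severity::High finding, while a context written as `${{ SECRETS.TOKEN }}` is missed because the match is case-sensitive and, if I recall correctly, Actions expression contexts are case-insensitive; the same heuristic is now also applied to the bare expression passed from the `LoE::Expr` arm at new line 47. A narrower check on the context access, e.g. `if s.to_ascii_lowercase().contains("secrets.")`, or matching on the parsed expression rather than its raw text, would cut both the false positives and the miss; either way, the confidence should probably reflect that this is a heuristic. The helper also lacks a doc comment; I would add `/// Pushes a High/High finding for step when s appears to reference the secrets context (substring heuristic; may over-match).` The `impl Audit for SecretsOutsideEnvironment` block that contains `audit_step` begins before this hunk.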