Merge pull request #3419 from semgrep/merge-develop-to-release

Merge Develop into Release
semgrep · Jul 3, 2024 · b8a8db7 · b8a8db7
2 parents f36052b + a4ee962
commit b8a8db7
Show file tree

Hide file tree

Showing 4 changed files with 88 additions and 1 deletion.
diff --git a/python/flask/security/injection/raw-html-concat.py b/python/flask/security/injection/raw-html-concat.py
@@ -82,3 +82,11 @@ def load_model(model):
 def ok():
     # ok: raw-html-format
     return "<a href='https://example.com'>Click me!</a>"
+
+@app.route("/post_param_branch", methods=["POST"])
+def post_param_branch():
+    param = flask.request.form['param']
+    part = flask.render_template("link.html", data=param)
+    if True:
+        # ok:raw-html-format
+        return "<a href='%s'>Click me!</a>" % part
diff --git a/python/flask/security/injection/raw-html-concat.yaml b/python/flask/security/injection/raw-html-concat.yaml
@@ -34,7 +34,11 @@ rules:
   pattern-sanitizers:
   - pattern: jinja2.escape(...)
   - pattern: flask.escape(...)
-  - pattern: flask.render_template("~=/.*\.html", ...)
+  - patterns:
+    - pattern: flask.render_template($TPL, ...)
+    - metavariable-regex:
+        metavariable: $TPL
+        regex: .*\.html
   pattern-sources:
   - patterns:
     - pattern-either:

diff --git a/yaml/github-actions/security/audit/unsafe-add-mask-workflow-command.test.yaml b/yaml/github-actions/security/audit/unsafe-add-mask-workflow-command.test.yaml
@@ -0,0 +1,38 @@
+name: Test Workflow
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  test-job:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Setup Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.8'
+
+      - name: Run script to generate token
+        run: |
+          TOKEN=$(openssl rand -hex 16)
+          # ruleid: unsafe-add-mask-workflow-command
+          echo "::add-mask::$TOKEN"
+          echo "TOKEN=$TOKEN" >> $GITHUB_ENV
+
+      - name: Use the token
+        run: |
+          echo "Using the token in the next step"
+          curl -H "Authorization: Bearer $TOKEN" https://api.example.com
+
+      - name: Print GitHub context
+        run: |
+          echo "GitHub context:"
+          echo "${{ toJSON(github) }}"
+          # ruleid: unsafe-add-mask-workflow-command
+          echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
diff --git a/yaml/github-actions/security/audit/unsafe-add-mask-workflow-command.yaml b/yaml/github-actions/security/audit/unsafe-add-mask-workflow-command.yaml
@@ -0,0 +1,37 @@
+rules:
+- id: unsafe-add-mask-workflow-command
+  patterns:
+  - pattern-regex: '::add-mask::'
+  languages:
+  - yaml
+  severity: WARNING
+  message: GitHub Actions provides the **'add-mask'** workflow command to mask sensitive
+    data in the workflow logs. If **'add-mask'** is not used or if workflow commands
+    have been stopped, sensitive data can leaked into the workflow logs. An attacker
+    could simply copy the workflow to another branch and add the following payload
+    `echo "::stop-commands::$stopMarker"` to stop workflow command processing ([described
+    here](https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#stopping-and-starting-workflow-commands)),
+    which will cause the secret token to be exposed despite the **'add-mask'** usage.
+    For more information, please refer to the [GitHub documentation](https://github.com/actions/toolkit/blob/main/docs/commands.md#register-a-secret).
+  metadata:
+    cwe:
+    - 'CWE-200: Exposure of Sensitive Information to an Unauthorized Actor'
+    owasp: A06:2017 - Security Misconfiguration
+    category: security
+    technology:
+    - github-actions
+    subcategory:
+    - audit
+    likelihood: LOW
+    impact: MEDIUM
+    confidence: LOW
+    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+    vulnerability_class:
+    - Dangerous Method or Function
+    references:
+    - https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
+    - https://github.com/actions/runner/issues/159
+    - https://github.com/actions/runner/issues/475
+    - https://github.com/actions/runner/issues/807
+    - https://0xn3va.gitbook.io/cheat-sheets/ci-cd/github/actions#misuse-of-sensitive-data-in-workflows
+    - https://github.com/github/docs/blob/main/content/actions/using-workflows/workflow-commands-for-github-actions.md#masking-a-value-in-a-log