Class: Rules::CurlPipeShell

Inherits:

Base

• Object
• Base
• Rules::CurlPipeShell

Defined in:

lib/rules/curl_pipe_shell.rb

Constant Summary

PIPE_PATTERN =

/curl\s.*\|\s*(sudo\s+)?(sh|bash|zsh|source|\.)/

WGET_PIPE =

/wget\s.*-O\s*-\s*\|\s*(sudo\s+)?(sh|bash|zsh)/

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/curl_pipe_shell.rb', line 10

def check(workflow)
    findings = []

    workflow.raw_lines.each_with_index do |line, i|
        next if line.strip.start_with?("#")

        if line.match?(PIPE_PATTERN) || line.match?(WGET_PIPE)
            findings << finding(workflow,
                line: i + 1,
                code: line.strip,
                message: "Remote script piped to shell — no integrity verification, mutable endpoint",
                fix: "Download first, verify checksum, then execute; or use a pinned GitHub Action instead"
            )
        end
    end

    findings
end

#description ⇒ Object

# File 'lib/rules/curl_pipe_shell.rb', line 4

def description = "Remote script piped directly to shell without integrity check"

#name ⇒ Object

# File 'lib/rules/curl_pipe_shell.rb', line 3

def name = "curl-pipe-shell"

#severity ⇒ Object

# File 'lib/rules/curl_pipe_shell.rb', line 5

def severity = :high