Class: Rules::DangerousTriggers

Inherits:

Base

• Object
• Base
• Rules::DangerousTriggers

Defined in:

lib/rules/dangerous_triggers.rb

Instance Method Summary

• #check(workflow) ⇒ Object
• #description ⇒ Object
• #name ⇒ Object
• #severity ⇒ Object

Instance Method Details

#check(workflow) ⇒ Object

# File 'lib/rules/dangerous_triggers.rb', line 7

def check(workflow)
  findings = []
  triggers = workflow.triggers

  has_prt = case triggers
            when Hash then triggers.key?("pull_request_target")
            when Array then triggers.include?("pull_request_target")
            when String then triggers == "pull_request_target"
            else false
            end

  return findings unless has_prt

  workflow.jobs.each do |_job_id, job|
    workflow.steps(job).each do |step|
      next unless step["uses"]&.include?("checkout")

      with = step["with"] || {}
      ref = with["ref"]&.to_s || ""

      if ref.match?(/\bgithub\.event\.pull_request\.head\b|\.head_ref\b|pull_request\.head\.sha/i) ||
         ref.match?(/\$\{\{\s*github\.head_ref\s*\}\}/)
        line = workflow.line_of(/ref:.*head/i) || workflow.line_of(/checkout/)
        findings << finding(workflow,
          line: line || 0,
          code: "ref: #{ref}",
          message: "pull_request_target + checkout of PR head — fork code runs with base repo secrets",
          fix: "Use pull_request trigger instead, or don't checkout PR head code"
        )
      end
    end
  end

  findings
end

#description ⇒ Object

# File 'lib/rules/dangerous_triggers.rb', line 4

def description = "pull_request_target with fork code checkout"

#name ⇒ Object

# File 'lib/rules/dangerous_triggers.rb', line 3

def name = "dangerous-triggers"

#severity ⇒ Object

# File 'lib/rules/dangerous_triggers.rb', line 5

def severity = :critical