Class: Rules::WorkflowDispatchInjection
- Includes:
- GuardPatterns
- Defined in:
- lib/rules/workflow_dispatch_injection.rb
Constant Summary
- PATTERN = /\$\{\{\s*(?:inputs\.|github\.event\.inputs\.)/
Constants included from GuardPatterns
GuardPatterns::DANGEROUS_CONTEXTS, GuardPatterns::JOB_PROPERTIES, GuardPatterns::SAFE_TRIGGERS
Instance Method Summary
- #check(workflow) ⇒ Object
  NOTE: This rule intentionally does NOT use safe_trigger_only? because dispatch inputs are user-controlled.
- #description ⇒ Object
- #name ⇒ Object
- #severity ⇒ Object
Methods included from GuardPatterns
#guarded_by_safe_event?, #safe_trigger_only?, #strip_inline_comment
Instance Method Details
#check(workflow) ⇒ Object
NOTE: This rule intentionally does NOT use safe_trigger_only? because dispatch inputs are user-controlled. workflow_dispatch IS in SAFE_TRIGGERS for other rules, but this rule specifically targets ${{ inputs.* }} in run blocks — those inputs are always attacker-controlled.

# File 'lib/rules/workflow_dispatch_injection.rb', line 18

def check(workflow)
  findings = []
  workflow.lines_of(PATTERN).each do |line_num|
    line = workflow.line_content(line_num)
    next if line.strip.start_with?('#')
    next unless in_run_block?(workflow, line_num)

    match = line.match(/\$\{\{\s*((?:inputs|github\.event\.inputs)\.[^\s}]+)/)
    next unless match

    findings << finding(workflow,
      line: line_num,
      code: workflow.line_content(line_num).strip,
      message: "User-controlled input ${{ #{match[1]} }} in run: block — shell injection risk",
      fix: "Move to env: block and reference as $ENV_VAR"
    )
  end
  findings
end
#description ⇒ Object
# File 'lib/rules/workflow_dispatch_injection.rb', line 8

def description = "User-controlled workflow_dispatch input in run: block"
#name ⇒ Object
# File 'lib/rules/workflow_dispatch_injection.rb', line 7

def name = "workflow-dispatch-injection"
#severity ⇒ Object
# File 'lib/rules/workflow_dispatch_injection.rb', line 9

def severity = :high