
Commit 3724c69

committed
🌱 add cases for alerts in dangerous workflow pattern detection
Signed-off-by: Adam Korczynski <[email protected]>
1 parent c29a04d commit 3724c69


2 files changed

+49
-0
lines changed


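--- a/checks/raw/dangerous_workflow.go
+++ b/checks/raw/dangerous_workflow.go
@@ -45,6 +45,15 @@ func containsUntrustedContextPattern(variable string) bool {
 `head_commit\.author\.name|` +
 `commits.*\.author\.email|` +
 `commits.*\.author\.name|` +
+`alert\.resolved_by\.name|` +
+`alert\.resolved_by\.email|` +
+`alert\.resolution_comment|` +
+`push_protection_bypassed_by\.name|` +
+`push_protection_bypassed_by\.email|` +
+`push_protection_bypass_request_reviewer\.name|` +
+`push_protection_bypass_request_reviewer\.email|` +
+`push_protection_bypass_request_reviewer_comment|` +
+`push_protection_bypass_request_comment|` +
 `pull_request\.head\.ref|` +
 `pull_request\.head\.label|` +
 `pull_request\.head\.repo\.default_branch).*`)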

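--- a/checks/raw/dangerous_workflow_test.go
+++ b/checks/raw/dangerous_workflow_test.go
@@ -76,6 +76,46 @@ func TestUntrustedContextVariables(t *testing.T) {
 variable: "github.event.commits[0].id",
 expected: false,
 },
+{
+name: "alert resolved by name",
+variable: "github.event.secret_scanning_alert.alert.resolved_by.name",
+expected: true,
+},
+{
+name: "alert resolved by email",
+variable: "github.event.secret_scanning_alert.alert.resolved_by.name",
+expected: true,
+},
+{
+name: "alert push_protection_bypassed_by name",
+variable: "github.event.secret_scanning_alert.alert.push_protection_bypassed_by.name",
+expected: true,
+},
+{
+name: "alert push_protection_bypassed_by email",
+variable: "github.event.secret_scanning_alert.alert.push_protection_bypassed_by.email",
+expected: true,
+},
+{
+name: "alert push_protection_bypass_request_reviewer name",
+variable: "github.event.secret_scanning_alert.alert.push_protection_bypass_request_reviewer.name",
+expected: true,
+},
+{
+name: "alert push_protection_bypass_request_reviewer email",
+variable: "github.event.secret_scanning_alert.alert.push_protection_bypass_request_reviewer.email",
+expected: true,
+},
+{
+name: "alert push_protection_bypass_request_reviewer_comment",
+variable: "github.event.secret_scanning_alert.alert.push_protection_bypass_request_reviewer_comment",
+expected: true,
+},
+{
+name: "alert push_protection_bypass_request_comment",
+variable: "github.event.secret_scanning_alert.alert.push_protection_bypass_request_comment",
+expected: true,
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {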
