From e33e3f8fc899067ed963f6f5557c3b20f38bc3f4 Mon Sep 17 00:00:00 2001
From: Jill Klang
Date: Thu, 7 Nov 2024 16:38:04 -0500
Subject: [PATCH 01/11] First pass at bearer
---
 .github/workflows/reviewdog.yml | 28 ++++++++++++++++++++++++++++ bearer.ignore | 8 ++++++++ reviewdog.json | 1 + 3 files changed, 37 insertions(+) create mode 100644 .github/workflows/reviewdog.yml create mode 100644 bearer.ignore create mode 100644 reviewdog.json
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml new file mode 100644
index 00000000..97934ea3
--- /dev/null
+++ b/.github/workflows/reviewdog.yml
@@ -0,0 +1,28 @@
+name: Automated Code Reviews
+on: [pull_request]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ bearer:
+ name: Bearer Security Analysis
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: reviewdog/action-setup@v1
+ with:
+ reviewdog_version: latest
+ - name: Bearer
+ uses: bearer/bearer-action@v2
+ with:
+ diff: true
+ format: rdjson
+ output: bearer_todo.json
+ - name: Run reviewdog
+ if: always()
+ env:
+ REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check
diff --git a/bearer.ignore b/bearer.ignore new file mode 100644
index 00000000..d80332a7
--- /dev/null
+++ b/bearer.ignore
@@ -0,0 +1,8 @@
+{
+ "2314bd71cca49a48fe84485b966be0b6_0": {
+ "author": "Jill Klang",
+ "comment": "Ignoring this finding for now",
+ "false_positive": false,
+ "ignored_at": "2024-11-07T21:37:47Z"
+ }
+}
diff --git a/reviewdog.json b/reviewdog.json new file mode 100644
index 00000000..6a88e74e
--- /dev/null
+++ b/reviewdog.json
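Review bot: The "Run reviewdog" step reads `reviewdog.json`, but the Bearer step writes its report to `output: bearer_todo.json`, so what this workflow posts to the PR is the committed `reviewdog.json` fixture rather than a scan of the PR; the two names must agree, e.g. `output: reviewdog.json`. The job also runs `reviewdog_version: latest` and references every action by a mutable tag (`@v4`, `@v1`, `@v2`) while holding `pull-requests: write` and the repository token, so a moved tag or a compromised release changes what executes with that token — pin each `uses:` to a full commit SHA and fix the reviewdog version. Note too that on `pull_request` runs from forks `GITHUB_TOKEN` is read-only, so the `github-pr-check` reporter will presumably be unable to post there; a comment on the `env:` line saying the check only reports for same-repo branches would save the next person a debugging session.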
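Review bot: The suppression `2314bd71cca49a48fe84485b966be0b6_0` is recorded with `"false_positive": false` and the comment `"Ignoring this finding for now"`, which accepts a real finding with no stated reason, owner, or revisit date. Bearer's ignore file is the audit trail for accepted risk, so the `comment` should carry the justification and a follow-up reference, e.g. `"comment": "eval of DSL-literal conditions in packages/consent/lib/consent/dsl.rb; accepted pending <ticket>"`, or the entry should be `"false_positive": true` only if it genuinely is one. The fingerprint presumably maps to the `ruby_lang_eval_linter` diagnostic in the committed `reviewdog.json`; that should be confirmed when the comment is written so the suppression is not silently covering something else.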
@@ -0,0 +1 @@ +{"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[{"message":"\n# Usage of dangerous 'eval' function\n## Description\n\nThe use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.\n\n## Remediations\n\n- **Do not** use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.\n ```ruby\n eval(\"def hello_world; puts 'Hello world!'; end\")\n ```\n- **Do** explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.\n- **Do** validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.\n- **Do** use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.\n\n## References\n\n- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)\n- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)","location":{"path":"packages/consent/lib/consent/dsl.rb","range":{"start":{"line":20,"column":9},"end":{"line":20,"column":36}}},"severity":"ERROR","suggestions":[],"code":{"value":"ruby_lang_eval_linter","url":"https://docs.bearer.com/reference/rules/ruby_lang_eval_linter"}}]} From 049357823414f53d2a91b4245670e0d14bc31e44 Mon Sep 17 00:00:00 2001 
From: Jill Klang Date: Thu, 7 Nov 2024 16:41:53 -0500 Subject: [PATCH 02/11] Trigger a warning --- packages/consent/lib/consent/dsl.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/consent/lib/consent/dsl.rb b/packages/consent/lib/consent/dsl.rb index ee06d8ac..d8a6e379 100644 --- a/packages/consent/lib/consent/dsl.rb +++ b/packages/consent/lib/consent/dsl.rb @@ -24,6 +24,7 @@ def eval_view(key, label, collection_conditions) def view(key, label, instance = nil, collection = nil, &block) collection ||= block + eval(collection) @subject.views[key] = View.new(key, label, instance, collection) end From 18269c3d15c84d890172fd0aeb002869beb80c9d Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Thu, 7 Nov 2024 17:16:03 -0500 Subject: [PATCH 03/11] Debug github action --- .github/workflows/reviewdog.yml | 2 +- reviewdog.json => rd.json | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename reviewdog.json => rd.json (100%) diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 97934ea3..8b9d28bc 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -25,4 +25,4 @@ jobs: env: REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check + cat rd.json | reviewdog -f=rdjson -reporter=github-pr-check diff --git a/reviewdog.json b/rd.json similarity index 100% rename from reviewdog.json rename to rd.json From 653771e123b4034b168d95df852129faab1ecc4a Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Thu, 7 Nov 2024 17:18:32 -0500 Subject: [PATCH 04/11] Debug github action --- bearer.ignore | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 bearer.ignore diff --git a/bearer.ignore b/bearer.ignore deleted file mode 100644 index d80332a7..00000000 --- a/bearer.ignore +++ /dev/null 
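Review bot: `eval(collection)` is added to `view` where `collection` is normally the block the caller passed (`collection ||= block` on the line above), so every existing DSL call with a block now raises `TypeError` (eval takes a String) before `@subject.views[key]` is assigned, and any caller that passes a string has that string executed as Ruby. Judging by the surrounding file shown in later patches, `view` also sits outside the `Security/Eval` RuboCop-disabled region, so this is a production behaviour change rather than just the scanner trigger the commit title describes. If the goal is to exercise the Bearer rule, drop this line and add a fixture under a path the workflow scans instead. `view`'s enclosing class starts outside the hunk.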
@@ -1,8 +0,0 @@ -{ - "2314bd71cca49a48fe84485b966be0b6_0": { - "author": "Jill Klang", - "comment": "Ignoring this finding for now", - "false_positive": false, - "ignored_at": "2024-11-07T21:37:47Z" - } -} From efc3346ba01aeec680ef9a5be54485d74a58c1d3 Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Fri, 8 Nov 2024 10:00:49 -0500 Subject: [PATCH 05/11] Add ignore file --- bearer.ignore | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 bearer.ignore diff --git a/bearer.ignore b/bearer.ignore new file mode 100644 index 00000000..3fa9f2d3 --- /dev/null +++ b/bearer.ignore @@ -0,0 +1,8 @@ +{ + "2314bd71cca49a48fe84485b966be0b6_0": { + "author": "Jill Klang", + "comment": "Ignoring this finding for now", + "false_positive": false, + "ignored_at": "2024-11-08T15:00:28Z" + } +} \ No newline at end of file From 0fb4e20c445e53d30ed593e43e2cdb4a3db4aa27 Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Fri, 8 Nov 2024 10:22:36 -0500 Subject: [PATCH 06/11] Consistent naming --- .github/workflows/reviewdog.yml | 4 ++-- rd.json => reviewdog.json | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename rd.json => reviewdog.json (100%) diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 8b9d28bc..77532551 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -19,10 +19,10 @@ jobs: with: diff: true format: rdjson - output: bearer_todo.json + output: reviewdog.json - name: Run reviewdog if: always() env: REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - cat rd.json | reviewdog -f=rdjson -reporter=github-pr-check + cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check diff --git a/rd.json b/reviewdog.json similarity index 100% rename from rd.json rename to reviewdog.json From 21fef6bb87ac623f624332bfd95f183a85bc5cfc Mon Sep 17 00:00:00 2001 
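Review bot: With `output: reviewdog.json` the Bearer action now writes over the committed `reviewdog.json` (renamed from `rd.json` in this same commit), so that checked-in file is a stale fixture that is only ever reported when Bearer fails to write a report — which `if: always()` explicitly allows — and in that case the PR check shows findings from an old scan instead of surfacing the failure. Either delete the committed file and let a missing report fail the step, or give the Bearer step `id: bearer` and gate the reporter with `if: steps.bearer.outcome == 'success'`. The diagnostic in the committed file also points at `dsl.rb` line 20, which no longer matches the file as patched, so it would annotate the wrong line if it were ever reported.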
From: Jill Klang Date: Fri, 8 Nov 2024 10:41:50 -0500 Subject: [PATCH 07/11] Check to see if this needs to be in sync --- packages/consent/lib/consent/dsl.rb | 3 ++- reviewdog.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/consent/lib/consent/dsl.rb b/packages/consent/lib/consent/dsl.rb index d8a6e379..968c7a5c 100644 --- a/packages/consent/lib/consent/dsl.rb +++ b/packages/consent/lib/consent/dsl.rb @@ -18,13 +18,14 @@ def with_defaults(new_defaults, &block) def eval_view(key, label, collection_conditions) view key, label do |user| eval(collection_conditions) + # triggering a failure + eval(collection) end end # rubocop:enable Lint/UnusedBlockArgument, Security/Eval def view(key, label, instance = nil, collection = nil, &block) collection ||= block - eval(collection) @subject.views[key] = View.new(key, label, instance, collection) end diff --git a/reviewdog.json b/reviewdog.json index 6a88e74e..0967ef42 100644 --- a/reviewdog.json +++ b/reviewdog.json 
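Review bot: The added `eval(collection)` inside `eval_view`'s block refers to a name that does not exist in that scope — the method's parameters are `key, label, collection_conditions` and the block binds only `user` — so the view block raises `NameError` the first time it runs, after `eval(collection_conditions)` has already executed. It presumably sits inside the region closed by the `# rubocop:enable Lint/UnusedBlockArgument, Security/Eval` comment two lines below, so RuboCop will not flag it either and it would merge silently. If the intent is only to produce a Bearer finding on the PR, this belongs in a throwaway branch or a test fixture, and the `# triggering a failure` comment must not reach the main branch. `eval_view` is complete in the hunk; its enclosing class starts outside it.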
@@ -1 +1 @@ -{"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[{"message":"\n# Usage of dangerous 'eval' function\n## Description\n\nThe use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.\n\n## Remediations\n\n- **Do not** use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.\n ```ruby\n eval(\"def hello_world; puts 'Hello world!'; end\")\n ```\n- **Do** explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.\n- **Do** validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.\n- **Do** use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.\n\n## References\n\n- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)\n- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)","location":{"path":"packages/consent/lib/consent/dsl.rb","range":{"start":{"line":20,"column":9},"end":{"line":20,"column":36}}},"severity":"ERROR","suggestions":[],"code":{"value":"ruby_lang_eval_linter","url":"https://docs.bearer.com/reference/rules/ruby_lang_eval_linter"}}]} +{} From eaed945cee6708062b54cf59ddb11cb1b4f9e420 Mon Sep 17 00:00:00 2001 
From: Jill Klang Date: Fri, 8 Nov 2024 11:26:03 -0500 Subject: [PATCH 08/11] Testing --- bearer.ignore | 9 +-------- packages/consent/lib/consent/dsl.rb | 2 -- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/bearer.ignore b/bearer.ignore index 3fa9f2d3..0967ef42 100644 --- a/bearer.ignore +++ b/bearer.ignore @@ -1,8 +1 @@ -{ - "2314bd71cca49a48fe84485b966be0b6_0": { - "author": "Jill Klang", - "comment": "Ignoring this finding for now", - "false_positive": false, - "ignored_at": "2024-11-08T15:00:28Z" - } -} \ No newline at end of file +{} diff --git a/packages/consent/lib/consent/dsl.rb b/packages/consent/lib/consent/dsl.rb index 968c7a5c..ee06d8ac 100644 --- a/packages/consent/lib/consent/dsl.rb +++ b/packages/consent/lib/consent/dsl.rb @@ -18,8 +18,6 @@ def with_defaults(new_defaults, &block) def eval_view(key, label, collection_conditions) view key, label do |user| eval(collection_conditions) - # triggering a failure - eval(collection) end end # rubocop:enable Lint/UnusedBlockArgument, Security/Eval From 4f0f6e3f619a48f3c5e6c958a833c73b7b96142b Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Fri, 8 Nov 2024 12:16:49 -0500 Subject: [PATCH 09/11] Simplify logic --- .github/workflows/reviewdog.yml | 2 +- reviewdog.json | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) delete mode 100644 reviewdog.json diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml index 77532551..e23e0f66 100644 --- a/.github/workflows/reviewdog.yml +++ b/.github/workflows/reviewdog.yml @@ -25,4 +25,4 @@ jobs: env: REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check + touch reviewdog.json && cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check diff --git a/reviewdog.json b/reviewdog.json deleted file mode 100644 index 0967ef42..00000000 --- a/reviewdog.json +++ /dev/null @@ -1 +0,0 @@ -{} 
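Review bot: `touch reviewdog.json && cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check` makes the check fail open: when the Bearer step errors out or writes nothing, `if: always()` still runs this step against an empty file, and an empty rdjson input will presumably either error in reviewdog's parser or, worse, report zero findings so the PR check passes with no scan having happened. Fail closed instead — drop the `touch`, let a missing report fail the step, and keep `if: always()` only if the Bearer action is confirmed (against bearer-action's docs) to fail the job on findings while still writing the report. A smaller point of style: `cat file | reviewdog` reads as `reviewdog -f=rdjson -reporter=github-pr-check < reviewdog.json`.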
From cd59f07fe5960582c6fc0dde15e60a252317f6ab Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Fri, 8 Nov 2024 12:21:21 -0500 Subject: [PATCH 10/11] Remove ignorefile --- bearer.ignore | 1 - 1 file changed, 1 deletion(-) delete mode 100644 bearer.ignore diff --git a/bearer.ignore b/bearer.ignore deleted file mode 100644 index 0967ef42..00000000 --- a/bearer.ignore +++ /dev/null @@ -1 +0,0 @@ -{} From 9d07bf352673ee87dcc4d7ed244bdb3332fa96b1 Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Fri, 8 Nov 2024 12:25:42 -0500 Subject: [PATCH 11/11] Trigger a warning --- packages/consent/lib/consent/dsl.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/packages/consent/lib/consent/dsl.rb b/packages/consent/lib/consent/dsl.rb index ee06d8ac..4b288a6b 100644 --- a/packages/consent/lib/consent/dsl.rb +++ b/packages/consent/lib/consent/dsl.rb @@ -18,6 +18,8 @@ def with_defaults(new_defaults, &block) def eval_view(key, label, collection_conditions) view key, label do |user| eval(collection_conditions) + # trigger failure + eval(collection_conditions) end end # rubocop:enable Lint/UnusedBlockArgument, Security/Eval
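Review bot: The second `eval(collection_conditions)` under `# trigger failure` duplicates the line directly above it, so every view evaluated through `eval_view` now runs the caller's Ruby string twice per invocation — any side effect in that string happens twice while the block's value is unchanged. It lands inside the region closed by the `# rubocop:enable Lint/UnusedBlockArgument, Security/Eval` comment just below, so RuboCop will not object, and the line plus its comment should be reverted before merge if the only purpose is to make Bearer report on this PR. Independently of the duplicate, the existing `eval` is a code-execution path for whatever string reaches `collection_conditions`; where that string is allowed to come from cannot be seen here, so a comment above `eval_view` such as `# collection_conditions must be a source-controlled literal, never request or database input` would document the trust boundary the suppression relies on. `eval_view` is complete in the hunk; its enclosing class starts outside it.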