diff --git a/lib/claws/rule/command_injection.rb b/lib/claws/rule/command_injection.rb
index 79cfa77..7cfe23d 100644
--- a/lib/claws/rule/command_injection.rb
+++ b/lib/claws/rule/command_injection.rb
@@ -8,7 +8,7 @@ class CommandInjection < BaseRule
 https://github.com/betterment/claws/blob/main/README.md#commandinjection
 DESC
- on_step '$step.run =~ ".*{{[ ]+.*(github.event|inputs).*}}.*"', highlight: "run"
+ on_step '$step.run =~ ".*{{.*(github\.event|inputs)\..*}}.*"', highlight: "run"
 end
 end
 end
diff --git a/spec/claws/rule/command_injection_spec.rb b/spec/claws/rule/command_injection_spec.rb
index 09166fa..76a8a61 100644
--- a/spec/claws/rule/command_injection_spec.rb
+++ b/spec/claws/rule/command_injection_spec.rb
@@ -30,6 +30,30 @@
 expect(violations[0].name).to eq("CommandInjection")
 end
+ it "flags a step with github expression without spaces" do
+ violations = analyze(<<~YAML)
+ name: Greeting
+
+ on:
+ workflow_dispatch:
+ inputs:
+ name:
+ description: 'Who I should say hello to?'
+ required: true
+
+ jobs:
+ greet:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v1
+ - name: Greet
+ run: ./scripts/greet.sh "${{join(github.event.inputs.name)}}"
+ YAML
+
+ expect(violations.count).to eq(1)
+ end
+
 it "doesn't flag a step if it executes a command safely" do
 violations = analyze(<<~YAML)
 name: Greeting
@@ -55,5 +79,29 @@
 expect(violations.count).to eq(0)
 end
+
+ it "doesn't flag non-inputs usages of github.event" do
+ violations = analyze(<<~YAML)
+ name: Greeting
+
+ on:
+ workflow_dispatch:
+ inputs:
+ name:
+ description: 'Who I should say hello to?'
+ required: true
+
+ jobs:
+ greet:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v1
+ - name: Greet
+ run: ./scripts/greet.sh "${{ github.event_name }}"
+ YAML
+
+ expect(violations.count).to eq(0)
+ end
 end
 end
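Review bot: The `\.` appended after the alternation in the new `on_step` pattern means an expression that interpolates the whole event object, such as `${{ toJSON(github.event) }}`, no longer matches, whereas the previous pattern (`github.event` with nothing required after it) flagged it, so this is a silent narrowing of the rule alongside the intended fix for missing spaces. If the matcher behind `=~` supports word boundaries, `(github\.event\b|inputs\.)` keeps `github.event_name` excluded while still catching the bare object; if it does not, `(github\.event($|[^_a-zA-Z0-9])|inputs\.)` expresses the same thing with plain character classes. Either way a spec with `run: echo "${{ toJSON(github.event) }}"` expecting one violation would pin the behaviour. A one-line comment above the pattern would also help the next reader, e.g. `# Any workflow expression that reads the untrusted event payload or workflow inputs; the trailing "\." keeps github.event_name out.` The enclosing class `CommandInjection` starts outside the hunk.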
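Review bot: The new example "flags a step with github expression without spaces" only asserts `violations.count`, whereas the preceding example (visible on the context line) also pins `violations[0].name` to `"CommandInjection"`; adding `expect(violations[0].name).to eq("CommandInjection")` keeps a violation raised by some other rule from satisfying this case. As a point of style, this example and the `github.event_name` example in the second hunk each repeat the full greeting workflow fixture and differ only in the `run:` line, so a small helper such as `greet_workflow(run)` returning the heredoc with that line interpolated would let each example show just its `run:` value and its expectation. The enclosing `describe` block starts outside the hunk.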
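Review bot: The example name "doesn't flag non-inputs usages of github.event" overstates what the fixture covers: `github.event_name` is a separate context, not a non-inputs member of `github.event`, and the rule pattern in this commit would still flag a genuine non-inputs member such as `${{ github.event.pull_request.title }}`. A name like `it "doesn't flag github.event_name" do` describes the case accurately and avoids suggesting that `github.event.*` reads are exempt. The enclosing `describe` block starts outside the hunk.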