From c1c58d50ebe444f196bc60a5b89e86b566cb3fa2 Mon Sep 17 00:00:00 2001 From: Brandon Trautmann <8343465+btrautmann@users.noreply.github.com> Date: Mon, 11 Aug 2025 15:41:53 -0400 Subject: [PATCH 1/6] fix(CommandInjection): only throw on usages of github.event.inputs|inputs --- lib/claws/rule/command_injection.rb | 2 +- spec/claws/rule/command_injection_spec.rb | 24 +++++++++++++++++++++++ 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/lib/claws/rule/command_injection.rb b/lib/claws/rule/command_injection.rb index 79cfa77..e1dc46c 100644 --- a/lib/claws/rule/command_injection.rb +++ b/lib/claws/rule/command_injection.rb @@ -8,7 +8,7 @@ class CommandInjection < BaseRule https://github.com/betterment/claws/blob/main/README.md#commandinjection DESC - on_step '$step.run =~ ".*{{[ ]+.*(github.event|inputs).*}}.*"', highlight: "run" + on_step '$step.run =~ ".*{{[ ]+.*(github.event.inputs|inputs).*}}.*"', highlight: "run" end end end diff --git a/spec/claws/rule/command_injection_spec.rb b/spec/claws/rule/command_injection_spec.rb index 09166fa..747e212 100644 --- a/spec/claws/rule/command_injection_spec.rb +++ b/spec/claws/rule/command_injection_spec.rb @@ -55,5 +55,29 @@ expect(violations.count).to eq(0) end + + it "doesn't flag non-inputs usages of github.event" do + violations = analyze(<<~YAML) + name: Greeting + + on: + workflow_dispatch: + inputs: + name: + description: 'Who I should say hello to?' + required: true + + jobs: + greet: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v1 + - name: Greet + run: ./scripts/greet.sh "${{ github.event_name }}" + YAML + + expect(violations.count).to eq(0) + end end end From a6d52b5d430041fdaf6e73c9cbe14cd79bac25bc Mon Sep 17 00:00:00 2001 
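Review bot: The description of the new example in the spec hunk, `doesn't flag non-inputs usages of github.event`, is only true for the pattern as this commit leaves it; PATCH 2/6 and 3/6 of this series flag every `github.event.<path>` again, after which the example only demonstrates that `github.event_name` is not matched. Naming the case after the concrete input, `it "doesn't flag github.event_name" do`, keeps the description accurate for the rest of the series. The enclosing `describe` block starts outside the hunk.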
From: Brandon Trautmann <8343465+btrautmann@users.noreply.github.com> Date: Mon, 11 Aug 2025 15:49:49 -0400 Subject: [PATCH 2/6] specify github.event\. instead of github.event.inputs --- lib/claws/rule/command_injection.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/claws/rule/command_injection.rb b/lib/claws/rule/command_injection.rb index e1dc46c..28e0008 100644 --- a/lib/claws/rule/command_injection.rb +++ b/lib/claws/rule/command_injection.rb @@ -8,7 +8,7 @@ class CommandInjection < BaseRule https://github.com/betterment/claws/blob/main/README.md#commandinjection DESC - on_step '$step.run =~ ".*{{[ ]+.*(github.event.inputs|inputs).*}}.*"', highlight: "run" + on_step '$step.run =~ ".*{{[ ]+.*(github.event\.|inputs).*}}.*"', highlight: "run" end end end From e023ff7ea64d85bf38fe5aff313472734dbb29f3 Mon Sep 17 00:00:00 2001 From: Brandon Trautmann Date: Tue, 12 Aug 2025 14:37:43 -0400 Subject: [PATCH 3/6] Update lib/claws/rule/command_injection.rb Co-authored-by: Omar A. <47008591+6f6d6172@users.noreply.github.com> --- lib/claws/rule/command_injection.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/claws/rule/command_injection.rb b/lib/claws/rule/command_injection.rb index 28e0008..7708b79 100644 --- a/lib/claws/rule/command_injection.rb +++ b/lib/claws/rule/command_injection.rb @@ -8,7 +8,7 @@ class CommandInjection < BaseRule https://github.com/betterment/claws/blob/main/README.md#commandinjection DESC - on_step '$step.run =~ ".*{{[ ]+.*(github.event\.|inputs).*}}.*"', highlight: "run" + on_step '$step.run =~ ".*{{.*(github.event|inputs)\..*}}.*"', highlight: "run" end end end From ca37396bcbd9cfc7a4577ca8c6bfe8b3f4515fdd Mon Sep 17 00:00:00 2001 From: Brandon Trautmann <8343465+btrautmann@users.noreply.github.com> Date: Tue, 12 Aug 2025 14:40:40 -0400 Subject: [PATCH 4/6] add spec for spaceless expressions --- spec/claws/rule/command_injection_spec.rb | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) 
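Review bot: Requiring a literal dot after `github.event` (`github.event\.` here, kept as `(github.event|inputs)\.` in PATCH 3/6 and `(github\.event|inputs)\.` in PATCH 6/6) means a `run` that interpolates the whole payload, such as `${{ toJSON(github.event) }}`, no longer matches, whereas the pre-series alternation `(github.event|inputs)` did flag it. If the intent is only to stop matching `github.event_name`, excluding an identifier character is narrower than demanding a dot, e.g. `github\.event(?![A-Za-z0-9_])`, provided the expression DSL behind `$step.run =~ "..."` hands the pattern to Ruby's regex engine with lookahead support; that is not visible in this hunk. Either way a spec with `run: echo "${{ toJSON(github.event) }}"` expecting one violation would pin the intended coverage.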
diff --git a/spec/claws/rule/command_injection_spec.rb b/spec/claws/rule/command_injection_spec.rb index 747e212..8b94440 100644 --- a/spec/claws/rule/command_injection_spec.rb +++ b/spec/claws/rule/command_injection_spec.rb @@ -30,6 +30,27 @@ expect(violations[0].name).to eq("CommandInjection") end + it "flags a step with github expression without spaces" do + violations = analyze(<<~YAML) + name: Pull Request Number + + on: + pull_request: + + jobs: + greet: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v1 + - name: Show PR Number + # This expression does not contain a space between the enclosing brace and its contents + run: echo "PR number is ${{github.event.pull_request.number}}" + YAML + + expect(violations.count).to eq(1) + end + it "doesn't flag a step if it executes a command safely" do violations = analyze(<<~YAML) name: Greeting From 29ca54ee032b69f5ce057f27c9d4799c01ae2146 Mon Sep 17 00:00:00 2001 From: Brandon Trautmann <8343465+btrautmann@users.noreply.github.com> Date: Tue, 12 Aug 2025 14:42:42 -0400 Subject: [PATCH 5/6] tweak test case --- spec/claws/rule/command_injection_spec.rb | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/spec/claws/rule/command_injection_spec.rb b/spec/claws/rule/command_injection_spec.rb index 8b94440..76a8a61 100644 --- a/spec/claws/rule/command_injection_spec.rb +++ b/spec/claws/rule/command_injection_spec.rb @@ -32,10 +32,14 @@ it "flags a step with github expression without spaces" do violations = analyze(<<~YAML) - name: Pull Request Number + name: Greeting on: - pull_request: + workflow_dispatch: + inputs: + name: + description: 'Who I should say hello to?' + required: true jobs: greet: 
@@ -43,9 +47,8 @@ steps: - name: Checkout uses: actions/checkout@v1 - - name: Show PR Number - # This expression does not contain a space between the enclosing brace and its contents - run: echo "PR number is ${{github.event.pull_request.number}}" + - name: Greet + run: ./scripts/greet.sh "${{join(github.event.inputs.name)}}" YAML expect(violations.count).to eq(1) From 1b99bfc73f59e5b0375ea71013702ee254d35946 Mon Sep 17 00:00:00 2001 From: Brandon Trautmann Date: Tue, 12 Aug 2025 14:43:36 -0400 Subject: [PATCH 6/6] Update lib/claws/rule/command_injection.rb Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- lib/claws/rule/command_injection.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/claws/rule/command_injection.rb b/lib/claws/rule/command_injection.rb index 7708b79..7cfe23d 100644 --- a/lib/claws/rule/command_injection.rb +++ b/lib/claws/rule/command_injection.rb @@ -8,7 +8,7 @@ class CommandInjection < BaseRule https://github.com/betterment/claws/blob/main/README.md#commandinjection DESC - on_step '$step.run =~ ".*{{.*(github.event|inputs)\..*}}.*"', highlight: "run" + on_step '$step.run =~ ".*{{.*(github\.event|inputs)\..*}}.*"', highlight: "run" end end end
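Review bot: Replacing `${{github.event.pull_request.number}}` with `${{join(github.event.inputs.name)}}` leaves the positive examples visible in this file exercising only `inputs`-derived values, so a regression to the PATCH 1/6 form `(github.event.inputs|inputs)` would pass the suite — the only remaining `github.event.*` path in the visible specs is the negative `github.event_name` case. Keeping a positive non-`inputs` step alongside the spaceless one (the PR-number step this hunk removes would serve) closes that gap, unless the earlier example whose assertion is visible at the top of the PATCH 4/6 hunk already covers such a path; its body lies outside the hunks shown.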
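Review bot: The final alternation `(github\.event|inputs)\.` covers the `github.event` payload and `inputs` only, while GitHub's security-hardening guidance also lists `github.head_ref` as attacker-controlled in workflows triggered by third parties; if the rule is meant to cover that too, `(github\.event\.|inputs\.|github\.head_ref)` in place of `(github\.event|inputs)\.` would do, with a matching spec. That may be out of scope for this series, but the `DESC` heredoc above the changed line should then state which contexts the rule does and does not inspect, since the README anchor it points to is the only documentation a user sees.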