mirror/gradio
2
0
Fork 0
mirror of https://github.com/gradio-app/gradio.git synced 2024-11-21 01:01:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

test semgrep (#9551)

Browse Source 
* semgrep fix

* test semgrep

* add changeset

* change

* revert interface

* semgrep test

* add changeset

* revert

* delete changeset

* test

* changes

* fixes

---------

Co-authored-by: gradio-pr-bot <gradio-pr-bot@users.noreply.github.com>
This commit is contained in:
Abubakar Abid 2024-10-05 17:24:20 -07:00 committed by GitHub
parent 99c9e26614
commit 136c12f785
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 98 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
.github/configs/semgrep_rules.yaml vendored
View File

@ -1,45 +1,110 @@
rules:
- id: third-party-action-not-pinned-to-commit-sha
pattern-either:
- pattern: uses: $ACTION@$REF
metavariable-regex:
$ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
$REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$
- pattern: uses: $ACTION
metavariable-regex:
$ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$
message: >
Third-party GitHub Action is not pinned to a specific commit SHA.
This can be a security risk as the action may be modified unexpectedly.
Consider using a full length commit SHA instead of a tag or branch name.
patterns:
- pattern-inside: "{steps: ...}"
- pattern: |
uses: "$USES"
- metavariable-pattern:
metavariable: $USES
language: generic
patterns:
- pattern-not-regex: ^[.]/
- pattern-not-regex: ^actions/
- pattern-not-regex: ^github/
- pattern-not-regex: ^gradio-app/gradio
- pattern-not-regex: ^gradio-app/github
- pattern-not-regex: "@[0-9a-f]{40}$"
- pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$
- pattern-not-regex: ^docker://docker$
message:
An action sourced from a third-party repository on GitHub is not pinned
to a full length commit SHA. Pinning an action to a full length commit SHA
is currently the only way to use an action as an immutable release.
Pinning to a particular SHA helps mitigate the risk of a bad actor adding
a backdoor to the action's repository, as they would need to generate a
SHA-1 collision for a valid Git object payload.
languages:
- yaml
severity: WARNING
languages: [yaml]
paths:
include:
- '**/workflows/*.yml'
- '**/workflows/*.yaml'
metadata:
cwe:
- "CWE-1357: Reliance on Insufficiently Trustworthy Component"
- "CWE-353: Missing Support for Integrity Check"
owasp: A06:2021 - Vulnerable and Outdated Components
references:
- https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
category: security
technology:
- github-actions
references:
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
subcategory:
- vuln
likelihood: LOW
impact: LOW
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
- Other
- id: insecure-file-permissions
pattern: os.chmod(..., $PERMS)
message: >
Detected a call to os.chmod() with potentially insecure permissions.
Ensure that file permissions are set correctly to prevent unauthorized access.
severity: WARNING
languages: [python]
languages:
- python
severity: ERROR
message: These permissions `$BITS` are widely permissive and grant access to
more people than may be necessary. A good default is `0o644` which gives
read and write access to yourself and read access to everyone else.
patterns:
- pattern-inside: os.$METHOD(...)
- pattern-either:
- patterns:
- pattern: os.$METHOD($FILE, $BITS, ...)
- metavariable-comparison:
comparison: $BITS >= 0o650 and $BITS < 0o100000
- patterns:
- pattern: os.$METHOD($FILE, $BITS)
- metavariable-comparison:
comparison: $BITS >= 0o100650
- patterns:
- pattern: os.$METHOD($FILE, $BITS, ...)
- metavariable-pattern:
metavariable: $BITS
patterns:
- pattern-either:
- pattern: <... stat.S_IWGRP ...>
- pattern: <... stat.S_IXGRP ...>
- pattern: <... stat.S_IWOTH ...>
- pattern: <... stat.S_IXOTH ...>
- pattern: <... stat.S_IRWXO ...>
- pattern: <... stat.S_IRWXG ...>
- patterns:
- pattern: os.$METHOD($FILE, $EXPR | $MOD, ...)
- metavariable-comparison:
comparison: $MOD == 0o111
- metavariable-pattern:
metavariable: $METHOD
patterns:
- pattern-either:
- pattern: chmod
- pattern: lchmod
- pattern: fchmod
metadata:
category: security
owasp:
- A01:2021 - Broken Access Control
cwe:
- "CWE-276: Incorrect Default Permissions"
technology:
- python
references:
- https://docs.python.org/3/library/os.html#os.chmod
- https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File
fix-regex:
regex: os\.chmod\((.*?),\s*(.*?)\)
replacement: os.chmod($1, 0o600)
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization

4
.github/workflows/website-deploy.yml vendored
View File

@ -67,7 +67,7 @@ jobs:
- name: Deploy Preview Website to Cloudflare Pages
if: needs.changes.outputs.pr_number != 'false'
id: cloudflare-preview
uses: cloudflare/wrangler-action@v3
uses: cloudflare/wrangler-action@93fff4f65695eb901ed8bbdaa2e6a3ead4f6b345
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
@ -77,7 +77,7 @@ jobs:
- name: Deploy Production Website to Cloudflare Pages
if: needs.changes.outputs.source_repo == 'gradio-app/gradio' && needs.changes.outputs.source_branch == 'refs/heads/main'
id: cloudflare-production
uses: cloudflare/wrangler-action@v3
uses: cloudflare/wrangler-action@93fff4f65695eb901ed8bbdaa2e6a3ead4f6b345
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}