diff --git a/.github/configs/semgrep_rules.yaml b/.github/configs/semgrep_rules.yaml index 2c0e014466..e96b4808fc 100644 --- a/.github/configs/semgrep_rules.yaml +++ b/.github/configs/semgrep_rules.yaml @@ -1,45 +1,110 @@ rules: - id: third-party-action-not-pinned-to-commit-sha - pattern-either: - - pattern: uses: $ACTION@$REF - metavariable-regex: - $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$ - $REF: ^(v?\d+(\.\d+){0,2}|[^@]+)$ - - pattern: uses: $ACTION - metavariable-regex: - $ACTION: ^(?!.*?/\.)(?!actions/).*?/.*?$ - message: > - Third-party GitHub Action is not pinned to a specific commit SHA. - This can be a security risk as the action may be modified unexpectedly. - Consider using a full length commit SHA instead of a tag or branch name. + patterns: + - pattern-inside: "{steps: ...}" + - pattern: | + uses: "$USES" + - metavariable-pattern: + metavariable: $USES + language: generic + patterns: + - pattern-not-regex: ^[.]/ + - pattern-not-regex: ^actions/ + - pattern-not-regex: ^github/ + - pattern-not-regex: ^gradio-app/gradio + - pattern-not-regex: ^gradio-app/github + - pattern-not-regex: "@[0-9a-f]{40}$" + - pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$ + - pattern-not-regex: ^docker://docker$ + message: + An action sourced from a third-party repository on GitHub is not pinned + to a full length commit SHA. Pinning an action to a full length commit SHA + is currently the only way to use an action as an immutable release. + Pinning to a particular SHA helps mitigate the risk of a bad actor adding + a backdoor to the action's repository, as they would need to generate a + SHA-1 collision for a valid Git object payload. + languages: + - yaml severity: WARNING - languages: [yaml] - paths: - include: - - '**/workflows/*.yml' - - '**/workflows/*.yaml' metadata: + cwe: + - "CWE-1357: Reliance on Insufficiently Trustworthy Component" + - "CWE-353: Missing Support for Integrity Check" + owasp: A06:2021 - Vulnerable and Outdated Components + references: + - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components + - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions category: security technology: - github-actions - references: - - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions + subcategory: + - vuln + likelihood: LOW + impact: LOW + confidence: HIGH + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Cryptographic Issues + - Other - id: insecure-file-permissions - pattern: os.chmod(..., $PERMS) - message: > - Detected a call to os.chmod() with potentially insecure permissions. - Ensure that file permissions are set correctly to prevent unauthorized access. - severity: WARNING - languages: [python] + languages: + - python + severity: ERROR + message: These permissions `$BITS` are widely permissive and grant access to + more people than may be necessary. A good default is `0o644` which gives + read and write access to yourself and read access to everyone else. + patterns: + - pattern-inside: os.$METHOD(...) + - pattern-either: + - patterns: + - pattern: os.$METHOD($FILE, $BITS, ...) + - metavariable-comparison: + comparison: $BITS >= 0o650 and $BITS < 0o100000 + - patterns: + - pattern: os.$METHOD($FILE, $BITS) + - metavariable-comparison: + comparison: $BITS >= 0o100650 + - patterns: + - pattern: os.$METHOD($FILE, $BITS, ...) + - metavariable-pattern: + metavariable: $BITS + patterns: + - pattern-either: + - pattern: <... stat.S_IWGRP ...> + - pattern: <... stat.S_IXGRP ...> + - pattern: <... stat.S_IWOTH ...> + - pattern: <... stat.S_IXOTH ...> + - pattern: <... stat.S_IRWXO ...> + - pattern: <... stat.S_IRWXG ...> + - patterns: + - pattern: os.$METHOD($FILE, $EXPR | $MOD, ...) + - metavariable-comparison: + comparison: $MOD == 0o111 + - metavariable-pattern: + metavariable: $METHOD + patterns: + - pattern-either: + - pattern: chmod + - pattern: lchmod + - pattern: fchmod metadata: category: security + owasp: + - A01:2021 - Broken Access Control + cwe: + - "CWE-276: Incorrect Default Permissions" technology: - python references: - - https://docs.python.org/3/library/os.html#os.chmod - - https://owasp.org/www-community/vulnerabilities/Insecure_Temporary_File - fix-regex: - regex: os\.chmod\((.*?),\s*(.*?)\) - replacement: os.chmod($1, 0o600) - + - https://owasp.org/Top10/A01_2021-Broken_Access_Control + cwe2022-top25: true + cwe2021-top25: true + subcategory: + - vuln + likelihood: LOW + impact: MEDIUM + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Improper Authorization diff --git a/.github/workflows/website-deploy.yml b/.github/workflows/website-deploy.yml index 534ac21cff..8125becc5b 100644 --- a/.github/workflows/website-deploy.yml +++ b/.github/workflows/website-deploy.yml @@ -67,7 +67,7 @@ jobs: - name: Deploy Preview Website to Cloudflare Pages if: needs.changes.outputs.pr_number != 'false' id: cloudflare-preview - uses: cloudflare/wrangler-action@v3 + uses: cloudflare/wrangler-action@93fff4f65695eb901ed8bbdaa2e6a3ead4f6b345 with: apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }} @@ -77,7 +77,7 @@ jobs: - name: Deploy Production Website to Cloudflare Pages if: needs.changes.outputs.source_repo == 'gradio-app/gradio' && needs.changes.outputs.source_branch == 'refs/heads/main' id: cloudflare-production - uses: cloudflare/wrangler-action@v3 + uses: cloudflare/wrangler-action@93fff4f65695eb901ed8bbdaa2e6a3ead4f6b345 with: apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }} accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}