mirror/gradio
2
0
Fork 0
mirror of https://github.com/gradio-app/gradio.git synced 2025-03-07 11:46:51 +08:00
Code Issues Packages Projects Releases Wiki Activity
458941c508
gradio/.github/configs/semgrep_rules.yaml
Abubakar Abid 136c12f785
test semgrep (#9551) 
* semgrep fix

* test semgrep

* add changeset

* change

* revert interface

* semgrep test

* add changeset

* revert

* delete changeset

* test

* changes

* fixes

---------

Co-authored-by: gradio-pr-bot <gradio-pr-bot@users.noreply.github.com>
2024-10-05 17:24:20 -07:00

111 lines
4.1 KiB
YAML
Raw Blame History

rules:
- id: third-party-action-not-pinned-to-commit-sha
patterns:
- pattern-inside: "{steps: ...}"
- pattern: |
uses: "$USES"
- metavariable-pattern:
metavariable: $USES
language: generic
patterns:
- pattern-not-regex: ^[.]/
- pattern-not-regex: ^actions/
- pattern-not-regex: ^github/
- pattern-not-regex: ^gradio-app/gradio
- pattern-not-regex: ^gradio-app/github
- pattern-not-regex: "@[0-9a-f]{40}$"
- pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$
- pattern-not-regex: ^docker://docker$
message:
An action sourced from a third-party repository on GitHub is not pinned
to a full length commit SHA. Pinning an action to a full length commit SHA
is currently the only way to use an action as an immutable release.
Pinning to a particular SHA helps mitigate the risk of a bad actor adding
a backdoor to the action's repository, as they would need to generate a
SHA-1 collision for a valid Git object payload.
languages:
- yaml
severity: WARNING
metadata:
cwe:
- "CWE-1357: Reliance on Insufficiently Trustworthy Component"
- "CWE-353: Missing Support for Integrity Check"
owasp: A06:2021 - Vulnerable and Outdated Components
references:
- https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components
- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
category: security
technology:
- github-actions
subcategory:
- vuln
likelihood: LOW
impact: LOW
confidence: HIGH
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Cryptographic Issues
- Other
- id: insecure-file-permissions
languages:
- python
severity: ERROR
message: These permissions `$BITS` are widely permissive and grant access to
more people than may be necessary. A good default is `0o644` which gives
read and write access to yourself and read access to everyone else.
patterns:
- pattern-inside: os.$METHOD(...)
- pattern-either:
- patterns:
- pattern: os.$METHOD($FILE, $BITS, ...)
- metavariable-comparison:
comparison: $BITS >= 0o650 and $BITS < 0o100000
- patterns:
- pattern: os.$METHOD($FILE, $BITS)
- metavariable-comparison:
comparison: $BITS >= 0o100650
- patterns:
- pattern: os.$METHOD($FILE, $BITS, ...)
- metavariable-pattern:
metavariable: $BITS
patterns:
- pattern-either:
- pattern: <... stat.S_IWGRP ...>
- pattern: <... stat.S_IXGRP ...>
- pattern: <... stat.S_IWOTH ...>
- pattern: <... stat.S_IXOTH ...>
- pattern: <... stat.S_IRWXO ...>
- pattern: <... stat.S_IRWXG ...>
- patterns:
- pattern: os.$METHOD($FILE, $EXPR | $MOD, ...)
- metavariable-comparison:
comparison: $MOD == 0o111
- metavariable-pattern:
metavariable: $METHOD
patterns:
- pattern-either:
- pattern: chmod
- pattern: lchmod
- pattern: fchmod
metadata:
category: security
owasp:
- A01:2021 - Broken Access Control
cwe:
- "CWE-276: Incorrect Default Permissions"
technology:
- python
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: LOW
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Improper Authorization
Reference in New Issue View Git Blame Copy Permalink