CycodeLabs/raven

Check for Environment / Label Gating

AdnaneKhan opened this issue · 3 comments

AdnaneKhan commented

Many workflows that would be vulnerable to pwn requests or injection use label or environment-based gating to prevent unauthorized parties from running code in workflows with access to secrets or a write token.

Is there a way to query against the if: check for jobs that contain vulnerable sections? This could help rule out false positives.

Similarly, I think it would be good to check if the environment key is present within the job config and to use the API to query environment information (the response will return if there is a required approvers list).

elad-pticha commented

Thank you for submitting this issue!

I think it should be two different issues.

  1. Adding another property of condition for each job.
  2. Query additional details about the environment of the job.

Can you please open those two issues with screenshots and a more detailed explanation? (We also added issue templates to better track and document our issues.)?

When Opening the two issues, I will close this one. What do you think?

AdnaneKhan commented

Thank you for submitting this issue!

I think it should be two different issues.

  1. Adding another property of condition for each job.
  2. Query additional details about the environment of the job.

Can you please open those two issues with screenshots and a more detailed explanation? (We also added issue templates to better track and document our issues.)?

When Opening the two issues, I will close this one. What do you think?

Yes, I can do that! I'm currently very busy, but I'll get around to capturing more information over the weekend. Might even take a crack at implementing some of these features.

Love this project overall! Super excited to see where it goes - I'm sure you'll find some downright wild vulnerabilities once you build out the taint analysis engine.

  • ❤️1
elad-pticha commented

Thank you!!!

I am glad you are enjoying it. We created it for people like you to learn and find vulnerabilities.
We are waiting for those issues and even a PR from you. In the meantime you can read about vulnerabilities we found using RAVEN at: https://github.com/CycodeLabs/raven/tree/main/docs