From 4fe9597a97493a897f174b7aa98a00e7641f69b2 Mon Sep 17 00:00:00 2001 From: Jill Klang Date: Thu, 7 Nov 2024 16:38:04 -0500 Subject: [PATCH] First pass at bearer --- .github/workflows/reviewdog.yml | 28 ++++++++++++++++++++++++++++ bearer.ignore | 8 ++++++++ reviewdog.json | 1 + 3 files changed, 37 insertions(+) create mode 100644 .github/workflows/reviewdog.yml create mode 100644 bearer.ignore create mode 100644 reviewdog.json diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml new file mode 100644 index 00000000..97934ea3 --- /dev/null +++ b/.github/workflows/reviewdog.yml @@ -0,0 +1,28 @@ +name: Automated Code Reviews +on: [pull_request] + +permissions: + contents: read + pull-requests: write + +jobs: + bearer: + name: Bearer Security Analysis + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: reviewdog/action-setup@v1 + with: + reviewdog_version: latest + - name: Bearer + uses: bearer/bearer-action@v2 + with: + diff: true + format: rdjson + output: bearer_todo.json + - name: Run reviewdog + if: always() + env: + REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check diff --git a/bearer.ignore b/bearer.ignore new file mode 100644 index 00000000..44fed826 --- /dev/null +++ b/bearer.ignore @@ -0,0 +1,8 @@ +{ + "2314bd71cca49a48fe84485b966be0b6_0": { + "author": "Jill Klang", + "comment": "Ignoring this finding for now", + "false_positive": false, + "ignored_at": "2024-11-07T21:37:47Z" + } +} \ No newline at end of file diff --git a/reviewdog.json b/reviewdog.json new file mode 100644 index 00000000..6a88e74e --- /dev/null +++ b/reviewdog.json @@ -0,0 +1 @@ +{"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[{"message":"\n# Usage of dangerous 'eval' function\n## Description\n\nThe use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.\n\n## Remediations\n\n- **Do not** use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.\n ```ruby\n eval(\"def hello_world; puts 'Hello world!'; end\")\n ```\n- **Do** explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.\n- **Do** validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.\n- **Do** use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.\n\n## References\n\n- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)\n- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)","location":{"path":"packages/consent/lib/consent/dsl.rb","range":{"start":{"line":20,"column":9},"end":{"line":20,"column":36}}},"severity":"ERROR","suggestions":[],"code":{"value":"ruby_lang_eval_linter","url":"https://docs.bearer.com/reference/rules/ruby_lang_eval_linter"}}]}