-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
37 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| name: Automated Code Reviews | ||
| on: [pull_request] | ||
|
|
||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
|
|
||
| jobs: | ||
| bearer: | ||
| name: Bearer Security Analysis | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: reviewdog/action-setup@v1 | ||
| with: | ||
| reviewdog_version: latest | ||
| - name: Bearer | ||
| uses: bearer/bearer-action@v2 | ||
| with: | ||
| diff: true | ||
| format: rdjson | ||
| output: bearer_todo.json | ||
| - name: Run reviewdog | ||
| if: always() | ||
| env: | ||
| REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| run: | | ||
| cat reviewdog.json | reviewdog -f=rdjson -reporter=github-pr-check |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| { | ||
| "2314bd71cca49a48fe84485b966be0b6_0": { | ||
| "author": "Jill Klang", | ||
| "comment": "Ignoring this finding for now", | ||
| "false_positive": false, | ||
| "ignored_at": "2024-11-07T21:37:47Z" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| {"source":{"name":"Bearer","url":"https://docs.bearer.com/"},"diagnostics":[{"message":"\n# Usage of dangerous 'eval' function\n## Description\n\nThe use of the `eval` function, which dynamically executes code represented as strings, poses a high security risk in any programming environment. This is primarily because it can be exploited to run arbitrary and potentially harmful code, making the application vulnerable to code injection attacks.\n\n## Remediations\n\n- **Do not** use the `eval` function. Its ability to execute code that can be manipulated by an attacker introduces various injection vulnerabilities.\n ```ruby\n eval(\"def hello_world; puts 'Hello world!'; end\")\n ```\n- **Do** explore safer alternatives to `eval`. Use language features or libraries specifically designed for the task you're trying to accomplish with `eval`.\n- **Do** validate and sanitize all inputs if you must use dynamic code execution. This reduces the risk of executing malicious code.\n- **Do** use restricted execution environments for running code dynamically if absolutely necessary. This minimizes the potential impact of malicious code execution by isolating it from the main application environment.\n\n## References\n\n- [OWASP: Eval Injection](https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection)\n- [MDN Web Docs: Never use eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)","location":{"path":"packages/consent/lib/consent/dsl.rb","range":{"start":{"line":20,"column":9},"end":{"line":20,"column":36}}},"severity":"ERROR","suggestions":[],"code":{"value":"ruby_lang_eval_linter","url":"https://docs.bearer.com/reference/rules/ruby_lang_eval_linter"}}]} |