This repository has been archived by the owner on May 30, 2022. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
scan.py
261 lines (213 loc) · 7.58 KB
/
scan.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
import argparse
import collections
import hashlib
import os.path
import shutil
import subprocess
import tempfile
import time
import urllib.parse
import urllib.request
from typing import Any
from typing import Dict
from typing import Generator
from typing import List
from typing import NamedTuple
from typing import Optional
from typing import Set
from typing import Tuple
import ruamel.yaml
from util import db_connect
from util import get_token
from util import req
yaml_load = ruamel.yaml.YAML(typ='safe').load
QUERY = (
'pull_request_target actions/checkout github.event.pull_request '
'extension:yml path:.github/workflows'
)
def _repos(token: str) -> Generator[str, None, None]:
headers = {'Authorization': f'token {token}'}
query = urllib.parse.urlencode({'q': QUERY})
url = f'https://api.github.com/search/code?q={query}'
resp = req(url, headers=headers)
for result in resp.json['items']:
if not result['repository']['fork']:
yield result['repository']['full_name']
while 'next' in resp.links:
time.sleep(10) # search api limit
resp = req(resp.links['next'], headers=headers)
for result in resp.json['items']:
if not result['repository']['fork']:
yield result['repository']['full_name']
class File(NamedTuple):
name: str
checksum: str
def css_class(self, vulnerable: Dict[str, Optional[bool]]) -> str:
return {
None: 'file-unknown',
True: 'file-bad',
False: 'file-ok',
}[vulnerable[self.checksum]]
class Repo(NamedTuple):
repo: str
rev: str
account_type: str
star_count: int
files: Tuple[File, ...]
@property
def repo1(self) -> str:
repo1, _, _ = self.repo.partition('/')
return repo1
@property
def repo2(self) -> str:
_, _, repo2 = self.repo.partition('/')
return repo2
def css_class(
self,
vulnerable: Dict[str, Optional[bool]],
done: Set[str],
) -> str:
if self.repo in done:
return 'repo-done'
elif all(vulnerable[file.checksum] is False for file in self.files):
return 'repo-ok'
elif any(vulnerable[file.checksum] is True for file in self.files):
return 'repo-bad'
else:
return 'repo-unknown'
@property
def url(self) -> str:
return f'https://github.com/{self.repo}'
def file_url(self, filename: str) -> str:
return f'https://github.com/{self.repo}/blob/{self.rev}/{filename}'
def _vulnerable_on(contents: Any) -> bool:
if not isinstance(contents, dict) or 'on' not in contents:
return False
on = contents['on']
if isinstance(on, list) and 'pull_request_target' in on:
return True
elif on == 'pull_request_target':
return True
elif not isinstance(on, dict) or 'pull_request_target' not in on:
return False
cfg = on['pull_request_target']
if cfg is None:
return True
elif 'types' not in cfg:
return True
elif isinstance(cfg['types'], str):
return cfg['types'] in {'opened', 'synchronize', 'reopened'}
return bool(set(cfg['types']) & {'opened', 'synchronize', 'reopened'})
def _vulnerable_jobs(contents: Dict[str, Any]) -> bool:
if not isinstance(contents, dict):
return False
elif 'jobs' not in contents or not isinstance(contents['jobs'], dict):
return False
for _, job in contents['jobs'].items():
if not isinstance(job, dict):
continue
elif 'steps' not in job or not isinstance(job['steps'], list):
continue
for step in job['steps']:
if not isinstance(step, dict):
continue
elif 'with' not in step or 'uses' not in step:
continue
elif not step['uses'].startswith('actions/checkout'):
continue
elif not isinstance(step['with'], dict):
continue
elif 'ref' not in step['with']:
continue
elif not isinstance(step['with']['ref'], str):
continue
else:
return 'event.pull_request.base' not in step['with']['ref']
else:
return False
def _get_repo_info(repo: str, token: str) -> Repo:
resp = req(
f'https://api.github.com/repos/{repo}',
headers={'Authorization': f'token {token}'},
)
account_type = resp.json['owner']['type']
star_count = resp.json['stargazers_count']
with tempfile.TemporaryDirectory() as tmpdir:
git = ('git', '-c', 'protocol.version=2', '-C', tmpdir)
subprocess.check_call((
*git, 'clone', '--no-checkout', '--quiet', '--depth=1',
f'https://github.com/{repo}', '.',
))
subprocess.check_call((*git, 'reset', '-q', '--', '.github/workflows'))
subprocess.check_call((*git, 'checkout', '--', '.github/workflows'))
rev = subprocess.check_output((*git, 'rev-parse', 'HEAD')).strip()
files = []
for filename in os.listdir(os.path.join(tmpdir, '.github/workflows')):
filename = os.path.join('.github/workflows', filename)
if not filename.endswith('.yml'):
continue
tmp_filename = os.path.join(tmpdir, filename)
with open(tmp_filename) as f:
try:
contents = yaml_load(f)
except Exception: # ideally it'd be YamlError
continue
if _vulnerable_on(contents) and _vulnerable_jobs(contents):
with open(tmp_filename, 'rb') as f_b:
checksum = hashlib.sha256(f_b.read()).hexdigest()
files.append(File(filename, checksum))
dest = os.path.join('files', repo, rev.decode(), filename)
os.makedirs(os.path.dirname(dest), exist_ok=True)
shutil.copy(tmp_filename, dest)
return Repo(
repo=repo,
rev=rev.decode(),
account_type=account_type,
star_count=star_count,
files=tuple(sorted(files)),
)
def main() -> int:
parser = argparse.ArgumentParser()
parser.add_argument('--full-refresh', action='store_true')
args = parser.parse_args()
token = get_token()
if not args.full_refresh:
with db_connect() as db:
res = db.execute('SELECT repo FROM seen').fetchall()
seen = {repo for repo, in res}
else:
seen = set()
by_org: Dict[str, List[Repo]] = collections.defaultdict(list)
for repo_s in _repos(token):
if repo_s in seen:
continue
else:
seen.add(repo_s)
org, _ = repo_s.split('/')
by_org[org].append(_get_repo_info(repo_s, token))
by_org = {k: [r for r in v if r.files] for k, v in by_org.items()}
by_org = {k: v for k, v in sorted(by_org.items()) if v}
for org, repos in by_org.items():
for repo in repos:
print(f'- http://localhost:8000/repo/{repo.repo}')
rows = [
(
repo.repo,
filename,
repo.rev,
repo.account_type,
repo.star_count,
checksum,
)
for repos in by_org.values()
for repo in repos
for filename, checksum in repo.files
]
seen_rows = [(repo,) for repo in seen]
with db_connect() as db:
query = 'INSERT OR REPLACE INTO data VALUES (?, ?, ?, ?, ?, ?)'
db.executemany(query, rows)
db.executemany('INSERT OR REPLACE INTO seen VALUES (?)', seen_rows)
return 0
if __name__ == '__main__':
exit(main())