Create rule for GHSA-4xqx-pqpj-9fqw

Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>
ericcornelissen · Dec 14, 2024 · 0d923c1 · 0d923c1
1 parent 3e647e8
commit 0d923c1
Show file tree

Hide file tree

Showing 5 changed files with 193 additions and 85 deletions.
diff --git a/RULES.md b/RULES.md
@@ -160,3 +160,11 @@ mitigate this, upgrade the action to a non-vulnerable version.
 When an expression is used in the sha input for `kceb/git-message-action` in v1.1.0 or earlier it
 may be used to execute arbitrary shell commands (no vulnerability identifier available). To mitigate
 this, upgrade the action to a non-vulnerable version.
+
+## <a id="ADES202"></a> ADES202 - Expression in `atlassian/gajira-create` summary input
+
+When an expression is used in the summary input for `atlassian/gajira-create` in v2.0.0 or earlier
+it may be used to execute arbitrary JavaScript code, see [GHSA-4xqx-pqpj-9fqw]. To mitigate this,
+upgrade the action to a non-vulnerable version.
+
+[GHSA-4xqx-pqpj-9fqw]: https://github.com/advisories/GHSA-4xqx-pqpj-9fqw
diff --git a/matchers_test.go b/matchers_test.go
@@ -296,8 +296,8 @@ func TestConservativeMatcher(t *testing.T) {
 		},
 	}
 
-	for _, tt := range testCases {
-		t.Run(tt.value, func(t *testing.T) {
+	for name, tt := range testCases {
+		t.Run(name, func(t *testing.T) {
 			t.Parallel()
 
 			s := fmt.Sprintf("echo '%s'", tt.value)

diff --git a/rules.go b/rules.go
@@ -87,6 +87,26 @@ it can be made safer by converting it into:
 	},
 }
 
+var actionRuleAtlassianGajiraCreate = actionRule{
+	appliesTo: func(uses *StepUses) bool {
+		return isBeforeVersion(uses, "v2.0.1")
+	},
+	rule: rule{
+		id:    "ADES202",
+		title: "Expression in 'atlassian/gajira-create' summary input",
+		description: `
+When an expression is used in the summary input for 'atlassian/gajira-create' in v2.0.0 or earlier
+it may be used to execute arbitrary JavaScript code, see GHSA-4xqx-pqpj-9fqw. To mitigate this,
+upgrade the action to a non-vulnerable version.`,
+		extractFrom: func(step *JobStep) string {
+			return step.With["summary"]
+		},
+		suggestion: func(_ *Violation) string {
+			return "    1. Upgrade to a non-vulnerable version, see GHSA-4xqx-pqpj-9fqw"
+		},
+	},
+}
+
 var actionRuleEriccornelissenGitTagAnnotationAction = actionRule{
 	appliesTo: func(uses *StepUses) bool {
 		return isBeforeVersion(uses, "v1.0.1")
@@ -264,6 +284,9 @@ var actionRules = map[string][]actionRule{
 	"actions/github-script": {
 		actionRuleActionsGitHubScript,
 	},
+	"atlassian/gajira-create": {
+		actionRuleAtlassianGajiraCreate,
+	},
 	"ericcornelissen/git-tag-annotation-action": {
 		actionRuleEriccornelissenGitTagAnnotationAction,
 	},