checkov
feat(azure): add CKV_AZUREPIPELINES_4 preventing malicious setting of system variables via user defined input
"Ensure a task enforces settableVariables to prevent malicious user input overriding system vars."
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Description
From: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/misc?view=azure-devops (search for settableVariables)
> Because pipeline variables are exported as environment variables to subsequent tasks, tasks that output user-provided data (for example, the contents of open issues retrieved from a REST API) can be vulnerable to injection attacks. Such user content can set environment variables that can in turn be used to exploit the agent host. To disallow this, pipeline authors can explicitly declare which variables are settable via the settableVariable command. Specifying an empty list disallows setting all variables.
Example (Azure Docs):

```yaml
# this task will fail because the task is only allowed to set the 'expectedVar' variable, or a variable prefixed with "ok"
- task: PowerShell@2
  target:
    commands: restricted
    settableVariables:
    - expectedVar
    - ok*
  inputs:
    targetType: 'inline'
    script: |
      Write-Host "##vso[task.setvariable variable=BadVar]myValue"
```
This check ensures that any job/stage with a Bash or PowerShell component has also defined a `settableVariables` list.
Checklist:
- [X] My code follows the style guidelines of this project
- [X] I have performed a self-review of my own code
- [X] I have commented my code, particularly in hard-to-understand areas
- [X] I have made corresponding changes to the documentation
- [X] I have added tests that prove my feature, policy, or fix is effective and works
- [X] New and existing tests pass locally with my changes
- [X] Any dependent changes have been merged and published in downstream modules
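The following is an added example, not checkov's own implementation of CKV_AZUREPIPELINES_4 and not code from this PR. It shows the shape of the check the description outlines: walk a parsed Azure Pipelines definition, find every step that runs a Bash or PowerShell script, and report those whose `target` block does not declare a `settableVariables` list. Treating the shorthand `bash:` / `powershell:` / `pwsh:` steps the same as `Bash@N` / `PowerShell@N` tasks, and matching variable names case-insensitively in `variable_allowed`, are assumptions of this example; the sample pipeline is constructed for the demonstration.

```python
# Added example (not checkov's own code): detector for script steps that do
# not restrict which pipeline variables their output may set.
from fnmatch import fnmatchcase
from typing import Any, Dict, Iterator, List, Tuple

# Task names from the Azure docs example, plus shorthand step keys
# (assumption: the check should cover those as well).
SCRIPT_TASK_NAMES = {"Bash", "PowerShell"}
SCRIPT_SHORTHAND_KEYS = ("bash", "powershell", "pwsh")


def is_script_step(step: Dict[str, Any]) -> bool:
    """True when the step runs a user-authored Bash or PowerShell script."""
    task_name = str(step.get("task", "")).split("@", 1)[0]
    if task_name in SCRIPT_TASK_NAMES:
        return True
    return any(key in step for key in SCRIPT_SHORTHAND_KEYS)


def restricts_settable_variables(step: Dict[str, Any]) -> bool:
    """True when target.settableVariables is declared as a list.

    An empty list is valid: it forbids the script from setting any variable.
    """
    target = step.get("target")
    if not isinstance(target, dict):
        return False
    return isinstance(target.get("settableVariables"), list)


def iter_steps(pipeline: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (path, step) for top-level steps, job steps and stage/job steps."""
    for i, step in enumerate(pipeline.get("steps") or []):
        yield f"steps[{i}]", step
    for j, job in enumerate(pipeline.get("jobs") or []):
        for i, step in enumerate(job.get("steps") or []):
            yield f"jobs[{j}].steps[{i}]", step
    for s, stage in enumerate(pipeline.get("stages") or []):
        for j, job in enumerate(stage.get("jobs") or []):
            for i, step in enumerate(job.get("steps") or []):
                yield f"stages[{s}].jobs[{j}].steps[{i}]", step


def find_violations(pipeline: Dict[str, Any]) -> List[str]:
    """Paths of script steps that lack a settableVariables list."""
    return [
        path
        for path, step in iter_steps(pipeline)
        if is_script_step(step) and not restricts_settable_variables(step)
    ]


def variable_allowed(settable: List[str], name: str) -> bool:
    """Agent-side rule from the docs: a setvariable command is honoured only
    when the name matches an entry; entries may end in '*' (e.g. 'ok*').
    Case-insensitive comparison is an assumption of this example."""
    return any(fnmatchcase(name.lower(), pattern.lower()) for pattern in settable)


# Constructed sample pipeline, already parsed from YAML into Python objects.
SAMPLE_PIPELINE = {
    "stages": [{
        "stage": "Build",
        "jobs": [
            {"job": "build", "steps": [
                {   # docs example: only expectedVar / ok* may be set -> compliant
                    "task": "PowerShell@2",
                    "target": {"commands": "restricted",
                               "settableVariables": ["expectedVar", "ok*"]},
                    "inputs": {"targetType": "inline",
                               "script": 'Write-Host "##vso[task.setvariable variable=BadVar]myValue"'},
                },
                {   # Bash task with no target block -> violation
                    "task": "Bash@3",
                    "inputs": {"targetType": "inline", "script": "echo building"},
                },
                {"task": "CopyFiles@2"},  # not a script task: out of scope
            ]},
            {"job": "report", "steps": [
                {"powershell": "Write-Host $(issueBody)"},  # shorthand, unrestricted -> violation
                {"bash": "echo done", "target": {"settableVariables": []}},  # locked down
            ]},
        ],
    }],
}


if __name__ == "__main__":
    for path in find_violations(SAMPLE_PIPELINE):
        print(f"FAILED: {path} runs a script without target.settableVariables")
```

Running the module prints one FAILED line per unrestricted script step; the report job's `bash` step passes because an empty `settableVariables` list is the strictest setting, not a missing one. `variable_allowed` is included to show what the agent enforces once the list exists: with `["expectedVar", "ok*"]`, a `##vso[task.setvariable variable=BadVar]` command from script output is ignored.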
Hey @metahertz , is it still needed?
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!