From 27bd0030fc0c7882359832df106bf63114d39de5 Mon Sep 17 00:00:00 2001
From: Vivek Khimani
Date: Sat, 27 Jul 2024 12:19:12 -0700
Subject: [PATCH 1/6] expand gitlab allowlist

---
 README.md | 7 ++++++-
 pkg/config.go | 30 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 644ea89..5615067 100644
--- a/README.md
+++ b/README.md
@@ -113,7 +113,7 @@ inbound:
 gitlab:
 baseUrl: https://gitlab.example.com/api/v4
 token: ...
- allowCodeAccess: false # default is false, set to true to allow Semgrep to read file contents
+ allowCodeAccess: false # default is false, set to true to allow Semgrep to read file contents
 ```
 Under the hood, this config adds these allowlist items:
@@ -123,7 +123,12 @@ Under the hood, this config adds these allowlist items:
 - GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests`
 - GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/versions`
 - GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions`
+- GET `https://gitlab.example.com/api/v4/projects/:project/repository/commits`
+- GET `https://gitlab.example.com/api/v4/projects/:project/repository/branches`
+- GET `https://gitlab.example.com/api/v4/projects/:project/repository/files/:path`
+- GET `https://gitlab.example.com/api/v4/:entity_type/:namespace/projects`
 - POST `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions`
+- POST `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion/notes`
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion/notes/:note`
 - PUT `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion`
diff --git a/pkg/config.go b/pkg/config.go
index f4b3a7e..91c27e9 100644
--- a/pkg/config.go
+++ b/pkg/config.go
@@ -437,12 +437,42 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 Methods: ParseHttpMethods([]string{"GET"}),
 SetRequestHeaders: headers,
 },
+ // Projects
+ AllowlistItem{
+ URL: gitLabBaseUrl.JoinPath("/:entity_type/:namespace/projects").String(),
+ Methods: ParseHttpMethods([]string{"GET"}),
+ SetRequestHeaders: headers,
+ },
+ // Commits
+ AllowlistItem{
+ URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/commits").String(),
+ Methods: ParseHttpMethods([]string{"GET"}),
+ SetRequestHeaders: headers,
+ },
+ // Branches
+ AllowlistItem{
+ URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/branches").String(),
+ Methods: ParseHttpMethods([]string{"GET"}),
+ SetRequestHeaders: headers,
+ },
+ // File content
+ AllowlistItem{
+ URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/files/:filepath").String(),
+ Methods: ParseHttpMethods([]string{"GET"}),
+ SetRequestHeaders: headers,
+ },
 // post MR comment
 AllowlistItem{
 URL: gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/discussions").String(),
 Methods: ParseHttpMethods([]string{"GET", "POST"}),
 SetRequestHeaders: headers,
 },
+ // post MR comment reply
+ AllowlistItem{
+ URL: gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/discussions/:discussion/notes").String(),
+ Methods: ParseHttpMethods([]string{"POST"}),
+ SetRequestHeaders: headers,
+ },
 // update MR comment
 AllowlistItem{
 URL: gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/discussions/:discussion/notes/:note").String(),
From 0a8d9c0e2647d07c21432fe9f2b6d475f033d301 Mon Sep 17 00:00:00 2001
From: Vivek Khimani
Date: Sat, 27 Jul 2024 12:25:03 -0700
Subject: [PATCH 2/6] tests eh

---
 pkg/allowlist_test.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkg/allowlist_test.go b/pkg/allowlist_test.go
index fec47dd..b736e75 100644
--- a/pkg/allowlist_test.go
+++ b/pkg/allowlist_test.go
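Review bot: The `/:entity_type/:namespace/projects` item at the top of the added block puts a variable in the first path segment, so it admits any `/<x>/<y>/projects` route under the GitLab API base rather than only the (presumably `groups` and `users`) project listings it is meant for. Because this allowlist is what decides which token-bearing requests the broker forwards, the item should be spelled out as two fixed-prefix entries, `gitLabBaseUrl.JoinPath("/groups/:namespace/projects")` and `gitLabBaseUrl.JoinPath("/users/:namespace/projects")`. The `// File content` item is also appended unconditionally here, while the README's `allowCodeAccess` section already lists `/repository/files/:filepath` as a gated route, so it belongs in that gated branch rather than the default list. LoadConfig's body starts and ends outside the hunk.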
@@ -108,6 +108,8 @@ func TestAllowlistPathMatch(t *testing.T) {
 // test path matching
 assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/wildcard-path/a", true)
 assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/wildcard-path/a/b", true)
+ assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/wildcard-path/a/b?foo=bar", true)
+ assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/wildcard-path/a/b?foo=bar#baz", true)
 assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/variable-path/a", true)
 assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/variable-path/a/b", false)
 assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/hardcoded-path", true)
From 87c6ae080a4108def44092bae64831d0a5663cdf Mon Sep 17 00:00:00 2001
From: Vivek Khimani
Date: Sat, 27 Jul 2024 12:30:10 -0700
Subject: [PATCH 3/6] respect code access

---
 README.md | 3 +--
 pkg/config.go | 18 ++++++------------
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index 5615067..e3f890c 100644
--- a/README.md
+++ b/README.md
@@ -123,9 +123,7 @@ Under the hood, this config adds these allowlist items:
 - GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests`
 - GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/versions`
 - GET `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions`
-- GET `https://gitlab.example.com/api/v4/projects/:project/repository/commits`
 - GET `https://gitlab.example.com/api/v4/projects/:project/repository/branches`
-- GET `https://gitlab.example.com/api/v4/projects/:project/repository/files/:path`
 - GET `https://gitlab.example.com/api/v4/:entity_type/:namespace/projects`
 - POST `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions`
 - POST `https://gitlab.example.com/api/v4/projects/:project/merge_requests/:number/discussions/:discussion/notes`
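Review bot: The two new assertions only show that a query string and a fragment do not break an already-positive wildcard match; nothing checks that they cannot turn a non-match into a match. A negative case next to them, `assertAllowlistMatch(t, allowlist, "GET", "https://foo.com/variable-path/a/b?foo=bar", false)`, would pin that the query is stripped before path matching rather than being absorbed into the last segment, which is the property that matters for an allowlist. TestAllowlistPathMatch starts outside the hunk.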
@@ -135,6 +133,7 @@ Under the hood, this config adds these allowlist items:
 And if `allowCodeAccess` is set, additionally:
 - GET `https://gitlab.example.com/api/v4/projects/:project/repository/files/:filepath`
+- GET `https://gitlab.example.com/api/v4/projects/:project/repository/commits`
 ### Bitbucket
diff --git a/pkg/config.go b/pkg/config.go
index 91c27e9..6e399c3 100644
--- a/pkg/config.go
+++ b/pkg/config.go
@@ -443,24 +443,12 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 Methods: ParseHttpMethods([]string{"GET"}),
 SetRequestHeaders: headers,
 },
- // Commits
- AllowlistItem{
- URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/commits").String(),
- Methods: ParseHttpMethods([]string{"GET"}),
- SetRequestHeaders: headers,
- },
 // Branches
 AllowlistItem{
 URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/branches").String(),
 Methods: ParseHttpMethods([]string{"GET"}),
 SetRequestHeaders: headers,
 },
- // File content
- AllowlistItem{
- URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/files/:filepath").String(),
- Methods: ParseHttpMethods([]string{"GET"}),
- SetRequestHeaders: headers,
- },
 // post MR comment
 AllowlistItem{
 URL: gitLabBaseUrl.JoinPath("/projects/:project/merge_requests/:number/discussions").String(),
@@ -495,6 +483,12 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 Methods: ParseHttpMethods([]string{"GET"}),
 SetRequestHeaders: headers,
 },
+ // Commits
+ AllowlistItem{
+ URL: gitLabBaseUrl.JoinPath("/projects/:project/repository/commits").String(),
+ Methods: ParseHttpMethods([]string{"GET"}),
+ SetRequestHeaders: headers,
+ },
 )
 }
 }
From 49e649f6861432ac8002b26a394201707026f936 Mon Sep 17 00:00:00 2001
From: Vivek Khimani
Date: Sat, 27 Jul 2024 12:35:02 -0700
Subject: [PATCH 4/6] code access urls for github

---
 README.md | 5 +++++
 pkg/config.go | 27 +++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

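Review bot: The relocated `// Commits` item in the second config.go hunk lands inside an append whose enclosing `if` is outside the hunk, so nothing at the item itself says why it was moved; the README change in the same commit indicates it is now conditional on `allowCodeAccess`. A comment that carries that intent with the item, `// Commits (only added when allowCodeAccess is set; see README)`, keeps the gating visible for the next person who reorders this list. The first hunk drops the same item and the `// File content` item from the unconditional list, which is consistent with that. LoadConfig's body starts and ends outside both hunks.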
diff --git a/README.md b/README.md
index e3f890c..47ce1b9 100644
--- a/README.md
+++ b/README.md
@@ -102,6 +102,11 @@ Under the hood, this config adds these allowlist items:
 - POST `https://github.example.com/api/v3/repos/:owner/:repo/pulls/:number/comments`
 - POST `https://github.example.com/api/v3/repos/:owner/:repo/issues/:number/comments`
+And if `allowCodeAccess` is set, additionally:
+
+- GET `https://github.example.com/api/v3/repos/:repo/contents/:filepath`
+- GET `https://github.example.com/api/v3/repos/:repo/commits`
+
 ### GitLab
 Similarly, the `gitlab` configuration section grants Semgrep access to leave MR comments.
diff --git a/pkg/config.go b/pkg/config.go
index 6e399c3..1ef4884 100644
--- a/pkg/config.go
+++ b/pkg/config.go
@@ -203,8 +203,9 @@ type HeartbeatConfig struct {
 }
 type GitHub struct {
- BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
- Token string `mapstructure:"token" json:"token"`
+ BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
+ Token string `mapstructure:"token" json:"token"`
+ AllowCodeAccess bool `mapstructure:"allowCodeAccess" json:"allowCodeAccess"`
 }
 type GitLab struct {
@@ -214,8 +215,9 @@ type GitLab struct {
 }
 type BitBucket struct {
- BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
- Token string `mapstructure:"token" json:"token"`
+ BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
+ Token string `mapstructure:"token" json:"token"`
+ AllowCodeAccess bool `mapstructure:"allowCodeAccess" json:"allowCodeAccess"`
 }
 type HttpClientConfig struct {
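Review bot: `AllowCodeAccess` is added to `BitBucket` as well as `GitHub`, but the only code in this commit that reads the flag is the GitHub branch (`if config.Inbound.GitHub.AllowCodeAccess`), and the README section added in the same commit documents it for GitHub only. A knob that is parsed but has no effect lets an operator believe Bitbucket code access can be toggled when it cannot; either drop the field from `BitBucket` or wire it to a gated append like the GitHub one. Neither new field has a doc comment; on the GitHub field, `// AllowCodeAccess additionally allowlists the GET file-content and commit routes; defaults to false.` would match what the README says the flag does.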
@@ -393,6 +395,23 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 Methods: ParseHttpMethods([]string{"GET"}),
 SetRequestHeaders: headers,
 })
+
+ if config.Inbound.GitHub.AllowCodeAccess {
+ config.Inbound.Allowlist = append(config.Inbound.Allowlist,
+ // get contents of file
+ AllowlistItem{
+ URL: gitHubBaseUrl.JoinPath("/repos/:repo/contents/:filepath").String(),
+ Methods: ParseHttpMethods([]string{"GET"}),
+ SetRequestHeaders: headers,
+ },
+ // Commits
+ AllowlistItem{
+ URL: gitHubBaseUrl.JoinPath("/repos/:repo/commits").String(),
+ Methods: ParseHttpMethods([]string{"GET"}),
+ SetRequestHeaders: headers,
+ },
+ )
+ }
 }
 if config.Inbound.GitLab != nil {
From dbe45eaaed967b3057621efd1f4e4ca8946a2203 Mon Sep 17 00:00:00 2001
From: Vivek Khimani
Date: Sat, 27 Jul 2024 12:43:14 -0700
Subject: [PATCH 5/6] bbdc

---
 README.md | 1 +
 pkg/config.go | 11 ++++++++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 47ce1b9..f185313 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,7 @@ Under the hood, this config adds these allowlist items:
 - GET `https://bitbucket.example.com/rest/api/latest/projects/:project/repos/:repo/default-branch`
 - GET `https://bitbucket.example.com/rest/api/latest/projects/:project/:repo/pull-requests`
 - POST `https://bitbucket.example.com/rest/api/latest/projects/:project/repos/:repo/pull-requests/:number/comments`
+- POST `https://bitbucket.example.com/rest/api/latest/projects/:project/repos/:repo/pull-requests/:number/blocker-comments`
 ### Allowlist
diff --git a/pkg/config.go b/pkg/config.go
index 1ef4884..71eb826 100644
--- a/pkg/config.go
+++ b/pkg/config.go
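Review bot: Both added GitHub routes omit the owner segment: `/repos/:repo/contents/:filepath` and `/repos/:repo/commits` do not follow the `/repos/:owner/:repo/...` shape the README uses for the existing GitHub entries, and with a variable matching a single segment (as the allowlist tests assert for `variable-path/a/b`) a request to `/repos/<owner>/<repo>/commits` would fail the literal `commits` comparison at the position of `<repo>`, so the gated entries would never match. Change the two paths to `gitHubBaseUrl.JoinPath("/repos/:owner/:repo/contents/:filepath")` and `gitHubBaseUrl.JoinPath("/repos/:owner/:repo/commits")`. Content paths for nested files also contain `/`, so whether `:filepath` is allowed to span more than one segment needs confirming against the matcher; if it is not, that entry should use the wildcard form the tests exercise under `wildcard-path`. LoadConfig's body starts and ends outside the hunk.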
@@ -215,9 +215,8 @@ type GitLab struct {
 }
 type BitBucket struct {
- BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
- Token string `mapstructure:"token" json:"token"`
- AllowCodeAccess bool `mapstructure:"allowCodeAccess" json:"allowCodeAccess"`
+ BaseURL string `mapstructure:"baseUrl" json:"baseUrl"`
+ Token string `mapstructure:"token" json:"token"`
 }
 type HttpClientConfig struct {
@@ -567,6 +566,12 @@ func LoadConfig(configFiles []string, deploymentId int) (*Config, error) {
 Methods: ParseHttpMethods([]string{"POST"}),
 SetRequestHeaders: headers,
 },
+ // post blockerPR comment
+ AllowlistItem{
+ URL: bitBucketBaseUrl.JoinPath("/projects/:project/repos/:repo/pull-requests/:number/blocker-comments").String(),
+ Methods: ParseHttpMethods([]string{"POST"}),
+ SetRequestHeaders: headers,
+ },
 )
 }
From 83da12a5ac3dfa721f62efec4af1962179201e50 Mon Sep 17 00:00:00 2001
From: Vivek Khimani
Date: Sat, 27 Jul 2024 15:19:30 -0700
Subject: [PATCH 6/6] done

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index f185313..9e19bbd 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,7 @@ inbound:
 github:
 baseUrl: https://github.example.com/api/v3
 token: ...
+ allowCodeAccess: false # default is false, set to true to allow Semgrep to read file contents
 ```
 Under the hood, this config adds these allowlist items:
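Review bot: The comment `// post blockerPR comment` above the new Bitbucket item in the second hunk reads as a typo; the route is `pull-requests/:number/blocker-comments`, so `// post PR blocker comment` says the same thing in the style of the `// post MR comment` comments used for the other providers. The first hunk is a pure removal of the `BitBucket` field that no hunk in this series reads, which is consistent with the README documenting the flag for GitHub and GitLab only. LoadConfig's body starts and ends outside the second hunk.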