ADO Pwn Request (#169)

Author: SUSTAPLE117

docs/content/en/rules/img.png

@@ -194,8 +194,25 @@ jobs:
           })
 ```
 
+### Azure DevOps
+
+#### Caveat
+False positives are likely given that static analysis of solely the pipeline file is not enough to confirm exploitability
+
+#### Recommended
+##### Azure DevOps Settings
+Organization Setting:
+![img.png](img.png)
+
+Avoid activating the following settings to prevent issues:
+![img_1.png](img_1.png)
+
+
+
 ## See Also
 - [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
 - [Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry](https://boostsecurity.io/blog/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry)
 - [The tale of a Supply Chain near-miss incident](https://boostsecurity.io/blog/the-tale-of-a-supply-chain-near-miss-incident)
 - [Living Off The Pipeline](https://boostsecurityio.github.io/lotp/)
+- https://learn.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#important-security-considerations
+- https://learn.microsoft.com/en-us/azure/devops/pipelines/security/misc?view=azure-devops#dont-provide-secrets-to-fork-builds

docs/content/en/rules/img_1.png

@@ -9,9 +9,9 @@ import (
 type AzurePipeline struct {
 	Path string `json:"path" yaml:"-"`
 
-	Stages    []AzureStage      `json:"stages"`
-	Pr        AzurePr           `json:"pr"`
-	Variables map[string]string `json:"variables"`
+	Stages    []AzureStage           `json:"stages"`
+	Pr        AzurePr                `json:"pr"`
+	Variables AzurePipelineVariables `json:"variables"`
 }
 
 func (o AzurePipeline) IsValid() bool {
@@ -128,3 +128,32 @@ func (o *AzureStep) UnmarshalYAML(node *yaml.Node) error {
 	*o = AzureStep(s)
 	return nil
 }
+
+type AzurePipelineVariable struct {
+	Name  string `yaml:"name"`
+	Value string `yaml:"value"`
+}
+
+type AzurePipelineVariables struct {
+	Map map[string]string `json:"map"`
+}
+
+func (v *AzurePipelineVariables) UnmarshalYAML(value *yaml.Node) error {
+	v.Map = make(map[string]string)
+
+	var mapFormat map[string]string
+	if err := value.Decode(&mapFormat); err == nil {
+		v.Map = mapFormat
+		return nil
+	}
+
+	var listFormat []AzurePipelineVariable
+	if err := value.Decode(&listFormat); err == nil {
+		for _, variable := range listFormat {
+			v.Map[variable.Name] = variable.Value
+		}
+		return nil
+	}
+
+	return fmt.Errorf("variables must be either a map or a list of objects")
+}

docs/content/en/rules/untrusted_checkout_exec.md

@@ -45,9 +45,9 @@ func TestAzurePipeline(t *testing.T) {
 						},
 					},
 				},
-				Variables: map[string]string{
+				Variables: AzurePipelineVariables{map[string]string{
 					"system.debug": "true",
-				},
+				}},
 			},
 		},
 		{

models/azure_pipelines.go

@@ -96,7 +96,7 @@ results contains poutine.finding(rule, pkg.purl, {
 }) if {
 	pkg := input.packages[_]
 	pipeline := pkg.azure_pipelines[_]
-	pipeline.variables[key]
+	pipeline.variables.map[key]
 	key == "system.debug"
-	pipeline.variables[key] == "true"
+	pipeline.variables.map[key] == "true"
 }

models/azure_pipelines_test.go

@@ -91,3 +91,46 @@ _workflows_runs_from_pr contains [pkg.purl, workflow] if {
 
 	utils.filter_workflow_events(parent, github.workflow_run.parent.events)
 }
+
+# Azure Devops
+
+results contains poutine.finding(rule, pkg_purl, {
+	"path": pipeline_path,
+	"job": job,
+	"step": s.step_idx,
+	"line": s.step.lines[attr],
+	"details": sprintf("Detected usage of `%s`", [cmd]),
+}) if {
+	[pkg_purl, pipeline_path, s, job] := _steps_after_untrusted_checkout_ado[_]
+	regex.match(
+		sprintf("([^a-z]|^)(%v)", [concat("|", build_commands[cmd])]),
+		s.step[attr],
+	)
+}
+
+_steps_after_untrusted_checkout_ado contains [pkg.purl, pipeline.path, s, job] if {
+	pkg := input.packages[_]
+	pipeline := pkg.azure_pipelines[_]
+	pipeline.pr.disabled == false
+	stage := pipeline.stages[_]
+
+	checkout := find_ado_checkout(stage)[_]
+	s := steps_after(checkout)[_]
+	job := stage.jobs[s.job_idx].job
+}
+
+steps_after(checkout) := steps if {
+	steps := {{"step": s, "job_idx": checkout.job_idx, "step_idx": k} |
+		s := checkout.stage.jobs[checkout.job_idx].steps[k]
+		k > checkout.step_idx
+	}
+}
+
+find_ado_checkout(stage) := xs if {
+	xs := {{"job_idx": j, "step_idx": i, "stage": stage} |
+		s := stage.jobs[j].steps[i]
+		s[step_attr]
+		step_attr == "checkout"
+		s[step_attr] == "self"
+	}
+}

opa/rego/rules/debug_enabled.rego

@@ -375,6 +375,28 @@ func TestFindings(t *testing.T) {
 				Details: "system.debug",
 			},
 		},
+		{
+			RuleId: "untrusted_checkout_exec",
+			Purl:   purl,
+			Meta: opa.FindingMeta{
+				Path:    "azure-pipelines-2.yml",
+				Line:    14,
+				Job:     "",
+				Step:    "2",
+				Details: "Detected usage of `npm`",
+			},
+		},
+		{
+			RuleId: "untrusted_checkout_exec",
+			Purl:   purl,
+			Meta: opa.FindingMeta{
+				Path:    "azure-pipelines-4.yml",
+				Line:    11,
+				Job:     "",
+				Step:    "2",
+				Details: "Detected usage of `npm`",
+			},
+		},
 	}
 
 	assert.Equal(t, len(findings), len(results.Findings))

opa/rego/rules/untrusted_checkout_exec.rego

@@ -7,3 +7,4 @@ steps:
     echo "Hello, pr!"
 - bash: |
     curl $(URL) | bash
+- script: npm install

scanner/inventory_test.go

@@ -0,0 +1,14 @@
+pr:
+  - main
+
+pool:
+  vmImage: ubuntu-latest
+
+variables:
+  - name: trustedSourceUrl
+    value: https://gist.githubusercontent.com/fproulx-boostsecurity/fef312cd7d54b9420b10fd50d0793191/raw/a5f417b88fa2184a9726b274daf18d29da6c79ad/id
+
+steps:
+  - checkout: self
+  - script: bash script.sh
+  - script: npm install