🐛 detect dangerous patterns in toJSON() in dangerous workflows

Signed-off-by: Adam Korczynski <[email protected]>

Author: AdamKorcz

checks/raw/dangerous_workflow.go

@@ -52,7 +52,9 @@ func containsUntrustedContextPattern(variable string) bool {
 	if strings.Contains(variable, "github.head_ref") {
 		return true
 	}
-	return strings.Contains(variable, "github.event.") && untrustedContextPattern.MatchString(variable)
+	return strings.Contains(variable, "github.event.") &&
+		(untrustedContextPattern.MatchString(variable) ||
+			untrustedContextPattern.MatchString(fmt.Sprintf("toJSON(%s)", variable)))
 }
 
 type triggerName string

checks/raw/dangerous_workflow_test.go

@@ -17,6 +17,7 @@ package raw
 import (
 	"context"
 	"errors"
+	"fmt"
 	"io"
 	"os"
 	"testing"
@@ -83,6 +84,9 @@ func TestUntrustedContextVariables(t *testing.T) {
 			if r := containsUntrustedContextPattern(tt.variable); !r == tt.expected {
 				t.Fail()
 			}
+			if r := containsUntrustedContextPattern(fmt.Sprintf("toJSON(%s)", tt.variable)); !r == tt.expected {
+				t.Fail()
+			}
 		})
 	}
 }