From b9e5dd9585310bf6a69fef0b31e21c88b55bd407 Mon Sep 17 00:00:00 2001
From: V0ldek
Date: Tue, 31 Oct 2023 01:02:20 +0000
Subject: [PATCH] ci: set restrictive egress rules on runners
- Following up on StepSecurity upgrades, runners now block egress traffic by default and allow only specific trusted endpoints.
---
.clusterfuzzlite/Dockerfile | 2 +-
.github/dependabot.yml | 12 ++++++++----
.github/workflows/book.yml | 10 +++++++++-
.github/workflows/closed-issue.yml | 5 ++++-
.github/workflows/clusterfuzzlite-batch.yml | 13 ++++++++++++-
.github/workflows/clusterfuzzlite-cron.yml | 13 ++++++++++++-
.github/workflows/clusterfuzzlite-pr.yml | 13 ++++++++++++-
.github/workflows/dependency-review.yml | 6 +++++-
.github/workflows/nix-shell.yml | 13 ++++++++++++-
.github/workflows/release.yml | 9 ++++++++-
.github/workflows/rust.yml | 14 +++++++++++++-
.github/workflows/test-codegen.yml | 6 +++++-
crates/rsonpath-benchmarks | 2 +-
13 files changed, 102 insertions(+), 16 deletions(-)
diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
index 61adaa10..bfb14ea0 100644
--- a/.clusterfuzzlite/Dockerfile
+++ b/.clusterfuzzlite/Dockerfile
@@ -1,4 +1,4 @@
-FROM gcr.io/oss-fuzz-base/base-builder-rust:v1@sha256:52508f7d366f93c0523297783183ae24307567debdc779ea142517e0132601b9
+FROM gcr.io/oss-fuzz-base/base-builder-rust:v1@sha256:ac9054c9c1b969aeb40d26b9bd2a792c2d1dc23f54954d271ddb62c4cc1c8e29
RUN apt-get update && apt-get install -y make autoconf automake libtool
COPY . $SRC/rsonpath
WORKDIR $SRC/rsonpath
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ad04c027..9cf8bfe5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -29,7 +29,8 @@ updates:
- package-ecosystem: cargo
directory: /crates/rsonpath-test-codegen
schedule:
- interval: daily
+ interval: weekly
+ day: Monday
time: "20:01"
assignees:
- V0ldek
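Review bot: The new `day: Monday` value in this hunk, and in the three later dependabot.yml hunks for /crates/rsonpath-test, /fuzz and /.clusterfuzzlite, is capitalised, while Dependabot's documented values for `schedule.day` are lowercase (`monday` through `sunday`); if the config validator is case-sensitive the weekly schedule is rejected as an invalid configuration rather than silently applied. Changing the four lines to `day: monday` matches the documented form and costs nothing. The move from daily to weekly only slows routine version bumps; as far as I know Dependabot security updates are driven by alerts rather than by this schedule, so fixes for known vulnerabilities should still arrive promptly, but that is worth confirming for the docker ecosystem entry, where the base-image digest is the only thing being tracked.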
@@ -44,7 +45,8 @@ updates:
- package-ecosystem: cargo
directory: /crates/rsonpath-test
schedule:
- interval: daily
+ interval: weekly
+ day: Monday
time: "20:01"
assignees:
- V0ldek
@@ -59,7 +61,8 @@ updates:
- package-ecosystem: cargo
directory: /fuzz
schedule:
- interval: daily
+ interval: weekly
+ day: Monday
time: "20:01"
assignees:
- V0ldek
@@ -74,7 +77,8 @@ updates:
- package-ecosystem: docker
directory: /.clusterfuzzlite
schedule:
- interval: daily
+ interval: weekly
+ day: Monday
time: "20:02"
assignees:
- V0ldek
diff --git a/.github/workflows/book.yml b/.github/workflows/book.yml
index 07351820..395a3cfe 100644
--- a/.github/workflows/book.yml
+++ b/.github/workflows/book.yml
@@ -32,7 +32,15 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ crates.io:443
+ index.crates.io:443
+ static.crates.io:443
+ static.rust-lang.org:443
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/closed-issue.yml b/.github/workflows/closed-issue.yml
index 8d872f54..9db89cd1 100644
--- a/.github/workflows/closed-issue.yml
+++ b/.github/workflows/closed-issue.yml
@@ -15,7 +15,10 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
- uses: V0ldek/modify-label@65905feb4c09417e7caed08928595a0b4f9b3d42 # v1.0.0
with:
diff --git a/.github/workflows/clusterfuzzlite-batch.yml b/.github/workflows/clusterfuzzlite-batch.yml
index a3369e3a..2cd00575 100644
--- a/.github/workflows/clusterfuzzlite-batch.yml
+++ b/.github/workflows/clusterfuzzlite-batch.yml
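Review bot: The book.yml allowlist cannot be checked against the job from this hunk alone, and one likely gap stands out: `github.com:443` covers git-over-HTTPS for the checkout step, but any step that downloads a GitHub release asset (the usual way mdbook is installed in CI) follows a redirect to `objects.githubusercontent.com:443`, which is not listed and would be blocked under `egress-policy: block`. The previous `egress-policy: audit` setting recorded the endpoints each run actually contacted; comparing that record against these six entries before merging is the cheapest way to confirm nothing needed is missing, and is the same check the closed-issue.yml hunk below, which allows only `api.github.com:443`, should get. The steps that decide this are outside the hunk.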
@@ -25,7 +25,18 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ crates.io:443
+ index.crates.io:443
+ static.crates.io:443
+ archive.ubuntu.com:80
+ security.ubuntu.com:80
+ static.rust-lang.org:443
+ gcr.io:443
+ storage.googleapis.com:443
- name: Build Fuzzers (${{ matrix.sanitizer }})
id: build
diff --git a/.github/workflows/clusterfuzzlite-cron.yml b/.github/workflows/clusterfuzzlite-cron.yml
index 84431b18..febfac49 100644
--- a/.github/workflows/clusterfuzzlite-cron.yml
+++ b/.github/workflows/clusterfuzzlite-cron.yml
@@ -15,7 +15,18 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ crates.io:443
+ index.crates.io:443
+ static.crates.io:443
+ archive.ubuntu.com:80
+ security.ubuntu.com:80
+ static.rust-lang.org:443
+ gcr.io:443
+ storage.googleapis.com:443
- name: Build Fuzzers
id: build
diff --git a/.github/workflows/clusterfuzzlite-pr.yml b/.github/workflows/clusterfuzzlite-pr.yml
index d43a907f..b0ee9a34 100644
--- a/.github/workflows/clusterfuzzlite-pr.yml
+++ b/.github/workflows/clusterfuzzlite-pr.yml
@@ -25,7 +25,18 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ crates.io:443
+ index.crates.io:443
+ static.crates.io:443
+ archive.ubuntu.com:80
+ security.ubuntu.com:80
+ static.rust-lang.org:443
+ gcr.io:443
+ storage.googleapis.com:443
- name: Build Fuzzers (${{ matrix.sanitizer }})
id: build
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 3186a425..dbd422fb 100644
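Review bot: The nine-entry allowlist in this clusterfuzzlite-batch.yml hunk is repeated verbatim in the clusterfuzzlite-cron.yml and clusterfuzzlite-pr.yml hunks that follow, so any future endpoint change has to be made three times and the three copies can drift without anyone noticing. Either a comment on each copy, `# keep in sync with clusterfuzzlite-cron.yml and clusterfuzzlite-pr.yml`, or moving the Harden Runner step into one shared reusable workflow would make the coupling explicit. Two entries are plain HTTP (`archive.ubuntu.com:80`, `security.ubuntu.com:80`); that is acceptable because apt authenticates the signed Release metadata it fetches, but a one-line comment recording that reasoning would stop a later reader from treating port 80 as an oversight. The build steps that actually use these endpoints are outside the hunk.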
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -19,7 +19,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
- name: "Checkout Repository"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.github/workflows/nix-shell.yml b/.github/workflows/nix-shell.yml
index defef0d0..7b8828c3 100644
--- a/.github/workflows/nix-shell.yml
+++ b/.github/workflows/nix-shell.yml
@@ -15,7 +15,18 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ crates.io:443
+ index.crates.io:443
+ static.crates.io:443
+ static.rust-lang.org:443
+ nixos.org:443
+ cache.nixos.org:443
+ channels.nixos.org:443
+ releases.nixos.org:443
+ tarballs.nixos.org:443
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 60da9b32..a44e54e6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -91,7 +91,14 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ crates.io:443
+ index.crates.io:443
+ static.crates.io:443
+ static.rust-lang.org:443
- name: Run prologue script
if: matrix.prologue-script != ''
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index 0f3dc598..2532e9a2 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
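Review bot: The nix-shell.yml hunk switches to `egress-policy: block` without the `disable-sudo: true` line that the book, closed-issue, clusterfuzzlite, dependency-review and release hunks all add alongside it, and nothing in the hunk says why. If that is deliberate because the Nix installer step needs root (plausible, but that step is outside the hunk), a comment above `egress-policy: block` such as `# sudo stays enabled: the Nix installer needs it` records the exception; if it is an oversight, the line should be added for parity. The same omission appears in the rust.yml and test-codegen.yml hunks later in the patch; test-codegen visibly runs `sudo apt install lld`, so there it is explained by the context lines, but it deserves the same comment.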
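Review bot: The release.yml allowlist has no `api.github.com:443` entry, which the book.yml and dependency-review.yml hunks include, and no `uploads.github.com:443`; if any later step in this job creates a GitHub release or uploads build artifacts to one (the remaining steps, including the prologue script, are outside the hunk), those calls are blocked under `egress-policy: block`, and because the job presumably runs on tags the failure would first show up during an actual release rather than in PR CI. Checking the endpoints recorded by the previous `audit` policy for a past release run, and adding `api.github.com:443` and `uploads.github.com:443` if they appear there, avoids discovering this at release time. If publishing is done by a different job whose hardening block is not in this patch, a short comment saying so would keep the next reader from asking the same question.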
@@ -91,7 +91,19 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ azure.archive.ubuntu.com:80
+ esm.ubuntu.com:443
+ motd.ubuntu.com:443
+ crates.io:443
+ index.crates.io:443
+ static.crates.io:443
+ static.rust-lang.org:443
+ packages.microsoft.com:443
+ ppa.launchpadcontent.net:443
- name: Cache restore (MinGW)
id: cache-restore-mingw
diff --git a/.github/workflows/test-codegen.yml b/.github/workflows/test-codegen.yml
index 0fb3b0de..90405ed1 100644
--- a/.github/workflows/test-codegen.yml
+++ b/.github/workflows/test-codegen.yml
@@ -29,7 +29,11 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
- egress-policy: audit
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ azure.archive.ubuntu.com:80
+ static.rust-lang.org:443
- name: Install lld
run: sudo apt install lld
diff --git a/crates/rsonpath-benchmarks b/crates/rsonpath-benchmarks
index ec1d4054..dde97ffc 160000
--- a/crates/rsonpath-benchmarks
+++ b/crates/rsonpath-benchmarks
@@ -1 +1 @@
-Subproject commit ec1d40542ed6f7e74d550969764f135c5c848d59
+Subproject commit dde97ffc4d184485c30156ec7a67c8118250c8e4
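Review bot: `esm.ubuntu.com:443` and `motd.ubuntu.com:443` in the rust.yml allowlist are, as far as I can tell, reached only by Ubuntu's apt ESM hook and MOTD news fetch rather than by anything the build itself needs, so they widen the egress surface without serving a step; a blocked call from those hooks should surface as a warning rather than a failed step, so they can probably be dropped, which one CI run would confirm. Under `egress-policy: block` the list also becomes the only record of what this job talks to, so a comment naming the step behind `packages.microsoft.com:443` and `ppa.launchpadcontent.net:443` (presumably an `apt-get update` over the runner image's preconfigured sources, though those steps are outside the hunk) would help whoever prunes the list next. The test-codegen.yml hunk below allows only `azure.archive.ubuntu.com:80` for its `sudo apt install lld`, which suggests the other apt sources are not required there and may not be here either.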