Protect environment variables better #90

Open
@scovetta

Description

We need to pass some environment variables into the analysis container in order for tools like Snyk to use, or for the GitHub API to be queried.

We also install packages into the container, so we should expect environment variables to walk away.

Some options:

  • Trivially encode, or encrypt with a static password. An attacker would have to learn that the payload came from the Omega Analyzer in order to decode it, which is probably more trouble than it's worth.
  • Squirrel away the password inside the image -- maybe the first thing the image does when starting is pull those variables out of env and put them somewhere on disk. An attacker would have to have a malware payload specifically look for it.
  • Have the parts of analysis that involve running untrusted code happen at the very end, and clear environment variables right before it, so there's nothing left to lose.

I'm leaning toward the last one, which should be pretty straightforward. Places we run code:

  • For npm only -- CodeQL post-install - We install a module and then run CodeQL across the entire directory, to capture all transitive dependencies. As part of the analysis, CodeQL will attempt to build, running configure/make/etc.
  • For npm, pypi, and nuget -- The strace logic does an "install" (npm i, pip install, or dotnet add).
  • For npm only -- npm audit does an install first.

These already exist near the end of the script; we might just need to move Snyk Code and manalyze up a bit.
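The third option above (scrub the environment before any phase that executes package code), written out as an added POSIX sh example. This is not Omega Analyzer code: the variable names SNYK_TOKEN and GITHUB_TOKEN, the SENSITIVE_VARS list and the stand-in install command are assumptions for illustration; the real script would list whatever it actually passes into the container.

```shell
#!/bin/sh
# Added example, not Omega Analyzer code: keep secrets available for the trusted
# phases (Snyk, GitHub API queries), then run every phase that executes package
# code (npm i, pip install, dotnet add, the CodeQL build) without them.
set -eu

# Variables that must not reach untrusted code. The names are assumptions for
# this example; the real analyzer would list what it passes into the container.
SENSITIVE_VARS="SNYK_TOKEN GITHUB_TOKEN"

# Run "$@" in a subshell whose environment no longer contains the sensitive
# variables. The parent shell keeps them, so trusted phases can still follow.
run_untrusted() {
    (
        for v in $SENSITIVE_VARS; do unset "$v"; done
        exec "$@"
    )
}

# Drop the secrets from this shell as well, for the point in the script after
# which nothing legitimate needs them (the issue's third option).
drop_secrets() {
    for v in $SENSITIVE_VARS; do unset "$v"; done
}

# Count how many sensitive variables an ordinary child process would inherit.
inherited_count() {
    n=0
    for v in $SENSITIVE_VARS; do
        if sh -c "[ -n \"\${$v:-}\" ]"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Same count, but for a child started through run_untrusted; expected to be 0.
leaked_count() {
    n=0
    for v in $SENSITIVE_VARS; do
        if run_untrusted sh -c "[ -n \"\${$v:-}\" ]"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Demo with constructed values (not real tokens).
SNYK_TOKEN="constructed-example-token"; export SNYK_TOKEN
GITHUB_TOKEN="constructed-example-token"; export GITHUB_TOKEN

echo "trusted phase:   $(inherited_count) secret(s) inherited by children"
echo "untrusted phase: $(leaked_count) secret(s) visible through run_untrusted"

# Stand-in for 'npm i' / 'pip install': the command runs, but sees no token.
run_untrusted sh -c 'echo "install step sees SNYK_TOKEN=${SNYK_TOKEN:-<unset>}"'

# Once Snyk Code, manalyze and the API queries are done, nothing needs the
# secrets any more, so clear them from this shell too.
drop_secrets
echo "after drop_secrets: $(inherited_count) secret(s) inherited by children"
```

The subshell-plus-unset form is portable (no dependence on `env -u`) and leaves the parent's variables intact until `drop_secrets` is called. Note that unsetting only changes what later children inherit: anything that already copied a value during the trusted phase (a process still running with it, or a config file written to disk) keeps it, which is the concern behind the second bullet above.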

Metadata

Assignees: No one assigned

Labels:

  • GHC_OSD: Grace Hopper Conference Open Source Day Issues
  • documentation: Improvements or additions to documentation
  • good first issue: Good for newcomers
  • help wanted: Extra attention is needed

Type: No type

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests