Query Library

elad_pt edited this page Nov 6, 2023 · 3 revisions

Introduction

This wiki page provides documentation for the query library used in RAVEN. The query library contains research-based queries with information about the query structure, tags, severity levels, and more.

Query Structure

A query in our library is structured as follows:

id: RQ-1

info:
  name: Body Context Injection
  severity: critical
  description: Body Injection is caused by using body variables in inline scripts
  full-description: |
    Issues, comments, discussions, and PR bodies can contain any text and special characters.
    By using a body variable in an inline script, an attacker can inject arbitrary code into the build process.
  references:
    - [GitHub Actions Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)
    - [Cycode Blog](https://cycode.com/blog/github-actions-vulnerabilities/)
    - [Raven Documentation](https://github.com/CycodeLabs/raven/blob/main/docs/issue_injections/README.md)
  tags:
    - injection
    - unauthenticated

query: |
  NEO4J_QUERY

Tags and Severity Levels

We use tags and severity levels to categorize and prioritize vulnerabilities.

Tags

  • injection: Vulnerabilities related to code injection.
  • unauthenticated: Vulnerabilities that can be exploited without authentication.
  • fixed: Indicates vulnerabilities that have been fixed.
  • priv-esc: Privilege escalation vulnerabilities.
  • supply-chain: Vulnerabilities in the software supply chain.
  • best-practice: Queries related to best practices.
  • endoflife: Vulnerabilities related to components that have reached end-of-life or end-of-support.

Severity Levels

Severity levels help assess the impact of vulnerabilities on a scale from 0 (info) to 4 (critical).

  • info (Severity Level 0): Informational, not severe.
  • low (Severity Level 1): Low severity, minimal impact.
  • medium (Severity Level 2): Moderate impact.
  • high (Severity Level 3): High impact, requires attention.
  • critical (Severity Level 4): Critical, requires immediate action.

Breakdown

  • id: The unique identifier for the query (the RQ prefix followed by an incrementing number, e.g. RQ-1).
  • name: The name of the query.
  • severity: The severity level of the query.
  • description: A brief description of the query.
  • full-description: A detailed description of the query.
  • references: Links to relevant documentation and resources.
  • tags: Tags associated with the vulnerability.
  • query: The actual Cypher query (Cypher is Neo4j's graph query language).
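The field breakdown above amounts to a small schema, and the tag and severity vocabularies are closed sets, so a contributor can check a query file mechanically before opening a pull request. The validator below is an added example and is not RAVEN's own code: the field names, tag list and severity scale come from this page, while the exact id pattern (`RQ-<number>`), the markdown-link shape expected for references, and the rejection of the `NEO4J_QUERY` placeholder are this example's assumptions. The sample definitions are constructed here; the Cypher bodies are generic statements, not queries from the library.

```python
"""Validate RAVEN-style query definitions against the documented fields.

Added example, not RAVEN's own code. Field names, tags and severity names
are taken from the wiki page; the id regex, the reference-link shape and the
placeholder check are assumptions made for this example.
"""
import re

# Closed vocabularies from the "Tags" and "Severity Levels" sections.
KNOWN_TAGS = {
    "injection", "unauthenticated", "fixed", "priv-esc",
    "supply-chain", "best-practice", "endoflife",
}
SEVERITY_LEVELS = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed shapes: ids are RQ-<number>; references are markdown links.
ID_PATTERN = re.compile(r"^RQ-\d+$")
REFERENCE_PATTERN = re.compile(r"^\[[^\]]+\]\(https?://[^)\s]+\)$")
REQUIRED_INFO = ("name", "severity", "description", "full-description",
                 "references", "tags")


def validate_query(query: dict) -> list[str]:
    """Return a list of problems; an empty list means the definition is valid."""
    problems = []
    qid = query.get("id", "")
    if not isinstance(qid, str) or not ID_PATTERN.match(qid):
        problems.append(f"id {qid!r} must look like RQ-<number>")

    info = query.get("info")
    if not isinstance(info, dict):
        return problems + ["missing 'info' section"]

    for key in REQUIRED_INFO:
        if key not in info:
            problems.append(f"info.{key} is missing")

    severity = info.get("severity")
    if severity not in SEVERITY_LEVELS:
        problems.append(f"severity {severity!r} not one of {sorted(SEVERITY_LEVELS)}")

    tags = info.get("tags") or []
    if not tags:
        problems.append("at least one tag is required")
    unknown = sorted(set(tags) - KNOWN_TAGS)
    if unknown:
        problems.append(f"unknown tags: {unknown}")

    for ref in info.get("references") or []:
        if not isinstance(ref, str) or not REFERENCE_PATTERN.match(ref):
            problems.append(f"reference {ref!r} is not a [title](url) link")

    cypher = query.get("query", "")
    if not isinstance(cypher, str) or not cypher.strip() or cypher.strip() == "NEO4J_QUERY":
        problems.append("query must contain a Cypher statement, not a placeholder")
    return problems


def severity_rank(query: dict) -> int:
    """Numeric severity 0-4 (page scale); -1 if the name is unknown."""
    return SEVERITY_LEVELS.get(query.get("info", {}).get("severity"), -1)


def sort_by_severity(queries: list[dict]) -> list[str]:
    """Query ids ordered most severe first; ties keep library order."""
    return [q["id"] for q in sorted(queries, key=severity_rank, reverse=True)]


# Constructed samples. RQ-1 mirrors the page's example with a generic Cypher
# body; RQ-3 is a made-up low-severity entry; the third is deliberately broken.
SAMPLE_VALID = {
    "id": "RQ-1",
    "info": {
        "name": "Body Context Injection",
        "severity": "critical",
        "description": "Body Injection is caused by using body variables in inline scripts",
        "full-description": "Issues, comments, discussions, and PR bodies can contain any text.",
        "references": [
            "[GitHub Actions Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)",
        ],
        "tags": ["injection", "unauthenticated"],
    },
    "query": "MATCH (n) RETURN n LIMIT 1",  # illustrative only
}
SAMPLE_LOW = {
    "id": "RQ-3",
    "info": {
        "name": "Constructed best-practice check",
        "severity": "low",
        "description": "constructed",
        "full-description": "constructed",
        "references": ["[Example](https://example.com/doc)"],
        "tags": ["best-practice"],
    },
    "query": "MATCH (n) RETURN count(n)",  # illustrative only
}
SAMPLE_BROKEN = {
    "id": "rq-2",                      # wrong prefix case
    "info": {
        "name": "Broken entry",
        "severity": "urgent",          # not on the 0-4 scale
        "description": "constructed",
        "full-description": "constructed",
        "references": ["https://example.com"],   # bare URL, not a link
        "tags": ["injection", "rce"],  # "rce" is not a known tag
    },
    "query": "NEO4J_QUERY",            # placeholder left in place
}

if __name__ == "__main__":
    for q in (SAMPLE_VALID, SAMPLE_LOW, SAMPLE_BROKEN):
        print(q["id"], validate_query(q) or "ok")
    print(sort_by_severity([SAMPLE_LOW, SAMPLE_VALID]))
```

Running the file reports `ok` for RQ-1 and RQ-3, five problems for the broken entry, and `['RQ-1', 'RQ-3']` as the severity ordering. The validator takes an already-parsed dictionary, so it can sit behind any YAML loader the project uses without adding a dependency here.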

Usage

The query library is a critical component of RAVEN, helping us identify and mitigate vulnerabilities in GitHub Actions workflows. We encourage users to leverage these queries to enhance the security of their projects.

Update and Maintenance

We regularly update and maintain RAVEN's query library to ensure it effectively identifies vulnerabilities. Feel free to open issues and submit new queries to enrich the query library.