reviewdog: add fickling support

brave · Nov 7, 2024 · 7a02646 · 7a02646
1 parent 9a88980
commit 7a02646
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 3 deletions.
diff --git a/actions/main/action.cjs b/actions/main/action.cjs
@@ -91,7 +91,7 @@ module.exports = async ({ github, context, inputs, actionPath, core, debug = fal
 
   // Install semgrep & pip-audit
   await runCommand(`pip install --disable-pip-version-check -r ${actionPath}/requirements.txt`, { shell: true })
-  debugLog('Installed semgrep & pip-audit')
+  debugLog('Installed semgrep & pip-audit & fickling')
   // Install xmllint for safesvg
   await runCommand('sudo apt-get install -y libxml2-utils', { shell: true })
   debugLog('Installed xmllint')

diff --git a/assets/fickling-audit.py b/assets/fickling-audit.py
@@ -0,0 +1,19 @@
+import fickling
+from os import environ, path
+
+def is_pickle_unsafe(file_path):
+    try:
+        return not fickling.is_likely_safe(file_path)
+    except Exception:
+        return False
+
+def main():
+    with open(path.join(environ["SCRIPTPATH"], "all_changed_files.txt")) as all_changed_files:
+        all_changed_files = [f for f in all_changed_files.read().split("\x00")]
+
+        for f in all_changed_files:
+            if is_pickle_unsafe(f):
+                print("""H:%s:0 This pickle might contain unsafe contructs""" % (f))
+
+if __name__ == "__main__":
+    main()
diff --git a/assets/reviewdog.sh b/assets/reviewdog.sh
@@ -8,7 +8,7 @@ export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
 export SEC_ACTION_DEBUG=$SEC_ACTION_DEBUG
 export ASSIGNEES=$(echo "$ASSIGNEES" | sed 's|\([^ ]\)|@\1|' | tr -s '\n' ' ')
 
-RUNNERS="safesvg tfsec semgrep sveltegrep npm-audit pip-audit" # disabled: brakeman
+RUNNERS="safesvg tfsec semgrep sveltegrep npm-audit pip-audit fickling" # disabled: brakeman
 
 if [ -n "${GITHUB_BASE_REF+set}" ]; then
     for runner in $RUNNERS; do

diff --git a/assets/reviewdog/reviewdog.yml b/assets/reviewdog/reviewdog.yml
@@ -85,3 +85,11 @@ runner:
     cmd: "set -e\n(python3 $SCRIPTPATH/pip-audit.py \\\n| $SCRIPTPATH/cleaner.rb) 2> /dev/null # reviewdog.pip-audit.stderr.log \n"
     errorformat:
       - "%t:%f:%l %m"
+  fickling:
+    name: fickling
+    cmd: |
+      set -e
+      (python3 $SCRIPTPATH/fickling-audit.py \
+      | $SCRIPTPATH/cleaner.rb) 2> reviewdog.fickling.stderr.log
+    errorformat:
+      - "%t:%f:%l %m"
diff --git a/requirements.txt b/requirements.txt
@@ -1,3 +1,4 @@
 # Also alter semgrep self test yml
 semgrep~=1.95.0
-pip-audit~=2.7.0
+pip-audit~=2.7.0
+fickling~=0.1.3