Yaml Other Write Execute
Description
Detects YAML configurations that set insecure file permissions giving write or execute access to "others" (world). Such permissive file permissions can allow unauthorized users to modify or execute sensitive files, potentially leading to security breaches.
Detection Strategy
• Search for YAML configuration files (for example CI/CD pipeline definitions) whose steps set file permissions
• Check whether the 'others' field of the mode (the last octal digit) includes the write (2) or execute (1) bit
• Flag configurations where permissions are too permissive (e.g. 0777, 0666)
• Report vulnerable configurations that could expose files to unauthorized access
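As an added example of this strategy (not Fluid Attacks' own scanner code), a small Python checker that walks a pipeline file line by line, finds chmod invocations in script steps, decodes both numeric and symbolic modes, and reports those that grant write or execute to "others". The pipeline text is a constructed sample.

```python
import re
# chmod [options...] MODE PATH inside a script step; MODE may be numeric (773) or symbolic (o+w)
CHMOD_RE = re.compile(r"\bchmod\s+(?:-\S+\s+)*(\S+)\s+(\S+)")
OTHER_WRITE, OTHER_EXEC = 0o002, 0o001   # low-order octal digit = 'others'

def others_write_or_exec(mode):
    """Return 'write', 'execute' or 'write+execute' if MODE grants it to others, else None."""
    if re.fullmatch(r"[0-7]{3,4}", mode):            # numeric mode, e.g. 773 or 0666
        bits = int(mode, 8) & 0o7
        names = [n for m, n in ((OTHER_WRITE, "write"), (OTHER_EXEC, "execute")) if bits & m]
        return "+".join(names) or None
    names = []                                        # symbolic mode, e.g. "u=rwx,o+w", "a+x", "+x"
    for clause in mode.split(","):
        m = re.fullmatch(r"([ugoa]*)[+=]([rwxXst]*)", clause)
        if not m:
            continue                                  # '-' clauses only remove bits
        who, perms = m.groups()
        if who and "o" not in who and "a" not in who:
            continue                                  # affects only user/group
        if "w" in perms:
            names.append("write")
        if set(perms) & {"x", "X"}:                   # X: execute for dirs/already-executable files
            names.append("execute")
    return "+".join(dict.fromkeys(names)) or None     # dedupe while keeping order

def scan_yaml(text):
    """Scan pipeline YAML text and return (line_no, mode, path, reason) for each risky chmod."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CHMOD_RE.finditer(line):
            mode, path = m.groups()
            reason = others_write_or_exec(mode)
            if reason:
                findings.append((line_no, mode, path, f"others get {reason}"))
    return findings

# Constructed Azure Pipelines sample (not a real project file); lines 6, 7 and 10 should be flagged
SAMPLE_PIPELINE = """\
trigger:
- main
pool:
  vmImage: "ubuntu-latest"
steps:
- script: mkdir -p ./sensitive_app && chmod 773 ./sensitive_app
- script: chmod -R o+w ./shared_cache
- script: mkdir -p ./sensitive_app && chmod 750 ./sensitive_app
- script: chmod u+x ./run.sh
- script: chmod +x ./deploy.sh
"""
```

Running `scan_yaml(SAMPLE_PIPELINE)` flags lines 6, 7 and 10 while leaving the 750 and u+x steps alone; a symbolic clause with no who-list (`+x`) applies to everyone, so it counts.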
Vulnerable code example
trigger:
- main
pool:
  vmImage: "ubuntu-latest"
steps:
- script: mkdir -p ./sensitive_app && chmod 773 ./sensitive_app # Vulnerable: grants write+execute (wx) to others...
✅ Secure code example
trigger:
- main
pool:
  vmImage: "ubuntu-latest"
steps:
- script: mkdir -p ./sensitive_app && chmod 750 ./sensitive_app # Safe: only owner/group access, others can't write/execute...