2 files changed

+22
-4
lines changed


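--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -4,6 +4,7 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.ControlChecks
 
 string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
@@ -292,6 +293,16 @@ class ArtifactPoisoningSink extends DataFlow::Node {
 string getPath() { result = download.getPath() }
 }
 
+/**
+* Gets the event that is relevant for the given node in the context of artifact poisoning.
+*
+* This is used to highlight the event in the query results when an alert is raised.
+*/
+Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
+inPrivilegedContext(node.asExpr(), result) and
+not exists(ControlCheck check | check.protects(node.asExpr(), result, "artifact-poisoning"))
+}
+
 /**
 * A taint-tracking configuration for unsafe artifacts
 * that is used may lead to artifact poisoning
@@ -318,6 +329,16 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
 exists(run.getScript().getAFileReadCommand())
 )
 }
+
+predicate observeDiffInformedIncrementalMode() { any() }
+
+Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
+Location getASelectedSinkLocation(DataFlow::Node sink) {
+result = sink.getLocation()
+or
+result = getRelevantEventInPrivilegedContext(sink).getLocation()
+}
 }
 
 /** Tracks flow of unsafe artifacts that is used in an insecure way. */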
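Review bot: `getASelectedSinkLocation` in the `ArtifactPoisoningConfig` hunk selects the event's location alongside the sink's without saying why, and a reader of the .qll alone cannot reconstruct the reason; it is that the query's alert message binds `event` in a `$@` placeholder (see ArtifactPoisoningCritical.ql in this same commit), so presumably the event location must count as a selected location for diff-informed mode to keep such alerts. A comment above the `or`, such as `// The alert message references the event in a $@ placeholder, so its location is selected as well.`, would make that explicit. The doc comment on `getRelevantEventInPrivilegedContext` speaks of "the event", but the predicate can yield several results when a node sits in more than one privileged context, and it also silently encodes the "not protected by a ControlCheck for artifact-poisoning" condition; `Gets an event in whose privileged context the node is used and which no ControlCheck protects against artifact poisoning.` would be the accurate wording. The enclosing `ArtifactPoisoningConfig` module starts before the hunk.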

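--- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
@@ -19,10 +19,7 @@ import codeql.actions.security.ControlChecks
 from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sink, Event event
 where
 ArtifactPoisoningFlow::flowPath(source, sink) and
-inPrivilegedContext(sink.getNode().asExpr(), event) and
-not exists(ControlCheck check |
-check.protects(sink.getNode().asExpr(), event, "artifact-poisoning")
-)
+event = getRelevantEventInPrivilegedContext(sink.getNode())
 select sink.getNode(), source, sink,
 "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
 sink.getNode().toString(), event, event.getName()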
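Review bot: After this hunk the `where` clause no longer names `ControlCheck` or `inPrivilegedContext` directly, so the `import codeql.actions.security.ControlChecks` visible in the hunk header context is presumably now unused unless something outside the hunk still refers to it; if nothing does, drop the import so the query's dependencies reflect what it actually uses. The replacement line `event = getRelevantEventInPrivilegedContext(sink.getNode())` folds the "not protected by a ControlCheck" condition into the library predicate, so the alert set should be unchanged, but that is only true as long as the library keeps the `"artifact-poisoning"` kind in its `protects` call; a one-line comment above the binding, `// event is already filtered for ControlChecks of kind "artifact-poisoning" by the library`, would record that dependency for the next person editing this query. The file's import block and any other query clauses lie outside the hunk.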
