Merge branch 'master' into immutable-actions

Author: KyFaSt

ql/lib/codeql/actions/Ast.qll

@@ -17,6 +17,8 @@ class AstNode instanceof AstNodeImpl {
 
   Job getEnclosingJob() { result = super.getEnclosingJob() }
 
+  Event getATriggerEvent() { result = super.getATriggerEvent() }
+
   Workflow getEnclosingWorkflow() { result = super.getEnclosingWorkflow() }
 
   CompositeAction getEnclosingCompositeAction() { result = super.getEnclosingCompositeAction() }
@@ -100,8 +102,6 @@ class Workflow extends AstNode instanceof WorkflowImpl {
 
   Job getJob(string jobId) { result = super.getJob(jobId) }
 
-  Event getATriggerEvent() { result = super.getATriggerEvent() }
-
   Permissions getPermissions() { result = super.getPermissions() }
 
   Strategy getStrategy() { result = super.getStrategy() }
@@ -200,8 +200,6 @@ abstract class Job extends AstNode instanceof JobImpl {
 
   Permissions getPermissions() { result = super.getPermissions() }
 
-  Event getATriggerEvent() { result = super.getATriggerEvent() }
-
   Strategy getStrategy() { result = super.getStrategy() }
 
   string getARunsOnLabel() { result = super.getARunsOnLabel() }

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -111,6 +111,11 @@ abstract class AstNodeImpl extends TAstNode {
     result = this.getEnclosingCompositeAction().getACallerJob()
   }
 
+  /**
+   * Gets and Event triggering this node.
+   */
+  EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() }
+
   /**
    * Gets the enclosing Step.
    */
@@ -447,7 +452,7 @@ class CompositeActionImpl extends AstNodeImpl, TCompositeAction {
     )
   }
 
-  EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() }
+  override EventImpl getATriggerEvent() { result = this.getACallerJob().getATriggerEvent() }
 }
 
 class WorkflowImpl extends AstNodeImpl, TWorkflowNode {
@@ -486,7 +491,7 @@ class WorkflowImpl extends AstNodeImpl, TWorkflowNode {
   PermissionsImpl getPermissions() { result.getNode() = n.lookup("permissions") }
 
   /** Gets the trigger event that starts this workflow. */
-  EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result }
+  override EventImpl getATriggerEvent() { this.getOn().getAnEvent() = result }
 
   /** Gets the strategy for this workflow. */
   StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") }
@@ -918,7 +923,7 @@ class JobImpl extends AstNodeImpl, TJobNode {
   StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") }
 
   /** Gets the trigger event that starts this workflow. */
-  EventImpl getATriggerEvent() {
+  override EventImpl getATriggerEvent() {
     if this.getEnclosingWorkflow() instanceof ReusableWorkflowImpl
     then
       result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent()
@@ -1174,6 +1179,8 @@ class StepImpl extends AstNodeImpl, TStepNode {
     result = super.getEnclosingJob()
   }
 
+  override EventImpl getATriggerEvent() { result = this.getEnclosingJob().getATriggerEvent() }
+
   EnvImpl getEnv() { result.getNode() = n.lookup("env") }
 
   /** Gets the ID of this step, if any. */

ql/lib/codeql/actions/config/Config.qll

@@ -136,6 +136,16 @@ predicate immutableActionsDataModel(
  *    - cmd_regex: Regular expression for matching untrusted git commands
  *    - flag: Flag for the command
  */
-predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) {
-  Extensions::untrustedGitCommandsDataModel(cmd_regex, flag)
+predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
+  Extensions::untrustedGitCommandDataModel(cmd_regex, flag)
+}
+
+/**
+ * MaD models for untrusted gh commands
+ * Fields:
+ *    - cmd_regex: Regular expression for matching untrusted gh commands
+ *    - flag: Flag for the command
+ */
+predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
+  Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
 }

ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -68,4 +68,9 @@ extensible predicate immutableActionsDataModel(
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */
-extensible predicate untrustedGitCommandsDataModel(string cmd_regex, string flag);
+extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag);
+
+/**
+ * Holds for gh commands that may introduce untrusted data
+ */
+extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);

ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -40,9 +40,10 @@ class GitHubCtxSource extends RemoteFlowSource {
 
 class GitHubEventCtxSource extends RemoteFlowSource {
   string flag;
+  string context;
 
   GitHubEventCtxSource() {
-    exists(Expression e, string context, string regexp |
+    exists(Expression e, string regexp |
       this.asExpr() = e and
       context = e.getExpression() and
       (
@@ -62,6 +63,8 @@ class GitHubEventCtxSource extends RemoteFlowSource {
   }
 
   override string getSourceType() { result = flag }
+
+  string getContext() { result = context }
 }
 
 abstract class CommandSource extends RemoteFlowSource {
@@ -77,7 +80,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 
   GitCommandSource() {
     exists(Step checkout, string cmd_regex |
-      // This shoould be:
+      // This should be:
       // source instanceof PRHeadCheckoutStep
       // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
       // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
@@ -87,7 +90,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
           checkout = uses and
           uses.getCallee() = "actions/checkout" and
           exists(uses.getArgument("ref")) and
-          not uses.getArgument("ref").matches("%base%")
+          not uses.getArgument("ref").matches("%base%") and
+          uses.getATriggerEvent().getName() = checkoutTriggers()
         )
         or
         checkout instanceof GitMutableRefCheckout
@@ -102,8 +106,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
       checkout.getAFollowingStep() = run and
       run.getScript().getAStmt() = cmd and
       cmd.indexOf("git") = 0 and
-      untrustedGitCommandsDataModel(cmd_regex, flag) and
-      cmd.regexpMatch(".*" + cmd_regex + ".*")
+      untrustedGitCommandDataModel(cmd_regex, flag) and
+      cmd.regexpMatch(cmd_regex + ".*")
     )
   }
 
@@ -114,6 +118,34 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
   override Run getEnclosingRun() { result = run }
 }
 
+class GhCLICommandSource extends RemoteFlowSource, CommandSource {
+  Run run;
+  string cmd;
+  string flag;
+
+  GhCLICommandSource() {
+    exists(string cmd_regex |
+      this.asExpr() = run.getScript() and
+      run.getScript().getAStmt() = cmd and
+      cmd.indexOf("gh ") = 0 and
+      untrustedGhCommandDataModel(cmd_regex, flag) and
+      cmd.regexpMatch(cmd_regex + ".*") and
+      (
+        cmd.regexpMatch(".*\\b(pr|pulls)\\b.*") and
+        run.getATriggerEvent().getName() = checkoutTriggers()
+        or
+        not cmd.regexpMatch(".*\\b(pr|pulls)\\b.*")
+      )
+    )
+  }
+
+  override string getSourceType() { result = flag }
+
+  override Run getEnclosingRun() { result = run }
+
+  override string getCommand() { result = cmd }
+}
+
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
   string cmd;
   string flag;
@@ -203,7 +235,7 @@ class ArtifactSource extends RemoteFlowSource, FileSource {
  */
 private class CheckoutSource extends RemoteFlowSource, FileSource {
   CheckoutSource() {
-    // This shoould be:
+    // This should be:
     // source instanceof PRHeadCheckoutStep
     // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
     // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
@@ -212,7 +244,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource {
       this.asExpr() = uses and
       uses.getCallee() = "actions/checkout" and
       exists(uses.getArgument("ref")) and
-      not uses.getArgument("ref").matches("%base%")
+      not uses.getArgument("ref").matches("%base%") and
+      uses.getATriggerEvent().getName() = checkoutTriggers()
     )
     or
     this.asExpr() instanceof GitMutableRefCheckout
@@ -295,3 +328,24 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource {
 
   override string getSourceType() { result = "text" }
 }
+
+class OctokitRequestActionSource extends RemoteFlowSource {
+  OctokitRequestActionSource() {
+    exists(UsesStep u, string route |
+      u.getCallee() = "octokit/request-action" and
+      route = u.getArgument("route").trim() and
+      route.indexOf("GET") = 0 and
+      (
+        route.matches("%/commits%") or
+        route.matches("%/comments%") or
+        route.matches("%/pulls%") or
+        route.matches("%/issues%") or
+        route.matches("%/users%") or
+        route.matches("%github.event.issue.pull_request.url%")
+      ) and
+      this.asExpr() = u
+    )
+  }
+
+  override string getSourceType() { result = "text" }
+}

ql/lib/codeql/actions/dataflow/TaintSteps.qll

@@ -91,11 +91,45 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node
   )
 }
 
+/**
+ * A read of user-controlled field of the octokit/request-action action.
+ */
+predicate octokitRequestActionTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(StepsExpression o |
+    pred instanceof OctokitRequestActionSource and
+    o.getTarget() = pred.asExpr() and
+    o.getStepId() = pred.asExpr().(UsesStep).getId() and
+    succ.asExpr() = o and
+    (
+      not o instanceof JsonReferenceExpression and
+      o.getFieldName() = "data"
+      or
+      o instanceof JsonReferenceExpression and
+      o.(JsonReferenceExpression).getInnerExpression().matches("%.data") and
+      o.(JsonReferenceExpression)
+          .getAccessPath()
+          .matches([
+              "%.title",
+              "%.user.login",
+              "%.body",
+              "%.head.ref",
+              "%.head.repo.full_name",
+              "%.commit.author.email",
+              "%.commit.commiter.email",
+              "%.commit.message",
+              "%.email",
+              "%.name",
+            ])
+    )
+  )
+}
+
 class TaintSteps extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
     dornyPathsFilterTaintStep(node1, node2) or
     tjActionsChangedFilesTaintStep(node1, node2) or
     tjActionsVerifyChangedFilesTaintStep(node1, node2) or
-    xt0rtedSlashCommandActionTaintStep(node1, node2)
+    xt0rtedSlashCommandActionTaintStep(node1, node2) or
+    octokitRequestActionTaintStep(node1, node2)
   }
 }

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -4,9 +4,9 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 
-string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" }
+string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
-string unzipDirArgRegexp() { result = "-d\\s+([^ ]+).*" }
+string unzipDirArgRegexp() { result = "(-d|-C)\\s+([^ ]+).*" }
 
 abstract class UntrustedArtifactDownloadStep extends Step {
   abstract string getPath();
@@ -166,7 +166,7 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
                 .(Run)
                 .getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
     else
       if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
       then result = "GITHUB_WORKSPACE/"
@@ -197,13 +197,13 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
       result =
         normalizePath(trimQuotes(this.getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
                 .getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
     else
       if
         this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
@@ -243,13 +243,13 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
       result =
         normalizePath(trimQuotes(this.getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
                 .getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
     else result = "GITHUB_WORKSPACE/"
   }
 }
@@ -276,7 +276,12 @@ class ArtifactPoisoningSink extends DataFlow::Node {
       )
       or
       poisonable.(UsesStep) = this.asExpr() and
-      download.getPath() = "GITHUB_WORKSPACE/"
+      (
+        not poisonable instanceof LocalActionUsesStep and
+        download.getPath() = "GITHUB_WORKSPACE/"
+        or
+        isSubpath(poisonable.(LocalActionUsesStep).getPath(), download.getPath())
+      )
     )
   }