github actions queries

Author: JarLob

javascript/ql/src/experimental/Security/CWE-829/examples/comment_issue_bad.yml

@@ -0,0 +1,8 @@
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        echo '${{ github.event.comment.body }}'

javascript/ql/src/experimental/Security/CWE-829/examples/comment_issue_good.yml

@@ -0,0 +1,10 @@
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+    - env:
+        BODY: ${{ github.event.issue.body }}
+      run: |
+        echo '$BODY'

javascript/ql/src/experimental/Security/CWE-829/examples/comment_pr.yml

@@ -0,0 +1,53 @@
+# comment_pr.yml
+name: Comment on the pull request
+
+# read-write repo token
+# access to secrets
+on:
+  workflow_run:
+    workflows: ["Receive PR"]
+    types:
+      - completed
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: 'Download artifact'
+        uses: actions/[email protected]
+        with:
+          script: |
+            var artifacts = await github.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{github.event.workflow_run.id }},
+            });
+            var matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr"
+            })[0];
+            var download = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
+      - run: unzip pr.zip
+
+      - name: 'Comment on PR'
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            var fs = require('fs');
+            var issue_number = Number(fs.readFileSync('./NR'));
+            await github.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: issue_number,
+              body: 'Everything is OK. Thank you for the PR!'
+            });

javascript/ql/src/experimental/Security/CWE-829/examples/pull_request_target_bad.yml

@@ -0,0 +1,25 @@
+on:
+  pull_request_target
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    - uses: actions/setup-node@v1
+    - run: |
+        npm install
+        npm build
+
+    - uses: completely/fakeaction@v2
+      with:
+        arg1: ${{ secrets.supersecret }}
+
+    - uses: fakerepo/comment-on-pr@v1
+      with:
+        message: |
+          Thank you!

javascript/ql/src/experimental/Security/CWE-829/examples/receive_pr.yml

@@ -0,0 +1,27 @@
+# receive_pr.yml
+name: Receive PR
+
+# read-only repo token
+# no access to secrets
+on:
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:        
+      - uses: actions/checkout@v2
+
+      # imitation of a build process
+      - name: Build
+        run: /bin/bash ./build.sh
+
+      - name: Save PR number
+        run: |
+          mkdir -p ./pr
+          echo ${{ github.event.number }} > ./pr/NR
+      - uses: actions/upload-artifact@v2
+        with:
+          name: pr
+          path: pr/

javascript/ql/src/experimental/Security/CWE-829/expression_injection.qhelp

@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+
+			Using user-controlled input in GitHub Actions may lead to
+			code injection in contexts like <i>run:</i> or <i>script:</i>.
+
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+
+			The best practice to avoid code injection vulnerabilities
+			in GitHub workflows is to set the untrusted input value of the expression
+			to an intermediate environment variable.
+
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+
+			The following example lets a user inject an arbitrary shell command:
+
+		</p>
+
+		<sample src="examples/comment_issue_bad.yml" />
+
+		<p>
+
+			The following example uses shell syntax to read
+			the environment variable and will prevent the attack:
+
+		</p>
+
+		<sample src="examples/comment_issue_good.yml" />
+
+	</example>
+
+	<references>
+		<li>GitHub Security Lab Research: <a href="https://securitylab.github.com/research/github-actions-untrusted-input">Keeping your GitHub Actions and workflows secure: Untrusted input</a>.</li>
+	</references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-829/expression_injection.ql

@@ -0,0 +1,93 @@
+/**
+ * @name Injection from user-controlled Actions context
+ * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
+ *              user to inject code into the GitHub action.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/actions/injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-829
+ */
+
+import javascript
+import experimental.semmle.javascript.Actions
+
+bindingset[context]
+private predicate isExternalUserControlledIssue(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*body\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledPullRequest(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*title\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledReview(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review_comment\\s*\\.\\s*body\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledComment(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*comment\\s*\\.\\s*body\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledGollum(string context) {
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*page_name\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledCommit(string context) {
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*message\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*author\\s*\\.\\s*email\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*author\\s*\\.\\s*name\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*head_ref\\b")
+}
+
+from Actions::Run run, string context, Actions::On on
+where
+  run.getAReferencedExpression() = context and
+  run.getStep().getJob().getWorkflow().getOn() = on and
+  (
+    exists(on.getNode("issues")) and
+    isExternalUserControlledIssue(context)
+    or
+    exists(on.getNode("pull_request_target")) and
+    isExternalUserControlledPullRequest(context)
+    or
+    (exists(on.getNode("pull_request_review_comment")) or exists(on.getNode("pull_request_review"))) and
+    isExternalUserControlledReview(context)
+    or
+    (exists(on.getNode("issue_comment")) or exists(on.getNode("pull_request_target"))) and
+    isExternalUserControlledComment(context)
+    or
+    exists(on.getNode("gollum")) and
+    isExternalUserControlledGollum(context)
+    or
+    exists(on.getNode("pull_request_target")) and
+    isExternalUserControlledCommit(context)
+  )
+select run,
+  "Potential injection from the " + context +
+    " context, which may be controlled by an external user."

javascript/ql/src/experimental/Security/CWE-829/pull_request_target.qhelp

@@ -0,0 +1,63 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+
+			Combining <i>pull_request_target</i> workflow trigger with an explicit checkout
+			of an untrusted pull request is a dangerous practice
+			that may lead to repository compromise.
+
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+
+			The best practice is to handle the potentially untrusted pull request
+			via the <i>pull_request</i> trigger so that it is isolated in
+			an unprivileged environment. The workflow processing the pull request
+			should then store any results like code coverage or failed/passed tests
+			in artifacts and exit. The following workflow then starts on <i>workflow_run</i>
+			where it is granted write permission to the target repository and access to
+			repository secrets, so that it can download the artifacts and make
+			any necessary modifications to the repository or interact with third party services
+			that require repository secrets (e.g. API tokens).
+
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+
+			The following example allows unauthorized repository modification
+			and secrets exfiltration:
+
+		</p>
+
+		<sample src="examples/pull_request_target_bad.yml" />
+
+		<p>
+
+			The following examples use two triggers to handle potentially untrusted
+			pull request in a secure manner:
+
+		</p>
+
+		<sample src="examples/receive_pr.yml" />
+		<sample src="examples/comment_pr.yml" />
+
+	</example>
+
+	<references>
+		<li>GitHub Security Lab Research: <a href="https://securitylab.github.com/research/github-actions-preventing-pwn-requests">Keeping your GitHub Actions and workflows secure: Preventing pwn requests</a>.</li>
+	</references>
+
+</qhelp>