Merge pull request github#5350 from JarLob/actions

github actions queries

Author: erik-krogh

javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.qhelp

@@ -0,0 +1,54 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+
+			Using user-controlled input in GitHub Actions may lead to
+			code injection in contexts like <i>run:</i> or <i>script:</i>.
+
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+
+			The best practice to avoid code injection vulnerabilities
+			in GitHub workflows is to set the untrusted input value of the expression
+			to an intermediate environment variable.
+
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+
+			The following example lets a user inject an arbitrary shell command:
+
+		</p>
+
+		<sample src="examples/comment_issue_bad.yml" />
+
+		<p>
+
+			The following example uses shell syntax to read
+			the environment variable and will prevent the attack:
+
+		</p>
+
+		<sample src="examples/comment_issue_good.yml" />
+
+	</example>
+
+	<references>
+		<li>GitHub Security Lab Research: <a href="https://securitylab.github.com/research/github-actions-untrusted-input">Keeping your GitHub Actions and workflows secure: Untrusted input</a>.</li>
+	</references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-094/ExpressionInjection.ql

@@ -0,0 +1,93 @@
+/**
+ * @name Expression injection in Actions
+ * @description Using user-controlled GitHub Actions contexts like `run:` or `script:` may allow a malicious
+ *              user to inject code into the GitHub action.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @id js/actions/injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-094
+ */
+
+import javascript
+import experimental.semmle.javascript.Actions
+
+bindingset[context]
+private predicate isExternalUserControlledIssue(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*title\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*issue\\s*\\.\\s*body\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledPullRequest(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*title\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledReview(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review_comment\\s*\\.\\s*body\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledComment(string context) {
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*comment\\s*\\.\\s*body\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledGollum(string context) {
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*page_name\\b")
+}
+
+bindingset[context]
+private predicate isExternalUserControlledCommit(string context) {
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*message\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*author\\s*\\.\\s*email\\b") or
+  context
+      .regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*author\\s*\\.\\s*name\\b") or
+  context.regexpMatch("\\bgithub\\s*\\.\\s*head_ref\\b")
+}
+
+from Actions::Run run, string context, Actions::On on
+where
+  run.getAReferencedExpression() = context and
+  run.getStep().getJob().getWorkflow().getOn() = on and
+  (
+    exists(on.getNode("issues")) and
+    isExternalUserControlledIssue(context)
+    or
+    exists(on.getNode("pull_request_target")) and
+    isExternalUserControlledPullRequest(context)
+    or
+    (exists(on.getNode("pull_request_review_comment")) or exists(on.getNode("pull_request_review"))) and
+    isExternalUserControlledReview(context)
+    or
+    (exists(on.getNode("issue_comment")) or exists(on.getNode("pull_request_target"))) and
+    isExternalUserControlledComment(context)
+    or
+    exists(on.getNode("gollum")) and
+    isExternalUserControlledGollum(context)
+    or
+    exists(on.getNode("pull_request_target")) and
+    isExternalUserControlledCommit(context)
+  )
+select run,
+  "Potential injection from the " + context +
+    " context, which may be controlled by an external user."

javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.qhelp

@@ -0,0 +1,64 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+
+	<overview>
+
+		<p>
+
+			Combining <i>pull_request_target</i> workflow trigger with an explicit checkout
+			of an untrusted pull request is a dangerous practice
+			that may lead to repository compromise.
+
+		</p>
+
+	</overview>
+
+	<recommendation>
+
+		<p>
+
+			The best practice is to handle the potentially untrusted pull request
+			via the <i>pull_request</i> trigger so that it is isolated in
+			an unprivileged environment. The workflow processing the pull request
+			should then store any results like code coverage or failed/passed tests
+			in artifacts and exit. The following workflow then starts on <i>workflow_run</i>
+			where it is granted write permission to the target repository and access to
+			repository secrets, so that it can download the artifacts and make
+			any necessary modifications to the repository or interact with third party services
+			that require repository secrets (e.g. API tokens).
+
+		</p>
+
+	</recommendation>
+
+	<example>
+
+		<p>
+
+			The following example allows unauthorized repository modification
+			and secrets exfiltration:
+
+		</p>
+
+		<sample src="examples/pull_request_target_bad.yml" />
+
+		<p>
+
+			The following example uses two workflows  to handle potentially untrusted
+			pull request in a secure manner. The receive_pr.yml is triggered first:
+
+		</p>
+
+		<sample src="examples/receive_pr.yml" />
+		<p>The comment_pr.yml is triggered after receive_pr.yml completes:</p>
+		<sample src="examples/comment_pr.yml" />
+
+	</example>
+
+	<references>
+		<li>GitHub Security Lab Research: <a href="https://securitylab.github.com/research/github-actions-preventing-pwn-requests">Keeping your GitHub Actions and workflows secure: Preventing pwn requests</a>.</li>
+	</references>
+
+</qhelp>

javascript/ql/src/experimental/Security/CWE-094/UntrustedCheckout.ql

@@ -0,0 +1,122 @@
+/**
+ * @name Checkout of untrusted code in trusted context
+ * @description Workflows triggered on `pull_request_target` have read/write access to the base repository and access to secrets.
+ *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
+ *              that is able to push to the base repository and to access secrets.
+ * @kind problem
+ * @problem.severity warning
+ * @precision low
+ * @id js/actions/pull_request_target
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-094
+ */
+
+import javascript
+import experimental.semmle.javascript.Actions
+
+/**
+ * Action step that doesn't contain `actor` or `label` check in `if:` or
+ * the check requires manual analysis.
+ */
+class ProbableStep extends Actions::Step {
+  // some simplistic checks to eleminate likely false positives:
+  ProbableStep() {
+    // no if at all
+    not exists(this.getIf().getValue())
+    or
+    // needs manual analysis if there is OR
+    this.getIf().getValue().matches("%||%")
+    or
+    // labels can be assigned by owners only
+    not exists(
+      this.getIf()
+          .getValue()
+          .regexpFind("\\bcontains\\s*\\(\\s*github\\s*\\.\\s*event\\s*\\.\\s*(?:issue|pull_request)\\s*\\.\\s*labels\\b",
+            _, _)
+    ) and
+    not exists(
+      this.getIf()
+          .getValue()
+          .regexpFind("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*label\\s*\\.\\s*name\\s*==", _, _)
+    ) and
+    // actor check means only the user is able to run it
+    not exists(this.getIf().getValue().regexpFind("\\bgithub\\s*\\.\\s*actor\\s*==", _, _))
+  }
+}
+
+/**
+ * Action job that doesn't contain `actor` or `label` check in `if:` or
+ * the check requires manual analysis.
+ */
+class ProbableJob extends Actions::Job {
+  // some simplistic checks to eleminate likely false positives:
+  ProbableJob() {
+    // no if at all
+    not exists(this.getIf().getValue())
+    or
+    // needs manual analysis if there is OR
+    this.getIf().getValue().matches("%||%")
+    or
+    // labels can be assigned by owners only
+    not exists(
+      this.getIf()
+          .getValue()
+          .regexpFind("\\bcontains\\s*\\(\\s*github\\s*\\.\\s*event\\s*\\.\\s*(?:issue|pull_request)\\s*\\.\\s*labels\\b",
+            _, _)
+    ) and
+    not exists(
+      this.getIf()
+          .getValue()
+          .regexpFind("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*label\\s*\\.\\s*name\\s*==", _, _)
+    ) and
+    // actor check means only the user is able to run it
+    not exists(this.getIf().getValue().regexpFind("\\bgithub\\s*\\.\\s*actor\\s*==", _, _))
+  }
+}
+
+/**
+ * Action step that doesn't contain `actor` or `label` check in `if:` or
+ */
+class ProbablePullRequestTarget extends Actions::On, Actions::MappingOrSequenceOrScalar {
+  ProbablePullRequestTarget() {
+    exists(YAMLNode prtNode |
+      // The `on:` is triggered on `pull_request_target`
+      this.getNode("pull_request_target") = prtNode and
+      (
+        // and either doesn't contain `types` filter
+        not exists(prtNode.getAChild())
+        or
+        // or has the filter, that is something else than just [labeled]
+        exists(Actions::MappingOrSequenceOrScalar prt, Actions::MappingOrSequenceOrScalar types |
+          types = prt.getNode("types") and
+          prtNode = prt and
+          (
+            not types.getElementCount() = 1 or
+            not exists(types.getNode("labeled"))
+          )
+        )
+      )
+    )
+  }
+}
+
+from
+  Actions::Ref ref, Actions::Uses uses, Actions::Step step, Actions::Job job,
+  ProbablePullRequestTarget pullRequestTarget
+where
+  pullRequestTarget.getWorkflow() = job.getWorkflow() and
+  uses.getStep() = step and
+  ref.getWith().getStep() = step and
+  step.getJob() = job and
+  uses.getGitHubRepository() = "actions/checkout" and
+  (
+    ref.getValue().matches("%github.event.pull_request.head.ref%") or
+    ref.getValue().matches("%github.event.pull_request.head.sha%") or
+    ref.getValue().matches("%github.event.pull_request.number%") or
+    ref.getValue().matches("%github.event.number%") or
+    ref.getValue().matches("%github.head_ref%")
+  ) and
+  step instanceof ProbableStep and
+  job instanceof ProbableJob
+select step, "Potential unsafe checkout of untrusted pull request on `pull_request_target`"

javascript/ql/src/experimental/Security/CWE-094/examples/comment_issue_bad.yml

@@ -0,0 +1,8 @@
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        echo '${{ github.event.comment.body }}'

javascript/ql/src/experimental/Security/CWE-094/examples/comment_issue_good.yml

@@ -0,0 +1,10 @@
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+    - env:
+        BODY: ${{ github.event.issue.body }}
+      run: |
+        echo '$BODY'