More regexp improvements

Alvaro Muñoz · Alvaro Muñoz · commit 0e50204672f0 · 2024-03-13T22:19:55.000+01:00
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -1,5 +1,6 @@
 private import codeql.actions.ast.internal.Yaml
 private import codeql.Locations
+private import codeql.actions.Ast::Utils as Utils
 
 /**
  * Gets the length of each line in the StringValue .
@@ -833,9 +834,9 @@ class StepsExpressionImpl extends ContextExpressionImpl {
   string fieldName;
 
   StepsExpressionImpl() {
-    expression.regexpMatch(stepsCtxRegex()) and
-    stepId = expression.regexpCapture(stepsCtxRegex(), 1) and
-    fieldName = expression.regexpCapture(stepsCtxRegex(), 2)
+    Utils::normalizeExpr(expression).regexpMatch(stepsCtxRegex()) and
+    stepId = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 1) and
+    fieldName = Utils::normalizeExpr(expression).regexpCapture(stepsCtxRegex(), 2)
   }
 
   override string getFieldName() { result = fieldName }
@@ -856,9 +857,9 @@ class NeedsExpressionImpl extends ContextExpressionImpl {
   string fieldName;
 
   NeedsExpressionImpl() {
-    expression.regexpMatch(needsCtxRegex()) and
-    fieldName = expression.regexpCapture(needsCtxRegex(), 2) and
-    neededJob.getId() = expression.regexpCapture(needsCtxRegex(), 1) and
+    Utils::normalizeExpr(expression).regexpMatch(needsCtxRegex()) and
+    fieldName = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 2) and
+    neededJob.getId() = Utils::normalizeExpr(expression).regexpCapture(needsCtxRegex(), 1) and
     neededJob.getLocation().getFile() = this.getLocation().getFile()
   }
 
@@ -886,9 +887,9 @@ class JobsExpressionImpl extends ContextExpressionImpl {
   string fieldName;
 
   JobsExpressionImpl() {
-    expression.regexpMatch(jobsCtxRegex()) and
-    jobId = expression.regexpCapture(jobsCtxRegex(), 1) and
-    fieldName = expression.regexpCapture(jobsCtxRegex(), 2)
+    Utils::normalizeExpr(expression).regexpMatch(jobsCtxRegex()) and
+    jobId = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 1) and
+    fieldName = Utils::normalizeExpr(expression).regexpCapture(jobsCtxRegex(), 2)
   }
 
   override string getFieldName() { result = fieldName }
@@ -911,8 +912,8 @@ class InputsExpressionImpl extends ContextExpressionImpl {
   string fieldName;
 
   InputsExpressionImpl() {
-    expression.regexpMatch(inputsCtxRegex()) and
-    fieldName = expression.regexpCapture(inputsCtxRegex(), 1)
+    Utils::normalizeExpr(expression).regexpMatch(inputsCtxRegex()) and
+    fieldName = Utils::normalizeExpr(expression).regexpCapture(inputsCtxRegex(), 1)
   }
 
   override string getFieldName() { result = fieldName }
@@ -936,8 +937,8 @@ class EnvExpressionImpl extends ContextExpressionImpl {
   string fieldName;
 
   EnvExpressionImpl() {
-    expression.regexpMatch(envCtxRegex()) and
-    fieldName = expression.regexpCapture(envCtxRegex(), 1)
+    Utils::normalizeExpr(expression).regexpMatch(envCtxRegex()) and
+    fieldName = Utils::normalizeExpr(expression).regexpCapture(envCtxRegex(), 1)
   }
 
   override string getFieldName() { result = fieldName }
@@ -959,8 +960,8 @@ class MatrixExpressionImpl extends ContextExpressionImpl {
   string fieldName;
 
   MatrixExpressionImpl() {
-    expression.regexpMatch(matrixCtxRegex()) and
-    fieldName = expression.regexpCapture(matrixCtxRegex(), 1)
+    Utils::normalizeExpr(expression).regexpMatch(matrixCtxRegex()) and
+    fieldName = Utils::normalizeExpr(expression).regexpCapture(matrixCtxRegex(), 1)
   }
 
   override string getFieldName() { result = fieldName }
diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -1,6 +1,6 @@
 private import internal.ExternalFlowExtensions as Extensions
-import codeql.actions.DataFlow
-import actions
+private import codeql.actions.DataFlow
+private import actions
 
 /**
  * MaD sources
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -1,7 +1,7 @@
-import actions
-import codeql.actions.DataFlow
-import codeql.actions.dataflow.ExternalFlow
-import codeql.actions.Ast::Utils as Utils
+private import actions
+private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.ExternalFlow
+private import codeql.actions.Ast::Utils as Utils
 
 /**
  * A data flow source.
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -2,10 +2,10 @@
  * Provides classes representing various flow steps for taint tracking.
  */
 
-import actions
+private import actions
 private import codeql.util.Unit
 private import codeql.actions.DataFlow
-import codeql.actions.dataflow.ExternalFlow
+private import codeql.actions.dataflow.ExternalFlow
 
 /**
  * A unit class for adding additional taint steps.
diff --git a/ql/src/Security/CWE-020/CompositeActionsSinks.ql b/ql/src/Security/CWE-020/CompositeActionsSinks.ql
@@ -12,6 +12,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-020/CompositeActionsSources.ql b/ql/src/Security/CWE-020/CompositeActionsSources.ql
@@ -12,6 +12,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-020/CompositeActionsSummaries.ql b/ql/src/Security/CWE-020/CompositeActionsSummaries.ql
@@ -12,6 +12,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql
@@ -12,6 +12,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSources.ql
@@ -12,6 +12,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql b/ql/src/Security/CWE-020/ReusableWorkflowsSummaries.ql
@@ -12,6 +12,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-094/CriticalExpressionInjection.ql b/ql/src/Security/CWE-094/CriticalExpressionInjection.ql
@@ -13,6 +13,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-094/ExpressionInjection.ql b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -13,6 +13,7 @@
  */
 
 import actions
+import codeql.actions.DataFlow
 import codeql.actions.TaintTracking
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
@@ -18,32 +18,37 @@ import actions
 /** An If node that contains an actor, user or label check */
 class ControlCheck extends If {
   ControlCheck() {
-    Utils::normalizeExpr(this.getCondition())
-        .regexpMatch([
-            ".*github\\.actor.*", ".*github\\.triggering_actor.*",
-            ".*github\\.event\\.pull_request\\.user\\.login.*",
-            ".*github\\.event\\.pull_request\\.labels.*", ".*github\\.event\\.label\\.name.*"
-          ])
+    exists(
+      Utils::normalizeExpr(this.getCondition())
+          .regexpFind([
+              "\\bgithub\\.actor\\b", // actor
+              "\\bgithub\\.triggering_actor\\b", // actor
+              "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
+              "\\bgithub\\.event\\.pull_request\\.labels\\b", // label
+              "\\bgithub\\.event\\.label\\.name\\b" // label
+            ], _, _)
+    )
   }
 }
 
 bindingset[s]
 predicate containsHeadRef(string s) {
-  Utils::normalizeExpr(s)
-      .matches("%" +
-          [
-            "github.event.number", // The pull request number.
-            "github.event.pull_request.head.ref", // The ref name of head.
-            "github.event.pull_request.head.sha", //  The commit SHA of head.
-            "github.event.pull_request.id", // The pull request ID.
-            "github.event.pull_request.number", // The pull request number.
-            "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit.
-            "github.head_ref", // The head_ref or source branch of the pull request in a workflow run.
-            "github.event.workflow_run.head_branch", // The branch of the head commit.
-            "github.event.workflow_run.head_commit.id", // The SHA of the head commit.
-            "github.event.workflow_run.head_sha", // The SHA of the head commit.
-            "env.GITHUB_HEAD_REF",
-          ] + "%")
+  exists(
+    Utils::normalizeExpr(s)
+        .regexpFind([
+            "\\bgithub\\.event\\.number\\b", // The pull request number.
+            "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", // The ref name of head.
+            "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b", //  The commit SHA of head.
+            "\\bgithub\\.event\\.pull_request\\.id\\b", // The pull request ID.
+            "\\bgithub\\.event\\.pull_request\\.number\\b", // The pull request number.
+            "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b", // The SHA of the merge commit.
+            "\\bgithub\\.head_ref\\b", // The head_ref or source branch of the pull request in a workflow run.
+            "\\bgithub\\.event\\.workflow_run\\.head_branch\\b", // The branch of the head commit.
+            "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b", // The SHA of the head commit.
+            "\\bgithub\\.event\\.workflow_run\\.head_sha\\b", // The SHA of the head commit.
+            "\\benv\\.GITHUB_HEAD_REF\\b",
+          ], _, _)
+  )
 }
 
 /** Checkout of a Pull Request HEAD ref */
@@ -68,7 +73,7 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run {
         or
         exists(string varname |
           containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
-          line.matches("%" + varname + "%")
+          exists(line.regexpFind(varname, _, _))
         )
       )
     )
