Improve Untrusted checkout queries

Author: Alvaro Muñoz

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -748,7 +748,13 @@ class JobImpl extends AstNodeImpl, TJobNode {
 
   /** Holds if the job can be triggered by an external actor. */
   predicate isExternallyTriggerable() {
-    externallyTriggerableEventsDataModel(this.getATriggerEvent().getName())
+    // the job is triggered by an event that can be triggered externally
+    externallyTriggerableEventsDataModel(this.getATriggerEvent().getName()) or
+    // the job is triggered by a workflow_call event that can be triggered externally
+    this.getATriggerEvent().getName() = "workflow_call" and
+    (exists(ExpressionImpl e, string external_trigger | e.getEnclosingJob() = this and e.getExpression().matches("%github.event" + external_trigger + "%") and externallyTriggerableEventsDataModel(external_trigger))
+    or 
+    this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isExternallyTriggerable())
   }
 
   /** Holds if the job is privileged. */
@@ -775,7 +781,9 @@ class JobImpl extends AstNodeImpl, TJobNode {
   private predicate hasExplicitSecretAccess() {
     // the job accesses a secret other than GITHUB_TOKEN
     exists(SecretsExpressionImpl expr |
-      expr.getEnclosingJob() = this and not expr.getFieldName() = "GITHUB_TOKEN"
+      (expr.getEnclosingJob() = this  or not exists(expr.getEnclosingJob()))  and
+      expr.getEnclosingWorkflow() = this.getEnclosingWorkflow() and
+      not expr.getFieldName() = "GITHUB_TOKEN" 
     )
   }
 
@@ -803,16 +811,21 @@ class JobImpl extends AstNodeImpl, TJobNode {
   }
 
   private predicate hasPrivilegedTrigger() {
-    // For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork.
-    // The Job is triggered by an event other than `pull_request`
+    // the Job is triggered by an event other than `pull_request`
     count(this.getATriggerEvent()) = 1 and
-    not this.getATriggerEvent().getName() = ["pull_request", "workflow_call"]
+    not this.getATriggerEvent().getName() = "pull_request" and
+    not this.getATriggerEvent().getName() = "workflow_call" 
     or
-    // The Workflow is a Reusable Workflow only and there is
-    // a privileged caller workflow
-    this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged()
+    // the Workflow is a Reusable Workflow only and there is
+    // a privileged caller workflow or we cant find a caller
+    count(this.getATriggerEvent()) = 1 and
+    this.getATriggerEvent().getName() = "workflow_call" and
+    (
+      this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().isPrivileged() or
+      not exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller())
+    )
     or
-    // The Workflow has multiple triggers so at least one is not "pull_request"
+    // the Workflow has multiple triggers so at least one is not "pull_request"
     count(this.getATriggerEvent()) > 1
   }
 

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -108,8 +108,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
       exists(StepsExpression e |
         this.getArgumentExpr("ref") = e and
         (
-          e.getStepId().matches(["%head%", "%pull_request%", "%_pr_%"]) or
-          e.getFieldName().matches(["%head%", "%pull_request%", "%_pr_%"])
+          e.getStepId().matches("%" + ["head", "branch", "ref"] + "%") or
+          e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%")
         )
       )
     )
@@ -138,8 +138,8 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
       exists(StepsExpression e |
         this.getArgumentExpr("ref") = e and
         (
-          e.getStepId().matches(["%sha%", "%commit%"]) or
-          e.getFieldName().matches(["%sha%", "%commit%"])
+          e.getStepId().matches("%" + ["head", "sha", "commit"] + "%") or
+          e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%")
         )
       )
     )

ql/lib/qlpack.yml

@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.28
+version: 0.0.29
 dependencies:
   codeql/util: ^0.2.0
   codeql/yaml: ^0.1.2

ql/src/qlpack.yml

@@ -1,7 +1,7 @@
 ---
 library: false
 name: githubsecuritylab/actions-queries
-version: 0.0.28
+version: 0.0.29
 groups:
   - actions
   - queries

ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -315,6 +315,8 @@ subpaths
 | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
 | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
 | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} |
+| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
+| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} |
 | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} |
 | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} |

ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -283,7 +283,5 @@ subpaths
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
-| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
-| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} |
 | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |

ql/test/query-tests/Security/CWE-349/CachePoisoning.expected

@@ -9,3 +9,4 @@
 | .github/workflows/test11.yml:14:9:19:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Uses Step |
 | .github/workflows/test15.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Uses Step |
 | .github/workflows/test16.yml:14:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Uses Step |
+| .github/workflows/test17.yml:15:9:20:6 | Uses Step | Potential cache poisoning in the context of the default branch on step $@. | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Uses Step |

ql/test/query-tests/Security/CWE-829/.github/workflows/mend.yml

@@ -0,0 +1,33 @@
+name: Test
+
+on:
+  workflow_call:
+
+env:
+  API_KEY: ${{ secrets.API_KEY != '' && secrets.API_KEY  }}
+
+jobs:
+  mend:
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: "Set the checkout ref"
+        id: set_ref
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request_target" ]]; then
+            echo "ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
+          else
+            echo "ref=${{ github.ref }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: "checkout"
+        if: success()
+        uses: "actions/checkout@v4"
+        with:
+          fetch-depth: 1
+          ref: ${{ steps.set_ref.outputs.ref }}
+
+      - name: "setup ruby"
+        if: success()
+        uses: "ruby/setup-ruby@v1"
+        with:
+          ruby-version: 2.7

ql/test/query-tests/Security/CWE-829/.github/workflows/priv_pull_request_checkout.yml

@@ -0,0 +1,23 @@
+name: Test
+
+on:
+  pull_request:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repo on head ref
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
+        with:
+          ref: ${{ github.head_ref }}
+          token: ${{ secrets.DOCUBOT_REPO_PAT }}
+
+      - run: |
+          ./cmd
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected

@@ -14,4 +14,5 @@
 | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref '2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step |
 | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref '1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step |
 | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref '4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step |
+| .github/workflows/mend.yml:29:9:33:28 | Uses Step | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref '1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref '1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |