Add externally triggereable data model and predicates

Author: Alvaro Muñoz

ql/lib/codeql/actions/Ast.qll

@@ -348,6 +348,8 @@ abstract class Job extends AstNode instanceof JobImpl {
 
   predicate isPrivileged() { super.isPrivileged() }
 
+  predicate isExternallyTriggerable() { super.isExternallyTriggerable() }
+
   string getARunsOnLabel() { result = super.getARunsOnLabel() }
 }
 

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -703,6 +703,11 @@ class JobImpl extends AstNodeImpl, TJobNode {
   /** Gets the strategy for this job. */
   StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") }
 
+  /** Holds if the job can be triggered by an external actor. */
+  predicate isExternallyTriggerable() {
+    externallyTriggerableEventsDataModel(this.getATriggerEvent().getName())
+  }
+
   /** Holds if the job is privileged. */
   predicate isPrivileged() {
     // the job has privileged runtime permissions

ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -38,6 +38,15 @@ predicate contextTriggerDataModel(string trigger, string context_prefix) {
   Extensions::contextTriggerDataModel(trigger, context_prefix)
 }
 
+/**
+ * MaD models for externally triggerable events
+ * Fields:
+ *    - event: Event name
+ */
+predicate externallyTriggerableEventsDataModel(string event) {
+  Extensions::externallyTriggerableEventsDataModel(event)
+}
+
 /**
  * MaD sources
  * Fields:

ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll

@@ -36,6 +36,11 @@ extensible predicate workflowDataModel(
 extensible predicate repositoryDataModel(string visibility, string default_branch_name);
 
 /**
- * Holds if context/trigger mapping exists for the given parameters.
+ * Holds if a context expression starting with context_prefix is available for a given trigger.
  */
 extensible predicate contextTriggerDataModel(string trigger, string context_prefix);
+
+/**
+ * Holds if a given trigger event can be fired by an external actor.
+ */
+extensible predicate externallyTriggerableEventsDataModel(string event);

ql/lib/ext/workflow-models/workflow-models.yml

@@ -11,7 +11,6 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: contextTriggerDataModel 
     data:
-      # This predicate maps triggering events with the github event context available for that event
       - ["commit_comment", "github.event.comment"] 
       - ["discussion", "github.event.discussion"]
       - ["discussion_comment", "github.event.comment"] 
@@ -55,3 +54,19 @@ extensions:
       - ["workflow_call", "github.event.review"] 
       - ["workflow_call", "github.event.workflow"]
       - ["workflow_call", "github.event.workflow_run"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: externallyTriggerableEventsDataModel
+    data:
+      - ["discussion"]
+      - ["discussion_comment"]
+      - ["fork"]
+      - ["issue_comment"]
+      - ["issues"]
+      - ["pull_request"]
+      - ["pull_request_comment"]
+      - ["pull_request_review"]
+      - ["pull_request_review_comment"]
+      - ["pull_request_target"]
+      - ["workflow_run"] # depending on trigger workflow
+      - ["workflow_call"] # depending on caller