Improve accuracy of actions/download-artifact as a source

Alvaro Muñoz · Alvaro Muñoz · commit 4f57aade35d1 · 2024-09-06T10:49:27.000+02:00
If upload is on the same workflow, it needs to be triggered by a priv
workflow
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -26,8 +26,10 @@ class GitHubDownloadArtifactActionStep extends UntrustedArtifactDownloadStep, Us
       exists(this.getArgument("github-token"))
       or
       // There is an artifact upload step in the same workflow which can be influenced by an attacker on a checkout step
-      exists(UsesStep checkout, UsesStep upload |
-        this.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and
+      exists(LocalJob job, UsesStep checkout, UsesStep upload |
+        this.getEnclosingWorkflow().getAJob() = job and
+        job.getAStep() = checkout and
+        job.getATriggerEvent().getName() = "pull_request_target" and
         checkout.getCallee() = "actions/checkout" and
         checkout.getAFollowingStep() = upload and
         upload.getCallee() = "actions/upload-artifact"
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml
@@ -23,7 +23,7 @@ jobs:
           key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
           restore-keys: ${{ runner.os }}-pip-
       - name: Download artifact
-        uses: actions/download-artifact@v4
+        uses: dawidd6/action-download-artifact@v2
         with:
           name: results
           path: results/
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout4.yml
@@ -0,0 +1,100 @@
+name: Auto Bump Versions
+
+on:
+  issue_comment:                                     
+    types: [created, edited]
+
+jobs:
+  add-same-version-label-to-pr:
+    runs-on: ubuntu-latest
+    if: github.event.issue.pull_request && contains(github.event.comment.body, '/add-same-version-label')
+    steps:
+    - uses: actions/checkout@v3
+    - name: Add same version label
+      uses: actions/github-script@v6
+      if: success()
+      with:
+        github-token: ${{secrets.GITHUB_TOKEN}}
+        script: |
+          github.rest.issues.addLabels({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            labels: ['same version']
+          })
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: '👋 Added [same version] label :)!'
+          })
+
+  build:
+    if: ${{ github.event.issue.pull_request }} && contains(github.event.comment.body, '/version')
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Get PR details
+      uses: actions/github-script@v6
+      id: get-pr
+      with:
+        script: |
+          const request = {
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            pull_number: context.issue.number
+          }
+          core.info(`Getting PR #${request.pull_number} from ${request.owner}/${request.repo}`)
+          try {
+            const result = await github.rest.pulls.get(request)
+            return result.data
+          } catch (err) {
+            core.setFailed(`Request failed with error ${err}`)
+          }
+
+    - name: Checkout PR
+      uses: actions/checkout@v3
+      with:
+        repository: ${{ fromJSON(steps.get-pr.outputs.result).head.repo.full_name }}
+        ref: ${{ fromJSON(steps.get-pr.outputs.result).head.ref }}
+    
+    - name: Update version minor
+      if: contains(github.event.comment.body, '/version minor')
+      run: |
+        ./version.sh -u -n
+        echo "BUMP_TYPE=minor" >> $GITHUB_ENV
+
+    - name: Update version major
+      if: contains(github.event.comment.body, '/version major')
+      run: |
+        ./version.sh -u -m
+        echo "BUMP_TYPE=major" >> $GITHUB_ENV
+
+    - name: Update version patch
+      if: contains(github.event.comment.body, '/version patch')
+      run: |
+        ./version.sh -u -p
+        echo "BUMP_TYPE=patch" >> $GITHUB_ENV
+    
+    - name: Add labels
+      uses: actions/github-script@v6
+      if: ${{ env.BUMP_TYPE }}
+      with:
+        script: |
+          github.rest.issues.addLabels({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            labels: ['version/${{ env.BUMP_TYPE }}']
+          })
+
+    - name: Push Changes
+      if: ${{ env.BUMP_TYPE }}
+      run: |
+        git config user.name 'github-actions[bot]'
+        git config user.email 'github-actions[bot]@users.noreply.github.com'
+        git pull
+        git add .
+        git commit -m "Update ${{ env.BUMP_TYPE }} version" --signoff
+        git push
+        
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -14,7 +14,6 @@ edges
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
 | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance |  |
-| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance |  |
 nodes
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
@@ -46,8 +45,6 @@ nodes
 | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
-| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
 subpaths
 #select
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
@@ -14,7 +14,6 @@ edges
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
 | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance |  |
-| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | provenance |  |
 nodes
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
@@ -46,8 +45,5 @@ nodes
 | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
-| .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |
-| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
 subpaths
 #select
-| .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning82.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning82.yml:31:14:31:27 | python test.py | python test.py |
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -147,6 +147,13 @@ edges
 | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:12:7:13:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:13:7:32:2 | Uses Step |
+| .github/workflows/untrusted_checkout4.yml:37:7:55:4 | Uses Step: get-pr | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step |
+| .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step |
+| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step |
+| .github/workflows/untrusted_checkout4.yml:79:7:91:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:91:7:100:9 | Run Step |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step |
 | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step |
 | .github/workflows/untrusted_checkout.yml:16:9:20:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step |
@@ -171,5 +178,8 @@ edges
 | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/test9.yml:16:9:17:48 | Run Step | .github/workflows/test9.yml:11:9:16:6 | Uses Step | .github/workflows/test9.yml:16:9:17:48 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:61:7:67:4 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:67:7:73:4 | Run Step | Execution of untrusted code on a privileged workflow. |
+| .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | .github/workflows/untrusted_checkout4.yml:55:7:61:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:73:7:79:4 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Execution of untrusted code on a privileged workflow. |
