Make Untrusted Checkout and CachePoisoning rules path-problems

Alvaro Muñoz · Alvaro Muñoz · commit 5cd292e23e03 · 2024-06-26T19:17:37.000+02:00
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -1,7 +1,7 @@
 /**
  * @name Cache Poisoning
  * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision high
  * @security-severity 7.5
@@ -16,6 +16,8 @@ import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.CachePoisoningQuery
 import codeql.actions.security.PoisonableSteps
 
+query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+
 from LocalJob j, Event e, PRHeadCheckoutStep checkout, Step s
 where
   j.getATriggerEvent() = e and
@@ -48,5 +50,4 @@ where
     // excluding privileged workflows since they can be exploited in easier circumstances
     not j.isPrivileged()
   )
-select checkout, "Potential cache poisoning in the context of the default branch on step $@.", s,
-  s.toString()
+select s, checkout, s, "Potential cache poisoning in the context of the default branch" 
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -3,7 +3,7 @@
  * @description Priveleged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.
- * @kind problem
+ * @kind path-problem
  * @problem.severity error
  * @precision very-high
  * @security-severity 9.3
@@ -17,12 +17,14 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 
-from LocalJob j, PRHeadCheckoutStep checkout
+query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }
+
+from LocalJob j, PRHeadCheckoutStep checkout, PoisonableStep s
 where
   j = checkout.getEnclosingJob() and
   j.getAStep() = checkout and
   // the checkout is followed by a known poisonable step
-  checkout.getAFollowingStep() instanceof PoisonableStep and
+  checkout.getAFollowingStep() = s and
   // the checkout is not controlled by an access check
   not exists(ControlCheck check | check.dominates(checkout)) and
   // the checkout occurs in a privileged context
@@ -31,4 +33,4 @@ where
     or
     inPrivilegedExternallyTriggerableJob(checkout)
   )
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
+select s, checkout, s, "Potential unsafe checkout of untrusted code on a privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test8.yml
@@ -0,0 +1,48 @@
+run-name: Cleanup ${{ github.head_ref }}
+on:
+  pull_request_target:
+    types: labeled
+    paths:
+      - 'images/**'
+
+jobs:
+  clean_ci:
+    name: Clean CI runs
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+    steps:
+      - env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: pwsh
+        run: |
+          $startDate = Get-Date -UFormat %s
+          $workflows = @("macos11", "macos12", "ubuntu2004", "ubuntu2204", "windows2019", "windows2022")
+          while ($true) {
+            $continue = $false
+            foreach ($wf in $workflows) {
+              $skippedCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status skipped --json databaseId"
+              $skippedIds = Invoke-Expression -Command $skippedCommand | ConvertFrom-Json | ForEach-Object { $_.databaseId }
+              $skippedIds | ForEach-Object {
+                $deleteCommand = "gh run delete --repo ${{ github.repository }} $_"
+                Invoke-Expression -Command $deleteCommand
+              }
+              $pendingCommand = "gh run list --workflow ${wf}.yml --branch ${{ github.event.pull_request.head.ref }} --repo ${{ github.repository }} --status requested --json databaseId --template '{{ . | len }}'"
+              $pending = Invoke-Expression -Command $pendingCommand
+              if ($pending -gt 0) {
+                Write-Host "Pending for ${wf}.yml: $pending run(s)"
+                $continue = $true
+              }
+            }
+            if ($continue -eq $false) {
+              Write-Host "All done, exiting"
+              break
+            }
+            $curDate = Get-Date -UFormat %s
+            if (($curDate - $startDate) -gt 60) {
+              Write-Host "Reached timeout, exiting"
+              break
+            }
+            Write-Host "Waiting 5 seconds..."
+            Start-Sleep -Seconds 5
+          }
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -249,6 +249,8 @@ nodes
 | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs |
 | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref |
 | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref |
+| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -348,6 +350,8 @@ subpaths
 | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} |
 | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} |
 | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} |
+| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
+| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
 | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |
 | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -249,6 +249,8 @@ nodes
 | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs |
 | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref |
 | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref |
+| .github/workflows/test8.yml:24:76:24:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
+| .github/workflows/test8.yml:30:76:30:116 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
