Add pull_request-comment-branch head_ref as a source

Alvaro Muñoz · Alvaro Muñoz · commit 61797e918076 · 2024-06-25T13:27:08.000+02:00
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -133,7 +133,11 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
       or
       // 3rd party actions returning the PR head sha/ref
       exists(UsesStep step |
-        step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+        step.getCallee() =
+          [
+            "eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch",
+            "alessbell/pull-request-comment-branch", "gotson/pull-request-comment-branch"
+          ] and
         this.getArgument("ref").regexpMatch(".*head_sha.*") and
         DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
       )
diff --git a/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/alessbell_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSourceModel
+    data:
+      - ["alessbell/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
diff --git a/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml b/ql/lib/ext/manual/eficode_resolve-pr-refs.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSourceModel
+    data:
+      - ["eficode/resolve-pr-refs", "*", "output.head_ref", "branch", "manual"]
+
+
diff --git a/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/gotson_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSourceModel
+    data:
+      - ["gotson/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
diff --git a/ql/lib/ext/manual/tj-actions_branch-names.model.yml b/ql/lib/ext/manual/tj-actions_branch-names.model.yml
@@ -6,5 +6,3 @@ extensions:
       # https://github.com/tj-actions/branch-names
       - ["tj-actions/branch-names", "*", "output.current_branch", "branch", "manual"]
       - ["tj-actions/branch-names", "*", "output.head_ref_branch", "branch", "manual"]
-      - ["tj-actions/branch-names", "*", "output.ref_branch", "branch", "manual"]
-
diff --git a/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml b/ql/lib/ext/manual/xt0rted_pull-request-comment-branch.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSourceModel
+    data:
+      - ["xt0rted/pull-request-comment-branch", "*", "output.head_ref", "branch", "manual"]
+
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
@@ -619,12 +619,15 @@ scopes
 sources
 | ahmadnassri/action-changed-files | * | output.files | filename | manual |
 | ahmadnassri/action-changed-files | * | output.json | json | manual |
+| alessbell/pull-request-comment-branch | * | output.head_ref | branch | manual |
 | amannn/action-semantic-pull-request | * | output.error_message | text | manual |
 | cypress-io/github-action | * | env.GH_BRANCH | branch | manual |
 | dawidd6/action-download-artifact | * | output.artifacts | artifact | manual |
+| eficode/resolve-pr-refs | * | output.head_ref | branch | manual |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_DESCRIPTION | text | manual |
 | franzdiebold/github-env-vars-action | * | output.CI_PR_TITLE | title | manual |
 | googlecloudplatform/magic-modules | * | output.changed-files | filename | manual |
+| gotson/pull-request-comment-branch | * | output.head_ref | branch | manual |
 | jitterbit/get-changed-files | * | output.added | filename | manual |
 | jitterbit/get-changed-files | * | output.added_modified | filename | manual |
 | jitterbit/get-changed-files | * | output.all | filename | manual |
@@ -639,12 +642,12 @@ sources
 | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual |
 | tj-actions/branch-names | * | output.current_branch | branch | manual |
 | tj-actions/branch-names | * | output.head_ref_branch | branch | manual |
-| tj-actions/branch-names | * | output.ref_branch | branch | manual |
 | trilom/file-changes-action | * | output.files | filename | manual |
 | trilom/file-changes-action | * | output.files_added | filename | manual |
 | trilom/file-changes-action | * | output.files_modified | filename | manual |
 | trilom/file-changes-action | * | output.files_removed | filename | manual |
 | tzkhan/pr-update-action | * | output.headMatch | branch | manual |
+| xt0rted/pull-request-comment-branch | * | output.head_ref | branch | manual |
 | xt0rted/slash-command-action | * | output.command-arguments | text | manual |
 summaries
 | akhileshns/heroku-deploy | * | input.branch | output.status | taint | manual |
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test7.yml
@@ -0,0 +1,20 @@
+name: Test
+on: issue_comment
+permissions: write-all
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - id: comment-branch
+        uses: xt0rted/pull-request-comment-branch@v2
+        with:
+          repo_token: ${{ github.token }}
+      - id: refs
+        uses: eficode/resolve-pr-refs@main
+        with:
+          token: ${{ github.token }}
+      - run: |
+          echo "HEAD_REF1 from PR: ${{ steps.comment-branch.outputs.head_ref }}"
+      - run: |
+          echo "HEAD_REF2 from PR: ${{ steps.refs.outputs.head_ref }}"
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -65,6 +65,8 @@ edges
 | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance |  |
 | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance |  |
 | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
+| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance |  |
+| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance |  |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance |  |
@@ -243,6 +245,10 @@ nodes
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
 | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo |
+| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch |
+| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs |
+| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref |
+| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -340,6 +346,8 @@ subpaths
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} |
 | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | ${{ toJSON(github.event) }} |
 | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | ${{ toJSON(github.event.comment.body).foo }} |
+| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | ${{ steps.comment-branch.outputs.head_ref }} |
+| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | ${{ steps.refs.outputs.head_ref }} |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
 | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |
 | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:11:19:11:75 | github.event.workflow_run.head_commit.author.email | ${{ github.event.workflow_run.head_commit.author.email }} |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -65,6 +65,8 @@ edges
 | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | provenance |  |
 | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | provenance |  |
 | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | provenance |  |
+| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | provenance |  |
+| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | provenance |  |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value | provenance |  |
@@ -243,6 +245,10 @@ nodes
 | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
 | .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
 | .github/workflows/test5.yml:12:21:12:64 | toJSON(github.event.comment.body).foo | semmle.label | toJSON(github.event.comment.body).foo |
+| .github/workflows/test7.yml:9:9:13:6 | Uses Step: comment-branch | semmle.label | Uses Step: comment-branch |
+| .github/workflows/test7.yml:13:9:17:6 | Uses Step: refs | semmle.label | Uses Step: refs |
+| .github/workflows/test7.yml:18:37:18:80 | steps.comment-branch.outputs.head_ref | semmle.label | steps.comment-branch.outputs.head_ref |
+| .github/workflows/test7.yml:20:37:20:70 | steps.refs.outputs.head_ref | semmle.label | steps.refs.outputs.head_ref |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
