fix: add path checks

Alvaro Muñoz · Alvaro Muñoz · commit 6eef51e41544 · 2024-09-06T17:22:44.000+02:00
diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
@@ -35,6 +35,12 @@ where
       "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", //
       "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", //
       "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", //
-    ]
+    ] and
+  (
+    not exists(checkout.getArgument("path")) and
+    upload.getArgument("path") = [".", "*"]
+    or
+    checkout.getArgument("path") + ["", "/*"] = upload.getArgument("path")
+  )
 select upload, "A secret is exposed in a public artifact uploaded by $@", upload,
   "actions/upload-artifact"
diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
@@ -2,22 +2,63 @@ name: secrets-in-artifacts
 on:
   pull_request:
 jobs:
-  test1:
+  test1: # VULNERABLE
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: "Upload artifact"
         uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
         with:
           name: file
-          path: results
-  test2:
+          path: .
+  test2: # NOT VULNERABLE
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: "Upload artifact"
         uses: actions/upload-artifact@v4
         with:
           name: file
-          path: results
-
+          path: .
+  test3: # VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: "*"
+  test4: # VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: foo
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: foo
+  test5: # VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: foo
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: foo/*
+  test6: # NOT VULNERABLE
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          path: pr 
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: foo
diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
@@ -1 +1,4 @@
 | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact |
+| .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:27:9:32:2 | Uses Step | actions/upload-artifact |
+| .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:38:9:43:2 | Uses Step | actions/upload-artifact |
+| .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:49:9:54:2 | Uses Step | actions/upload-artifact |
