Fix tj-actions/changed-files sources

Alvaro Muñoz · Alvaro Muñoz · commit 778c6ad923c5 · 2024-05-08T09:43:32.000+02:00
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -263,7 +263,7 @@ private class ArtifactSource extends RemoteFlowSource {
 /**
  * A list of file names returned by dorny/paths-filter.
  */
-private class DornyPathsFilterSource extends RemoteFlowSource {
+class DornyPathsFilterSource extends RemoteFlowSource {
   DornyPathsFilterSource() {
     exists(UsesStep u |
       u.getCallee() = "dorny/paths-filter" and
@@ -274,3 +274,39 @@ private class DornyPathsFilterSource extends RemoteFlowSource {
 
   override string getSourceType() { result = "filename" }
 }
+
+/**
+ * A list of file names returned by tj-actions/changed-files.
+ */
+class TJActionsChangedFilesSource extends RemoteFlowSource {
+  TJActionsChangedFilesSource() {
+    exists(UsesStep u |
+      u.getCallee() = "tj-actions/changed-files" and
+      (
+        u.getArgument("safe_output") = "false" or
+        u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 41
+      ) and
+      this.asExpr() = u
+    )
+  }
+
+  override string getSourceType() { result = "filename" }
+}
+
+/**
+ * A list of file names returned by tj-actions/verify-changed-files.
+ */
+class TJActionsVerifyChangedFilesSource extends RemoteFlowSource {
+  TJActionsVerifyChangedFilesSource() {
+    exists(UsesStep u |
+      u.getCallee() = "tj-actions/verify-changed-files" and
+      (
+        u.getArgument("safe_output") = "false" or
+        u.getVersion().regexpReplaceAll("^v", "").regexpReplaceAll("\\..*", "").toInt() < 17
+      ) and
+      this.asExpr() = u
+    )
+  }
+
+  override string getSourceType() { result = "filename" }
+}
diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -5,6 +5,7 @@
 private import actions
 private import codeql.util.Unit
 private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.FlowSources
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
 
@@ -43,10 +44,6 @@ predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) {
   )
 }
 
-class EnvToRunTaintStep extends AdditionalTaintStep {
-  override predicate step(DataFlow::Node node1, DataFlow::Node node2) { envToRunStep(node1, node2) }
-}
-
 /**
  * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script.
  * e.g.
@@ -119,28 +116,57 @@ predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) {
   )
 }
 
-class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep {
-  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    artifactDownloadToUseStep(node1, node2)
-  }
-}
-
 /**
  * A read of the _files field of the dorny/paths-filter action.
  */
 predicate dornyPathsFilterTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
-  exists(UsesStep u, StepsExpression o |
-    u.getCallee() = "dorny/paths-filter" and
-    u.getArgument("list-files") = ["csv", "json"] and
-    u = pred.asExpr() and
-    o.getStepId() = u.getId() and
+  exists(StepsExpression o |
+    pred instanceof DornyPathsFilterSource and
+    o.getStepId() = pred.asExpr().(UsesStep).getId() and
     o.getFieldName().matches("%_files") and
     succ.asExpr() = o
   )
 }
 
-class DornyPathsFilterTaintStep extends AdditionalTaintStep {
+/**
+ * A read of user-controlled field of the tj-actions/changed-files action.
+ */
+predicate tjActionsChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(StepsExpression o |
+    pred instanceof TJActionsChangedFilesSource and
+    o.getTarget() = pred.asExpr() and
+    o.getStepId() = pred.asExpr().(UsesStep).getId() and
+    o.getFieldName() =
+      [
+        "added_files", "copied_files", "deleted_files", "modified_files", "renamed_files",
+        "all_old_new_renamed_files", "type_changed_files", "unmerged_files", "unknown_files",
+        "all_changed_and_modified_files", "all_changed_files", "other_changed_files",
+        "all_modified_files", "other_modified_files", "other_deleted_files", "modified_keys",
+        "changed_keys"
+      ] and
+    succ.asExpr() = o
+  )
+}
+
+/**
+ * A read of user-controlled field of the tj-actions/verify-changed-files action.
+ */
+predicate tjActionsVerifyChangedFilesTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(StepsExpression o |
+    pred instanceof TJActionsChangedFilesSource and
+    o.getTarget() = pred.asExpr() and
+    o.getStepId() = pred.asExpr().(UsesStep).getId() and
+    o.getFieldName() = "changed_files" and
+    succ.asExpr() = o
+  )
+}
+
+class TaintSteps extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    dornyPathsFilterTaintStep(node1, node2)
+    envToRunStep(node1, node2) or
+    artifactDownloadToUseStep(node1, node2) or
+    dornyPathsFilterTaintStep(node1, node2) or
+    tjActionsChangedFilesTaintStep(node1, node2) or
+    tjActionsVerifyChangedFilesTaintStep(node1, node2)
   }
 }
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
diff --git a/ql/lib/ext/tj-actions_verify-changed-files.model.yml b/ql/lib/ext/tj-actions_verify-changed-files.model.yml
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/changed-files.yml
@@ -2,8 +2,6 @@ name: CI
 
 on:
   pull_request:
-    branches:
-      - main
 
 jobs:
   changed_files:
@@ -13,13 +11,32 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Get changed files
-        id: changed-files
+
+      - name: Get changed files 1
+        id: changed-files1
         uses: tj-actions/changed-files@v40
+      - name: List all changed files 1
+        run: |
+          for file in ${{ steps.changed-files1.outputs.all_changed_files }}; do
+            echo "$file was changed"
+          done
 
-      - name: List all changed files
+      - name: Get changed files 2
+        id: changed-files2
+        uses: tj-actions/changed-files@v41
+      - name: List all changed files 2
         run: |
-          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+          for file in ${{ steps.changed-files2.outputs.all_changed_files }}; do
             echo "$file was changed"
           done
 
+      - name: Get changed files 3
+        id: changed-files3
+        uses: tj-actions/changed-files@v41
+        with:
+          safe_output: false
+      - name: List all changed files 3
+        run: |
+          for file in ${{ steps.changed-files3.outputs.all_changed_files }}; do
+            echo "$file was changed"
+          done
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -6,7 +6,8 @@ edges
 | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id |
-| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files |
 | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log |
 | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
@@ -82,8 +83,10 @@ nodes
 | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
-| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
-| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | semmle.label | Uses Step: changed-files1 |
+| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 |
+| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files |
 | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log |
 | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
@@ -242,7 +245,8 @@ nodes
 | action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body |
 subpaths
 #select
-| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} |
+| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} |
+| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | ${{ steps.changed-files3.outputs.all_changed_files }} |
 | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} |
 | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} |
 | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
@@ -6,7 +6,8 @@ edges
 | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning1.yml:22:14:22:55 | echo "::set-output name=id::$(<pr-id.txt)" | .github/workflows/artifactpoisoning1.yml:20:9:24:6 | Run Step: pr [id] |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id |
-| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files |
 | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log |
 | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
@@ -82,8 +83,10 @@ nodes
 | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
 | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | semmle.label | Uses Step: pr |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | semmle.label | steps.pr.outputs.id |
-| .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
-| .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | semmle.label | Uses Step: changed-files1 |
+| .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | semmle.label | steps.changed-files1.outputs.all_changed_files |
+| .github/workflows/changed-files.yml:33:9:38:6 | Uses Step: changed-files3 | semmle.label | Uses Step: changed-files3 |
+| .github/workflows/changed-files.yml:40:24:40:76 | steps.changed-files3.outputs.all_changed_files | semmle.label | steps.changed-files3.outputs.all_changed_files |
 | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log |
 | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
