env var injection query

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -0,0 +1,36 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+predicate writeToGithubEnvSink(DataFlow::Node sink) {
+  exists(Expression expr, Run run, string script, string line, string value |
+    script = run.getScript() and
+    line = script.splitAt("\n") and
+    value = line.regexpCapture("echo\\s+.*\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and
+    expr = sink.asExpr() and
+    run.getAnScriptExpr() = expr and
+    value.indexOf(expr.getRawExpression()) > 0
+  )
+}
+
+private class EnvVarInjectionSink extends DataFlow::Node {
+  EnvVarInjectionSink() {
+    writeToGithubEnvSink(this) or
+    externallyDefinedSink(this, "envvar-injection")
+  }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate an environment variable.
+ */
+private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
+module EnvVarInjectionFlow = TaintTracking::Global<EnvVarInjectionConfig>;

ql/src/Security/CWE-077/EnvVarInjection.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/envvar-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-077
+ *       external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
+where EnvVarInjectionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Potential environment variable injection in $@, which may be controlled by an external user.",
+  sink, sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-envvar-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-077
+ *       external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w
+where
+  EnvVarInjectionFlow::flowPath(source, sink) and
+  w = source.getNode().asExpr().getEnclosingWorkflow() and
+  w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+select sink.getNode(), source, sink,
+  "Potential privileged environment variable injection in $@, which may be controlled by an external user.",
+  sink, sink.getNode().asExpr().(Expression).getRawExpression()

ql/test/query-tests/Security/CWE-077/.github/workflows/test1.yml

@@ -0,0 +1,25 @@
+name: Pull Request Open
+
+on:
+  pull_request_target:
+    branches:
+      - main
+      - 14.0.x
+
+    types:
+      - opened
+      - reopened
+
+jobs:
+  updateJira:
+    if: github.actor != 'dependabot[bot]'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Extract Jira Key
+        run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
+
+
+

ql/test/query-tests/Security/CWE-077/.github/workflows/test2.yml

@@ -0,0 +1,73 @@
+# https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability-0
+# https://github.com/firebase/friendlyeats-web/commit/df65aefd24cf6f092a27a5576067ff9f29aa2ef1
+name: Deploy Preview
+on: 
+  workflow_run:
+    workflows: ["Generate Preview"]
+    types:
+      - completed
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    if: >
+      ${{ github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - name: 'Download artifact'
+        uses: actions/[email protected]
+        with:
+          script: |
+            var artifacts = await github.actions.listWorkflowRunArtifacts({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               run_id: ${{ github.event.workflow_run.id }},
+            });
+            var matchPrArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "pr"
+            })[0];
+            var matchPreviewArtifact = artifacts.data.artifacts.filter((artifact) => {
+              return artifact.name == "preview"
+            })[0];
+            var downloadPr = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchPrArtifact.id,
+               archive_format: 'zip',
+            });
+            var downloadPreview = await github.actions.downloadArtifact({
+               owner: context.repo.owner,
+               repo: context.repo.repo,
+               artifact_id: matchPreviewArtifact.id,
+               archive_format: 'zip',
+            });
+            var fs = require('fs');
+            fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(downloadPr.data));
+            fs.writeFileSync('${{github.workspace}}/firestore-web.zip', Buffer.from(downloadPreview.data));
+      - run: |
+          unzip pr.zip
+          echo "pr_number=$(cat NR)" >> $GITHUB_ENV
+          mkdir firestore-web
+          unzip firestore-web.zip -d firestore-web
+      - name: Deploy preview
+        id: deploy_preview
+        uses: FirebaseExtended/action-hosting-deploy@v0
+        with:
+          repoToken: '${{ secrets.GITHUB_TOKEN }}'
+          firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_FIR_CODELABS_89252 }}'
+          projectId: fir-codelabs-89252
+          entryPoint: firestore-web
+          channelId: firestore-web-${{ env.pr_number }}
+        env:
+          FIREBASE_CLI_PREVIEWS: hostingchannels
+      - name: Write Comment
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            await github.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: ${{ env.pr_number }},
+              body: 'View preview ${{ steps.deploy_preview.outputs.details_url }}'
+            });

ql/test/query-tests/Security/CWE-077/.github/workflows/test3.yml

@@ -0,0 +1,64 @@
+# https://www.legitsecurity.com/blog/-how-we-found-another-github-action-environment-injection-vulnerability-in-a-google-project
+# https://github.com/google/orbit/commit/6cd71a3f1eec098d0de61bf9bb742737cb3aa5fa
+name: report-checks
+on:
+  workflow_run:
+    workflows: ['checks']
+    types:
+      - completed
+permissions: read-all
+jobs:
+
+  report-clang-tidy-diff:
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Download PR metadata
+      uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
+      with:
+        workflow: ${{ github.event.workflow_run.workflow_id }}
+        workflow_conclusion: ''
+        name: pr_metadata
+        if_no_artifact_found: 'ignore'
+    - name: Download clang_tidy_fixes
+      uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
+      with:
+        workflow: ${{ github.event.workflow_run.workflow_id }}
+        workflow_conclusion: ''
+        name: clang_tidy_fixes
+        if_no_artifact_found: 'ignore'
+    - name: Set found_files
+      id: set_found_files
+      run: |
+        if [ -f clang-tidy-fixes.yml ] && [ -f pr_number.txt ] && [ -f pr_head_repo.txt ] && [ -f pr_head_ref.txt ]; then
+          echo "found_files=true" >> $GITHUB_OUTPUT
+        else
+          echo "found_files=false" >> $GITHUB_OUTPUT
+        fi
+    - run: |
+         echo "PR_NUMBER=$(cat pr_number.txt | jq -r .)" >> $GITHUB_ENV
+         echo "PR_HEAD_REPO=$(cat pr_head_repo.txt | jq -Rr .)" >> $GITHUB_ENV
+         echo "PR_HEAD_REF=$(cat pr_head_ref.txt | jq -Rr .)" >> $GITHUB_ENV
+      if: steps.set_found_files.outputs.found_files == 'true'
+    - uses: actions/checkout@v3
+      if: steps.set_found_files.outputs.found_files == 'true'
+      with:
+        repository: ${{ env.PR_HEAD_REPO }}
+        ref: ${{ env.PR_HEAD_REF }}
+        persist-credentials: false
+    - name: Redownload clang_tidy_fixes
+      if: steps.set_found_files.outputs.found_files == 'true'
+      uses: dawidd6/action-download-artifact@e6e25ac3a2b93187502a8be1ef9e9603afc34925 # v2.24.2
+      with:
+        workflow: ${{ github.event.workflow_run.workflow_id }}
+        workflow_conclusion: ''
+        name: clang_tidy_fixes
+        if_no_artifact_found: 'ignore'
+    - uses: platisd/clang-tidy-pr-comments@89ea1b828cdac1a6ec993d225972adea3b8841b6
+      if: steps.set_found_files.outputs.found_files == 'true'
+      with:
+        github_token: ${{ secrets.ORBITPROFILER_BOT_PAT }}
+        clang_tidy_fixes: clang-tidy-fixes.yml
+        pull_request_id: ${{ env.PR_NUMBER }}
+

ql/test/query-tests/Security/CWE-077/EnvVarInjection.qlref

@@ -0,0 +1 @@
+Security/CWE-077/EnvVarInjection.ql

ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.qlref

@@ -0,0 +1 @@
+Security/CWE-077/PrivilegedEnvVarInjection.ql

ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml

@@ -1,4 +1,4 @@
-jn: push
+on: push
 
 jobs:
   job0:
@@ -36,7 +36,7 @@ jobs:
 
     if: ${{ always() }}
 
-    needs: job1
+    needs: job
 
     steps:
       - id: sink