Treat If's values as expression no matter the delimiters

Alvaro Muñoz · Alvaro Muñoz · commit 839d16cde563 · 2024-03-13T18:41:17.000+01:00
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
@@ -1,6 +1,16 @@
 private import codeql.actions.ast.internal.Ast
 private import codeql.Locations
 
+module Utils {
+  bindingset[expr]
+  string normalizeExpr(string expr) {
+    result =
+      expr.regexpReplaceAll("[\\.\\'\\[\\]\"]+", ".")
+          .regexpReplaceAll("\\.$", "")
+          .regexpReplaceAll("\\.\\s", " ")
+  }
+}
+
 class AstNode instanceof AstNodeImpl {
   AstNode getAChildNode() { result = super.getAChildNode() }
 
@@ -188,6 +198,8 @@ class Step extends AstNode instanceof StepImpl {
  */
 class If extends AstNode instanceof IfImpl {
   string getCondition() { result = super.getCondition() }
+
+  Expression getConditionExpr() { result = super.getConditionExpr() }
 }
 
 abstract class Uses extends AstNode instanceof UsesImpl {
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -45,6 +45,14 @@ private newtype TAstNode =
         )
       )
     )
+    or
+    // if's conditions do not need to be delimted with ${{}}
+    exists(YamlMapping m |
+      m.maps(key, value) and
+      key.(YamlScalar).getValue() = ["if"] and
+      value.getValue() = raw and
+      exprOffset = 1
+    )
   } or
   TCompositeAction(YamlMapping n) {
     n instanceof YamlDocument and
@@ -123,7 +131,7 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode {
 
   override Location getLocation() { result = value.getLocation() }
 
-  override YamlNode getNode() { result = value }
+  override YamlScalar getNode() { result = value }
 }
 
 class ExpressionImpl extends AstNodeImpl, TExpressionNode {
@@ -135,15 +143,16 @@ class ExpressionImpl extends AstNodeImpl, TExpressionNode {
 
   ExpressionImpl() {
     this = TExpressionNode(key, value, rawExpression, exprOffset - 1) and
-    expression =
-      rawExpression.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1)
+    if rawExpression.trim().regexpMatch("\\$\\{\\{.*\\}\\}")
+    then expression = rawExpression.trim().regexpCapture("\\$\\{\\{\\s*(.*)\\s*\\}\\}", 1).trim()
+    else expression = rawExpression.trim()
   }
 
   override string toString() { result = expression }
 
   override AstNodeImpl getAChildNode() { none() }
 
-  override AstNodeImpl getParentNode() { result.getNode() = value }
+  override ScalarValueImpl getParentNode() { result.getNode() = value }
 
   override string getAPrimaryQlClass() { result = "ExpressionNode" }
 
@@ -638,6 +647,9 @@ class IfImpl extends AstNodeImpl, TIfNode {
 
   /** Gets the condition that must be satisfied for this job to run. */
   string getCondition() { result = n.(YamlScalar).getValue() }
+
+  /** Gets the condition that must be satisfied for this job to run. */
+  ExpressionImpl getConditionExpr() { result.getParentNode().getNode() = n }
 }
 
 class EnvImpl extends AstNodeImpl, TEnvNode {
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
@@ -18,29 +18,32 @@ import actions
 /** An If node that contains an actor, user or label check */
 class ControlCheck extends If {
   ControlCheck() {
-    this.getCondition().regexpMatch(".*github\\.(triggering_)?actor.*") or
-    this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.user\\.login.*") or
-    this.getCondition().regexpMatch(".*github\\.event\\.pull_request\\.labels.*") or
-    this.getCondition().regexpMatch(".*github\\.event\\.label\\.name.*")
+    Utils::normalizeExpr(this.getCondition())
+        .regexpMatch([
+            ".*github\\.actor.*", ".*github\\.triggering_actor.*",
+            ".*github\\.event\\.pull_request\\.user\\.login.*",
+            ".*github\\.event\\.pull_request\\.labels.*", ".*github\\.event\\.label\\.name.*"
+          ])
   }
 }
 
 bindingset[s]
 predicate containsHeadRef(string s) {
-  s.matches("%" +
-      [
-        "github.event.number", // The pull request number.
-        "github.event.pull_request.head.ref", // The ref name of head.
-        "github.event.pull_request.head.sha", //  The commit SHA of head.
-        "github.event.pull_request.id", // The pull request ID.
-        "github.event.pull_request.number", // The pull request number.
-        "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit.
-        "github.head_ref", // The head_ref or source branch of the pull request in a workflow run.
-        "github.event.workflow_run.head_branch", // The branch of the head commit.
-        "github.event.workflow_run.head_commit.id", // The SHA of the head commit.
-        "github.event.workflow_run.head_sha", // The SHA of the head commit.
-        "env.GITHUB_HEAD_REF",
-      ] + "%")
+  Utils::normalizeExpr(s)
+      .matches("%" +
+          [
+            "github.event.number", // The pull request number.
+            "github.event.pull_request.head.ref", // The ref name of head.
+            "github.event.pull_request.head.sha", //  The commit SHA of head.
+            "github.event.pull_request.id", // The pull request ID.
+            "github.event.pull_request.number", // The pull request number.
+            "github.event.pull_request.merge_commit_sha", // The SHA of the merge commit.
+            "github.head_ref", // The head_ref or source branch of the pull request in a workflow run.
+            "github.event.workflow_run.head_branch", // The branch of the head commit.
+            "github.event.workflow_run.head_commit.id", // The SHA of the head commit.
+            "github.event.workflow_run.head_sha", // The SHA of the head commit.
+            "env.GITHUB_HEAD_REF",
+          ] + "%")
 }
 
 /** Checkout of a Pull Request HEAD ref */
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
@@ -190,7 +190,7 @@ parentNodes
 | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
 | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
 | .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
-| .github/workflows/test.yml:34:10:34:24 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
+| .github/workflows/test.yml:34:11:34:25 | always() | .github/workflows/test.yml:34:9:34:23 | ${{ always() }} |
 | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:1:1:40:53 | on: push |
 | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
 | .github/workflows/test.yml:36:12:36:15 | job1 | .github/workflows/test.yml:32:5:40:53 | Job: job2 |
@@ -415,3 +415,8 @@ calls
 | .github/workflows/test.yml:19:9:26:6 | Uses Step: step | mad9000/actions-find-and-replace-string |
 needs
 | .github/workflows/test.yml:40:20:40:53 | needs.job1.outputs.job_output |
+testNormalizeExpr
+| foo['bar'] == baz | foo.bar == baz |
+| github.event.pull_request.user["login"] | github.event.pull_request.user.login |
+| github.event.pull_request.user['login'] | github.event.pull_request.user.login |
+| github.event.pull_request['user']['login'] | github.event.pull_request.user.login |
diff --git a/ql/test/library-tests/test.ql b/ql/test/library-tests/test.ql
@@ -1,4 +1,5 @@
 import codeql.actions.Ast
+import codeql.actions.Ast::Utils as Utils
 import codeql.actions.Cfg as Cfg
 import codeql.actions.DataFlow
 import codeql.Locations
@@ -59,3 +60,12 @@ query predicate summaries(string action, string version, string input, string ou
 query predicate calls(DataFlow::CallNode call, string callee) { callee = call.getCallee() }
 
 query predicate needs(DataFlow::Node e) { e.asExpr() instanceof NeedsExpression }
+
+query string testNormalizeExpr(string s) {
+  s =
+    [
+      "github.event.pull_request.user['login']", "github.event.pull_request.user[\"login\"]",
+      "github.event.pull_request['user']['login']", "foo['bar'] == baz"
+    ] and
+  result = Utils::normalizeExpr(s)
+}
diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
@@ -3,6 +3,7 @@ edges
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
@@ -58,6 +59,8 @@ nodes
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
 | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body |
@@ -187,6 +190,7 @@ nodes
 subpaths
 #select
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | steps.remove_quotations.outputs.replaced |
+| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | env.log |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | github.event.comment.body |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | github.event.comment.body |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | github.event.issue.body |
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected
@@ -3,6 +3,7 @@ edges
 | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE |
 | .github/workflows/argus_case_study.yml:22:20:22:39 | env.ISSUE_TITLE | .github/workflows/argus_case_study.yml:15:9:24:6 | Uses Step: remove_quotations [replaced] |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:39:31:39:75 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] | .github/workflows/cross3.yml:57:29:57:73 | steps.remove_quotations.outputs.replaced |
 | .github/workflows/cross3.yml:32:18:32:53 | github.event.commits[0].message | .github/workflows/cross3.yml:27:7:37:4 | Uses Step: remove_quotations [replaced] |
@@ -58,6 +59,8 @@ nodes
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | semmle.label | steps.remove_quotations.outputs.replaced |
 | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | semmle.label | Uses Step: changed-files |
 | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | semmle.label | steps.changed-files.outputs.all_changed_files |
+| .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/changelog.yml:58:26:58:39 | env.log | semmle.label | env.log |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | semmle.label | github.event.issue.body |
@@ -188,6 +191,7 @@ subpaths
 #select
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
 | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} |
+| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential expression injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/auto_ci.yml
diff --git a/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected b/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
