Merge pull request #41 from GitHubSecurityLab/env_injection

New Artifact Poisoning and EnvVar Injection queries

Author: Alvaro Muñoz

ql/lib/codeql/actions/Ast.qll

@@ -38,7 +38,9 @@ class AstNode instanceof AstNodeImpl {
   Expression getInScopeEnvVarExpr(string name) { result = super.getInScopeEnvVarExpr(name) }
 }
 
-class ScalarValue extends AstNode instanceof ScalarValueImpl { }
+class ScalarValue extends AstNode instanceof ScalarValueImpl {
+  string getValue() { result = super.getValue() }
+}
 
 class Expression extends AstNode instanceof ExpressionImpl {
   string expression;
@@ -218,6 +220,8 @@ abstract class Uses extends AstNode instanceof UsesImpl {
 
   string getVersion() { result = super.getVersion() }
 
+  string getArgument(string argName) { result = super.getArgument(argName) }
+
   Expression getArgumentExpr(string argName) { result = super.getArgumentExpr(argName) }
 }
 

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -128,6 +128,8 @@ class ScalarValueImpl extends AstNodeImpl, TScalarValueNode {
   override Location getLocation() { result = value.getLocation() }
 
   override YamlScalar getNode() { result = value }
+
+  string getValue() { result = value.getValue() }
 }
 
 class ExpressionImpl extends AstNodeImpl, TExpressionNode {
@@ -687,7 +689,19 @@ abstract class UsesImpl extends AstNodeImpl {
 
   abstract string getVersion();
 
-  abstract ExpressionImpl getArgumentExpr(string key);
+  /** Gets the argument expression for the given key. */
+  string getArgument(string key) {
+    exists(ScalarValueImpl scalar |
+      scalar.getNode() = this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key) and
+      result = scalar.getValue()
+    )
+  }
+
+  /** Gets the argument expression for the given key (if it exists). */
+  ExpressionImpl getArgumentExpr(string key) {
+    result.getParentNode().getNode() =
+      this.getNode().(YamlMapping).lookup("with").(YamlMapping).lookup(key)
+  }
 }
 
 /**
@@ -719,11 +733,6 @@ class UsesStepImpl extends StepImpl, UsesImpl {
   /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */
   override string getVersion() { result = u.getValue().regexpCapture(usesParser(), 3) }
 
-  /** Gets the argument expression for the given key. */
-  override ExpressionImpl getArgumentExpr(string key) {
-    result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key)
-  }
-
   override string toString() {
     if exists(this.getId()) then result = "Uses Step: " + this.getId() else result = "Uses Step"
   }
@@ -763,11 +772,6 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
       else none()
     )
   }
-
-  /** Gets the argument expression for the given key. */
-  override ExpressionImpl getArgumentExpr(string key) {
-    result.getParentNode().getNode() = n.lookup("with").(YamlMapping).lookup(key)
-  }
 }
 
 class RunImpl extends StepImpl {

ql/lib/codeql/actions/dataflow/FlowSteps.qll

@@ -33,19 +33,19 @@ class AdditionalTaintStep extends Unit {
  *      echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT
  *      echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT"
  */
-predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
-  exists(Run r, string varName, string output |
+predicate envToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
+  exists(Run run, string varName, string output |
     c = any(DataFlow::FieldContent ct | ct.getName() = output.replaceAll("output\\.", "")) and
-    r.getInScopeEnvVarExpr(varName) = pred.asExpr() and
+    run.getInScopeEnvVarExpr(varName) = pred.asExpr() and
     exists(string script, string line |
-      script = r.getScript() and
+      script = run.getScript() and
       line = script.splitAt("\n") and
       (
         output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or
         output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1)
       ) and
       line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0
     ) and
-    succ.asExpr() = r
+    succ.asExpr() = run
   )
 }

ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll

@@ -232,8 +232,24 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) {
     astFrom = nodeFrom.asExpr() and
     astTo = nodeTo.asExpr() and
     (
-      externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or
+      externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName())
+      or
       astTo.getTarget() = astFrom
+      or
+      // e.g:
+      // - run: echo ISSUE_KEY=$(echo "${{ github.event.pull_request.title }}") >> $GITHUB_ENV
+      // - run: echo ${{ env.ISSUE_KEY }}
+      exists(Run run, string script, Expression expr, string line, string key, string value |
+        run.getScript() = script and
+        run.getAnScriptExpr() = expr and
+        line = script.splitAt("\n") and
+        key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and
+        value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and
+        value.indexOf(expr.getRawExpression()) > 0 and
+        key = astTo.getFieldName() and
+        expr = astFrom and
+        expr.getEnclosingWorkflow() = run.getEnclosingWorkflow()
+      )
     )
   )
 }
@@ -312,7 +328,7 @@ predicate fieldStoreStep(Node node1, Node node2, ContentSet c) {
 predicate storeStep(Node node1, ContentSet c, Node node2) {
   fieldStoreStep(node1, node2, c) or
   externallyDefinedStoreStep(node1, node2, c) or
-  runEnvToScriptStoreStep(node1, node2, c)
+  envToOutputStoreStep(node1, node2, c)
 }
 
 /**

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -0,0 +1,50 @@
+import actions
+
+class ArtifactDownloadStep extends Step {
+  ArtifactDownloadStep() {
+    // eg: - uses: dawidd6/action-download-artifact@v2
+    this.(UsesStep).getCallee() = "dawidd6/action-download-artifact" and
+    // exclude downloads outside the current directory
+    // TODO: add more checks to make sure the artifacts can be controlled
+    not exists(this.(UsesStep).getArgumentExpr("path"))
+    or
+    // eg:
+    // - uses: actions/github-script@v6
+    //   with:
+    //     script: |
+    //       let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+    //           owner: context.repo.owner,
+    //           repo: context.repo.repo,
+    //           run_id: context.payload.workflow_run.id,
+    //       });
+    //       let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+    //           return artifact.name == "<ARTEFACT_NAME>"
+    //       })[0];
+    //       let download = await github.rest.actions.downloadArtifact({
+    //           owner: context.repo.owner,
+    //           repo: context.repo.repo,
+    //           artifact_id: matchArtifact.id,
+    //           archive_format: 'zip',
+    //       });
+    this.(UsesStep).getCallee() = "actions/github-script" and
+    exists(string script |
+      this.(UsesStep).getArgument("script") = script and
+      script.matches("%listWorkflowRunArtifacts(%") and
+      script.matches("%downloadArtifact(%")
+    )
+    or
+    // eg: - run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
+    this.(Run).getScript().splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*")
+    or
+    // eg:
+    // run: |
+    //   artifacts_url=${{ github.event.workflow_run.artifacts_url }}
+    //   gh api "$artifacts_url" -q '.artifacts[] | [.name, .archive_download_url] | @tsv' | while read artifact
+    //   do
+    //     IFS=$'\t' read name url <<< "$artifact"
+    //     gh api $url > "$name.zip"
+    //     unzip -d "$name" "$name.zip"
+    //   done
+    this.(Run).getScript().splitAt("\n").matches("%github.event.workflow_run.artifacts_url%")
+  }
+}

ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -0,0 +1,37 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+predicate writeToGithubEnvSink(DataFlow::Node exprNode, string key, string value) {
+  exists(Expression expr, Run run, string script, string line |
+    script = run.getScript() and
+    line = script.splitAt("\n") and
+    key = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 1) and
+    value = line.regexpCapture("echo\\s+([^=]+)\\s*=(.*)>>\\s*\\$GITHUB_ENV", 2) and
+    expr = exprNode.asExpr() and
+    run.getAnScriptExpr() = expr and
+    value.indexOf(expr.getRawExpression()) > 0
+  )
+}
+
+private class EnvVarInjectionSink extends DataFlow::Node {
+  EnvVarInjectionSink() {
+    writeToGithubEnvSink(this, _, _) or
+    externallyDefinedSink(this, "envvar-injection")
+  }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate an environment variable.
+ */
+private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof EnvVarInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
+module EnvVarInjectionFlow = TaintTracking::Global<EnvVarInjectionConfig>;

ql/src/Security/CWE-077/EnvVarInjection.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/envvar-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-077
+ *       external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink
+where EnvVarInjectionFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+  "Potential environment variable injection in $@, which may be controlled by an external user.",
+  sink, sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-077/PrivilegedEnvVarInjection.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Enviroment Variable built from user-controlled sources
+ * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-envvar-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-077
+ *       external/cwe/cwe-020
+ */
+
+import actions
+import codeql.actions.security.EnvVarInjectionQuery
+import EnvVarInjectionFlow::PathGraph
+
+predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
+  w.getATriggerEvent() = trigger and
+  count(string t | w.getATriggerEvent() = t | t) = 1
+}
+
+from EnvVarInjectionFlow::PathNode source, EnvVarInjectionFlow::PathNode sink, Workflow w
+where
+  EnvVarInjectionFlow::flowPath(source, sink) and
+  w = source.getNode().asExpr().getEnclosingWorkflow() and
+  not isSingleTriggerWorkflow(w, "pull_request")
+select sink.getNode(), source, sink,
+  "Potential privileged environment variable injection in $@, which may be controlled by an external user.",
+  sink, sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-829/ArtifactPoisoning.ql

@@ -0,0 +1,44 @@
+/**
+ * @name Artifact poisoning
+ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 9.3
+ * @id actions/artifact-poisoning
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+
+predicate isSingleTriggerWorkflow(Workflow w, string trigger) {
+  w.getATriggerEvent() = trigger and
+  count(string t | w.getATriggerEvent() = t | t) = 1
+}
+
+from Workflow w, LocalJob job, ArtifactDownloadStep download, Step run
+where
+  w = job.getWorkflow() and
+  (
+    // The Workflow is triggered by an event other than `pull_request`
+    not isSingleTriggerWorkflow(w, "pull_request")
+    or
+    // The Workflow is only triggered by `workflow_call` and there is
+    // a caller workflow triggered by an event other than `pull_request`
+    isSingleTriggerWorkflow(w, "workflow_call") and
+    exists(ExternalJob call, Workflow caller |
+      call.getCallee() = w.getLocation().getFile().getRelativePath() and
+      caller = call.getWorkflow() and
+      not isSingleTriggerWorkflow(caller, "pull_request")
+    )
+  ) and
+  (run instanceof Run or run instanceof UsesStep) and
+  exists(int i, int j |
+    job.getStep(i) = download and
+    job.getStep(j) = run and
+    i < j
+  )
+select download, "Potential artifact poisoning."

ql/src/Security/CWE-829/UntrustedCheckout.ql

@@ -5,7 +5,7 @@
  *              that is able to push to the base repository and to access secrets.
  * @kind problem
  * @problem.severity warning
- * @precision low
+ * @precision medium
  * @security-severity 9.3
  * @id actions/untrusted-checkout
  * @tags actions