fix(queries): Fix Missing Permissions query

Alvaro Muñoz · Alvaro Muñoz · commit ab8dd599b75f · 2024-07-31T11:45:30.000+02:00
If a job is only triggered by `workflow_call`, we dont report any issues
since they should be reported on the calling workflows
diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -13,11 +13,13 @@
 
 import actions
 
-from Workflow workflow, Job job
+from Job job
 where
-  job = workflow.getAJob() and
-  (
-    not exists(workflow.getPermissions()) and
-    not exists(job.getPermissions())
+  not exists(job.getPermissions()) and
+  not exists(job.getEnclosingWorkflow().getPermissions()) and
+  // exists a trigger event that is not a workflow_call
+  exists(Event e |
+    e = job.getATriggerEvent() and
+    not e.getName() = "workflow_call"
   )
 select job, "Actions Job or Workflow does not set permissions"
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
@@ -0,0 +1,16 @@
+on:
+  pull_request
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+  test:
+    name: Build and test
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+    - uses: actions/checkout@v2
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
@@ -0,0 +1,11 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
@@ -0,0 +1,12 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -1 +1,3 @@
-| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |
