Merge pull request #5 from github/cache_poisoning

Add Cache Poisoning Query

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/CachePoisoningQuery.qll

@@ -0,0 +1,62 @@
+import actions
+
+abstract class CacheWritingStep extends Step { }
+
+class CacheActionUsesStep extends CacheWritingStep, UsesStep {
+  CacheActionUsesStep() { this.getCallee() = "actions/cache" }
+}
+
+class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
+  CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
+}
+
+class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
+  SetupJavaUsesStep() {
+    this.getCallee() = "actions/setup-java" and
+    (
+      exists(this.getArgument("cache")) or
+      exists(this.getArgument("cache-dependency-path"))
+    )
+  }
+}
+
+class SetupGoUsesStep extends CacheWritingStep, UsesStep {
+  SetupGoUsesStep() {
+    this.getCallee() = "actions/setup-go" and
+    (
+      not exists(this.getArgument("cache"))
+      or
+      this.getArgument("cache") = "true"
+    )
+  }
+}
+
+class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
+  SetupNodeUsesStep() {
+    this.getCallee() = "actions/setup-node" and
+    (
+      exists(this.getArgument("cache")) or
+      exists(this.getArgument("cache-dependency-path"))
+    )
+  }
+}
+
+class SetupPythonUsesStep extends CacheWritingStep, UsesStep {
+  SetupPythonUsesStep() {
+    this.getCallee() = "actions/setup-python" and
+    (
+      exists(this.getArgument("cache")) or
+      exists(this.getArgument("cache-dependency-path"))
+    )
+  }
+}
+
+class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
+  SetupDotnetUsesStep() {
+    this.getCallee() = "actions/setup-dotnet" and
+    (
+      this.getArgument("cache") = "true" or
+      exists(this.getArgument("cache-dependency-path"))
+    )
+  }
+}

ql/src/Security/CWE-349/CachePoisoning.ql

@@ -0,0 +1,43 @@
+/**
+ * @name Cache Poisoning
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/cache-poisoning
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+import codeql.actions.security.PoisonableSteps
+
+from LocalJob j, PRHeadCheckoutStep checkout
+where
+  // The workflow runs in the context of the default branch
+  // TODO: (require to collect trigger types)
+  // - add push to default branch?
+  // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
+  j.getEnclosingWorkflow()
+      .hasTriggerEvent([
+          "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork",
+          "gollum", "issue_comment", "issues", "label", "milestone", "project", "project_card",
+          "project_column", "public", "pull_request_comment", "pull_request_target",
+          "repository_dispatch", "schedule", "watch", "workflow_run"
+        ]) and
+  // The job checkouts untrusted code from a pull request
+  j.getAStep() = checkout and
+  (
+    // The job writes to the cache
+    // (No need to follow the checkout step as the cache writing is normally done after the job completes)
+    j.getAStep() instanceof CacheWritingStep
+    or
+    // The job executes checked-out code
+    // (The cache specific token can be leaked even for non-privileged workflows)
+    checkout.getAFollowingStep() instanceof PoisonableStep
+  )
+select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow."

ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml

@@ -0,0 +1,22 @@
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  pr-comment:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: xt0rted/pull-request-comment-branch@v2
+        id: comment-branch
+
+      - uses: actions/checkout@v3
+        if: success()
+        with:
+          ref: ${{ steps.comment-branch.outputs.head_sha }}
+
+      - uses: actions/cache@v2
+        with:
+          path: ./poison
+          key: poison_key
+      - run: |
+          cat poison

ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml

@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+  poison:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/cache@v2
+        with:
+          path: ./poison
+          key: poison_key
+      - run: |
+          cat poison

ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml

@@ -0,0 +1,21 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+  poison:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-java@v2
+        with:
+          distribution: 'zulu'
+          java-version: '21'
+          cache: 'gradle'
+          cache-dependency-path: |
+            sub-project/*.gradle*
+            sub-project/**/gradle-wrapper.properties
+      - run: |
+          java HelloWorldApp.java

ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml

@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+  poison:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-java@v2
+        with:
+          distribution: 'zulu'
+          java-version: '21'
+      - run: |
+          java HelloWorldApp.java

ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml

@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+  poison:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-go@v2
+        with:
+          go-version-file: 'go.mod'
+          cache: false
+      - run: do some go stuff
+          

ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml

@@ -0,0 +1,17 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+  poison:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-go@v2
+        with:
+          go-version-file: 'go.mod'
+          cache: true
+      - run: do some go stuff
+          

ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml

@@ -0,0 +1,16 @@
+name: Cache Poisoning
+
+on: pull_request_target
+
+jobs:
+  poison:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - uses: actions/setup-go@v2
+        with:
+          go-version-file: 'go.mod'
+      - run: do some go stuff
+          

ql/test/query-tests/Security/CWE-349/CachePoisoning.expected

@@ -0,0 +1,5 @@
+| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test6.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test7.yml:12:9:15:6 | Uses Step | Potential cache poisoning on privileged workflow. |