Consider a Reusable Workflow privileged if a caller is

Author: Alvaro Muñoz

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -2,6 +2,7 @@ private import codeql.actions.ast.internal.Yaml
 private import codeql.Locations
 private import codeql.actions.Helper
 private import codeql.actions.config.Config
+private import codeql.actions.DataFlow
 
 /**
  * Gets the length of each line in the StringValue .
@@ -433,7 +434,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl {
   }
 
   ExternalJobImpl getACaller() {
-    result.getCallee() = this.getLocation().getFile().getRelativePath()
+    exists(DataFlow::CallNode call |
+      call.getCalleeNode() = this and
+      result = call.getCfgNode().getAstNode()
+    )
   }
 }
 

ql/lib/codeql/actions/dataflow/internal/DataFlowPublic.qll

@@ -72,7 +72,7 @@ class CallNode extends ExprNode {
 
   CallNode() { this.getCfgNode() instanceof DataFlowCall }
 
-  string getCallee() { result = this.getCfgNode().(DataFlowCall).getName() }
+  DataFlowCallable getCalleeNode() { result = viableCallable(this.getCfgNode()) }
 }
 
 /**

ql/test/library-tests/test.expected

@@ -414,6 +414,10 @@ subpaths
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
+| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
+| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
+| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
+| .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} |
 | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:57:34:57:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:147:34:147:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |

ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -0,0 +1,70 @@
+name: Test Formalities
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Test Formalities
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Determine branch name
+        run: |
+          BRANCH="${GITHUB_BASE_REF#refs/heads/}"
+          echo "Building for $BRANCH"
+          echo "BRANCH=$BRANCH" >> $GITHUB_ENV
+
+      - name: Test formalities
+        run: |
+          source .github/workflows/scripts/ci_helpers.sh
+
+          RET=0
+          for commit in $(git rev-list HEAD ^origin/$BRANCH); do
+            info "=== Checking commit '$commit'"
+            if git show --format='%P' -s $commit | grep -qF ' '; then
+              err "Pull request should not include merge commits"
+              RET=1
+            fi
+
+            author="$(git show -s --format=%aN $commit)"
+            if echo $author | grep -q '\S\+\s\+\S\+'; then
+              success "Author name ($author) seems ok"
+            else
+              err "Author name ($author) need to be your real name 'firstname lastname'"
+              RET=1
+            fi
+
+            subject="$(git show -s --format=%s $commit)"
+            if echo "$subject" | grep -q -e '^[0-9A-Za-z,+/_\.-]\+: ' -e '^Revert '; then
+              success "Commit subject line seems ok ($subject)"
+            else
+              err "Commit subject line MUST start with '<area>: ' ($subject)"
+              RET=1
+            fi
+
+            body="$(git show -s --format=%b $commit)"
+            sob="$(git show -s --format='Signed-off-by: %aN <%aE>' $commit)"
+            if echo "$body" | grep -qF "$sob"; then
+              success "Signed-off-by match author"
+            else
+              err "Signed-off-by is missing or doesn't match author (should be '$sob')"
+              RET=1
+            fi
+
+            if echo "$body" | grep -v "Signed-off-by:"; then
+              success "A commit message exists"
+            else
+              err "Missing commit message. Please describe your changes"
+              RET=1
+            fi
+          done
+
+          exit $RET

ql/test/query-tests/Security/CWE-829/.github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml

@@ -0,0 +1,12 @@
+name: Test Formalities
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    name: Test Formalities
+    uses: TestOrg/TestRepo/.github/workflows/formal.yml@main

ql/test/query-tests/Security/CWE-829/.github/workflows/formal.yml

@@ -1,6 +1,8 @@
 edges
 | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step |
 | .github/actions/dangerous-git-checkout/action.yml:11:7:12:18 | Run Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -1,3 +1,4 @@
+| .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/artifactpoisoning82.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |