Remove caching actions that cache files outside of the CWD

Alvaro Muñoz · Alvaro Muñoz · commit fbc2e1e7e807 · 2024-08-06T10:47:12.000+02:00
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -51,87 +51,13 @@ abstract class CacheWritingStep extends Step {
 class CacheActionUsesStep extends CacheWritingStep, UsesStep {
   CacheActionUsesStep() { this.getCallee() = "actions/cache" }
 
-  override string getPath() {
-    if exists(this.(UsesStep).getArgument("path"))
-    then result = this.(UsesStep).getArgument("path").splitAt("\n")
-    else result = "?"
-  }
+  override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
 }
 
 class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
   CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
 
-  override string getPath() {
-    if exists(this.(UsesStep).getArgument("path"))
-    then result = this.(UsesStep).getArgument("path").splitAt("\n")
-    else result = "?"
-  }
-}
-
-class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
-  SetupJavaUsesStep() {
-    this.getCallee() = "actions/setup-java" and
-    (
-      exists(this.getArgument("cache")) or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
-
-  // TODO: Try to get the actual path being cached
-  override string getPath() { result = "?" }
-}
-
-class SetupGoUsesStep extends CacheWritingStep, UsesStep {
-  SetupGoUsesStep() {
-    this.getCallee() = "actions/setup-go" and
-    (
-      not exists(this.getArgument("cache"))
-      or
-      this.getArgument("cache") = "true"
-    )
-  }
-
-  // TODO: Try to get the actual path being cached
-  override string getPath() { result = "?" }
-}
-
-class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
-  SetupNodeUsesStep() {
-    this.getCallee() = "actions/setup-node" and
-    (
-      exists(this.getArgument("cache")) or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
-
-  // TODO: Try to get the actual path being cached
-  override string getPath() { result = "?" }
-}
-
-class SetupPythonUsesStep extends CacheWritingStep, UsesStep {
-  SetupPythonUsesStep() {
-    this.getCallee() = "actions/setup-python" and
-    (
-      exists(this.getArgument("cache")) or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
-
-  // TODO: Try to get the actual path being cached
-  override string getPath() { result = "?" }
-}
-
-class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
-  SetupDotnetUsesStep() {
-    this.getCallee() = "actions/setup-dotnet" and
-    (
-      this.getArgument("cache") = "true" or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
-
-  // TODO: Try to get the actual path being cached
-  override string getPath() { result = "?" }
+  override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
 }
 
 class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
@@ -140,6 +66,5 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
     this.getArgument("bundler-cache") = "true"
   }
 
-  // TODO: Try to get the actual path being cached
-  override string getPath() { result = "?" }
+  override string getPath() { result = "vendor/bundle" }
 }
