d /Users/pwntester/src/github.com/github/codeql-actions/ql

Alvaro Muñoz · Alvaro Muñoz · commit fe06c9e5fa18 · 2024-09-24T12:12:09.000+02:00
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -417,8 +417,10 @@ class ReusableWorkflowImpl extends AstNodeImpl, WorkflowImpl {
   override AstNodeImpl getAChildNode() { result.getNode() = n.getAChildNode*() }
 
   override EventImpl getATriggerEvent() {
+    // The trigger event for a reusable workflow is the trigger event of the caller workflow
     this.getACaller().getEnclosingWorkflow().getOn().getAnEvent() = result
     or
+    // or the trigger event of the workflow if it has any other than workflow_call
     this.getOn().getAnEvent() = result and not result.getName() = "workflow_call"
   }
 
@@ -803,8 +805,13 @@ class JobImpl extends AstNodeImpl, TJobNode {
 
   /** Gets the trigger event that starts this workflow. */
   EventImpl getATriggerEvent() {
-    result = this.getEnclosingWorkflow().getATriggerEvent() or
-    result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent()
+    if this.getEnclosingWorkflow() instanceof ReusableWorkflowImpl
+    then
+      result = this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getATriggerEvent()
+      or
+      result = this.getEnclosingWorkflow().getATriggerEvent() and
+      not result.getName() = "workflow_call"
+    else result = this.getEnclosingWorkflow().getATriggerEvent()
   }
 
   /** Gets the runs-on field of the job. */
@@ -844,9 +851,8 @@ class JobImpl extends AstNodeImpl, TJobNode {
     )
   }
 
-  private predicate hasExplicitWritePermission() {
-    // the job has an explicit write permission
-    this.getPermissions().getAPermission().matches("%write")
+  private predicate hasExplicitNonePermission() {
+    exists(this.getPermissions()) and not exists(this.getPermissions().getAPermission())
   }
 
   private predicate hasExplicitReadPermission() {
@@ -855,15 +861,57 @@ class JobImpl extends AstNodeImpl, TJobNode {
     not this.getPermissions().getAPermission().matches("%write")
   }
 
-  private predicate hasImplicitWritePermission() {
+  private predicate hasExplicitWritePermission() {
     // the job has an explicit write permission
-    this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
+    this.getPermissions().getAPermission().matches("%write")
+  }
+
+  private predicate hasImplicitNonePermission() {
+    not exists(this.getPermissions()) and
+    exists(this.getEnclosingWorkflow().getPermissions()) and
+    not exists(this.getEnclosingWorkflow().getPermissions().getAPermission())
+    or
+    not exists(this.getPermissions()) and
+    not exists(this.getEnclosingWorkflow().getPermissions()) and
+    exists(this.getEnclosingWorkflow().(ReusableWorkflowImpl).getACaller().getPermissions()) and
+    not exists(
+      this.getEnclosingWorkflow()
+          .(ReusableWorkflowImpl)
+          .getACaller()
+          .getPermissions()
+          .getAPermission()
+    )
   }
 
   private predicate hasImplicitReadPermission() {
     // the job has not an explicit write permission
+    not exists(this.getPermissions()) and
     exists(this.getEnclosingWorkflow().getPermissions().getAPermission()) and
     not this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
+    or
+    not exists(this.getPermissions()) and
+    not exists(this.getEnclosingWorkflow().getPermissions()) and
+    this.getEnclosingWorkflow()
+        .(ReusableWorkflowImpl)
+        .getACaller()
+        .getPermissions()
+        .getAPermission()
+        .matches("%read")
+  }
+
+  private predicate hasImplicitWritePermission() {
+    // the job has an explicit write permission
+    not exists(this.getPermissions()) and
+    this.getEnclosingWorkflow().getPermissions().getAPermission().matches("%write")
+    or
+    not exists(this.getPermissions()) and
+    not exists(this.getEnclosingWorkflow().getPermissions()) and
+    this.getEnclosingWorkflow()
+        .(ReusableWorkflowImpl)
+        .getACaller()
+        .getPermissions()
+        .getAPermission()
+        .matches("%write")
   }
 
   private predicate hasRuntimeData() {
@@ -922,6 +970,8 @@ class JobImpl extends AstNodeImpl, TJobNode {
         // and the job is not explicitly non-privileged
         not (
           (
+            this.hasExplicitNonePermission() or
+            this.hasImplicitNonePermission() or
             this.hasExplicitReadPermission() or
             this.hasImplicitReadPermission()
           ) and
diff --git a/ql/lib/codeql/actions/security/ControlChecks.qll b/ql/lib/codeql/actions/security/ControlChecks.qll
@@ -38,7 +38,7 @@ abstract class ControlCheck extends AstNode {
   }
 
   predicate protects(Step step, Event event, string category) {
-    event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and
+    event = step.getEnclosingWorkflow().getATriggerEvent() and
     this.dominates(step) and
     this.protectsCategoryAndEvent(category, event.getName())
   }
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql b/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -20,39 +20,28 @@ import codeql.actions.security.ControlChecks
 
 query predicate edges(Step a, Step b) { a.getNextStep() = b }
 
-from PRHeadCheckoutStep checkout, PoisonableStep step
+from PRHeadCheckoutStep checkout, PoisonableStep step, Event event
 where
   // the checkout is followed by a known poisonable step
   checkout.getAFollowingStep() = step and
   // the checkout occurs in a privileged context
   inPrivilegedContext(checkout) and
+  event = checkout.getEnclosingJob().getATriggerEvent() and
   (
     // issue_comment: check for date comparison checks and actor/access control checks
-    exists(Event event |
-      event = checkout.getEnclosingJob().getATriggerEvent() and
+    event.getName() = "issue_comment" and
+    not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
       (
-        event.getName() = "issue_comment"
-        or
-        event.getName() = "workflow_call" and
-        checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() =
-          "issue_comment"
+        check instanceof ActorCheck or
+        check instanceof AssociationCheck or
+        check instanceof PermissionCheck
       ) and
-      not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
-        (
-          check instanceof ActorCheck or
-          check instanceof AssociationCheck or
-          check instanceof PermissionCheck
-        ) and
-        check.dominates(checkout) and
-        date_check.dominates(checkout)
-      )
+      check.dominates(checkout) and
+      date_check.dominates(checkout)
     )
     or
     // not issue_comment triggered workflows
-    exists(Event event |
-      not event.getName() = "issue_comment" and
-      event = checkout.getEnclosingJob().getATriggerEvent() and
-      not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
-    )
+    not event.getName() = "issue_comment" and
+    not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
   )
 select step, checkout, step, "Execution of untrusted code on a privileged workflow."
diff --git a/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql b/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
@@ -18,39 +18,28 @@ import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 import codeql.actions.security.ControlChecks
 
-from PRHeadCheckoutStep checkout
+from PRHeadCheckoutStep checkout, Event event
 where
   // the checkout is NOT followed by a known poisonable step
   not checkout.getAFollowingStep() instanceof PoisonableStep and
   // the checkout occurs in a privileged context
   inPrivilegedContext(checkout) and
+  event = checkout.getEnclosingJob().getATriggerEvent() and
   (
     // issue_comment: check for date comparison checks and actor/access control checks
-    exists(Event event |
-      event = checkout.getEnclosingJob().getATriggerEvent() and
+    event.getName() = "issue_comment" and
+    not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
       (
-        event.getName() = "issue_comment"
-        or
-        event.getName() = "workflow_call" and
-        checkout.getEnclosingWorkflow().(ReusableWorkflow).getACaller().getATriggerEvent().getName() =
-          "issue_comment"
+        check instanceof ActorCheck or
+        check instanceof AssociationCheck or
+        check instanceof PermissionCheck
       ) and
-      not exists(ControlCheck check, CommentVsHeadDateCheck date_check |
-        (
-          check instanceof ActorCheck or
-          check instanceof AssociationCheck or
-          check instanceof PermissionCheck
-        ) and
-        check.dominates(checkout) and
-        date_check.dominates(checkout)
-      )
+      check.dominates(checkout) and
+      date_check.dominates(checkout)
     )
     or
     // not issue_comment triggered workflows
-    exists(Event event |
-      not event.getName() = "issue_comment" and
-      event = checkout.getEnclosingJob().getATriggerEvent() and
-      not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
-    )
+    not event.getName() = "issue_comment" and
+    not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
   )
 select checkout, "Potential execution of untrusted code on a privileged workflow."
diff --git a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
@@ -2,7 +2,7 @@ name: Documentation
 
 on:
   workflow_dispatch:
-  workflow_call:
+  pull_request:
 
 jobs:
   parse_commit_info:
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionCritical.expected
@@ -1,8 +1,6 @@
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
-| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 subpaths
 #select
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} |
-| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
diff --git a/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected b/ql/test/query-tests/Security/CWE-078/CommandInjectionMedium.expected
@@ -1,6 +1,5 @@
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
-| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 subpaths
 #select
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-1.yml
@@ -1,11 +1,11 @@
 name: Caller
 
 on:
-  issue_comment:
+  pull_request_target:
 
 jobs:
   test:
     permissions: {}
     uses: ./.github/workflows/reusable-workflow-1.yml
     with:
-      taint: ${{ github.event.comment.body }}
+      taint: ${{ github.event.pull_request.title }}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/reusable-workflow-caller-2.yml
@@ -1,10 +1,10 @@
 name: Caller
 
 on:
-  issue_comment:
+  pull_request_target:
 
 jobs:
   test:
     uses: ./.github/workflows/reusable-workflow-2.yml
     with:
-      taint: ${{ github.event.comment.body }}
+      taint: ${{ github.event.pull_request.title }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -70,8 +70,8 @@ edges
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | provenance |  |
 | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | provenance |  |
 | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | provenance |  |
-| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance |  |
-| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance |  |
+| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | provenance |  |
+| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:6:7:6:11 | input taint | provenance |  |
 | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | provenance |  |
 | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | provenance |  |
@@ -287,8 +287,8 @@ nodes
 | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | semmle.label | env.log |
-| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | semmle.label | github.event.comment.body |
-| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
+| .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value |
 | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] |
@@ -451,9 +451,7 @@ subpaths
 | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:14:19:14:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} |
 | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:15:19:15:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
 | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:16:19:16:40 | github.head_ref | ${{ github.head_ref }} |
-| .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:46 | github.event.comment.body | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
-| .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
-| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:46 | github.event.comment.body | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
+| .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-2.yml:10:15:10:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
 | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-2.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-2.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} |
 | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml b/ql/test/query-tests/Security/CWE-829/.github/workflows/reusable_caller3.yaml
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ abstract class ControlCheck extends AstNode {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`predicate protects(Step step, Event event, string category) {`
`41`		`- event.getEnclosingWorkflow() = step.getEnclosingWorkflow() and`
	`41`	`+ event = step.getEnclosingWorkflow().getATriggerEvent() and`
`42`	`42`	`this.dominates(step) and`
`43`	`43`	`this.protectsCategoryAndEvent(category, event.getName())`
`44`	`44`	`}`