Merge pull request #40 from GitHubSecurityLab/refactor_source_checks

feat(sources): Do not take triggers into consideration

Author: Alvaro Muñoz

ql/lib/codeql/actions/dataflow/ExternalFlow.qll

@@ -8,10 +8,9 @@ private import actions
  *    - action: Fully-qualified action name (NWO)
  *    - version: Either '*' or a specific SHA/Tag
  *    - output arg: To node (prefixed with either `env.` or `output.`)
- *    - trigger: Triggering event under which this model introduces tainted data. Use `*` for any event.
  */
-predicate sourceModel(string action, string version, string output, string trigger, string kind) {
-  Extensions::sourceModel(action, version, output, trigger, kind)
+predicate sourceModel(string action, string version, string output, string kind) {
+  Extensions::sourceModel(action, version, output, kind)
 }
 
 /**
@@ -39,11 +38,9 @@ predicate sinkModel(string action, string version, string input, string kind) {
   Extensions::sinkModel(action, version, input, kind)
 }
 
-predicate externallyDefinedSource(
-  DataFlow::Node source, string sourceType, string fieldName, string trigger
-) {
+predicate externallyDefinedSource(DataFlow::Node source, string sourceType, string fieldName) {
   exists(Uses uses, string action, string version, string kind |
-    sourceModel(action, version, fieldName, trigger, kind) and
+    sourceModel(action, version, fieldName, kind) and
     uses.getCallee() = action.toLowerCase() and
     (
       if version.trim() = "*"

ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -18,8 +18,6 @@ abstract class RemoteFlowSource extends SourceNode {
   /** Gets a string that describes the type of this remote flow source. */
   abstract string getSourceType();
 
-  abstract string getATriggerEvent();
-
   override string getThreatModel() { result = "remote" }
 }
 
@@ -122,47 +120,31 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
 }
 
 private class EventSource extends RemoteFlowSource {
-  string trigger;
-
   EventSource() {
     exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() |
-      trigger = ["issues", "issue_comment"] and isExternalUserControlledIssue(context)
-      or
-      trigger = ["pull_request_target", "pull_request_review", "pull_request_review_comment"] and
-      isExternalUserControlledPullRequest(context)
-      or
-      trigger = ["pull_request_review"] and isExternalUserControlledReview(context)
-      or
-      trigger = ["pull_request_review_comment", "issue_comment", "discussion_comment"] and
-      isExternalUserControlledComment(context)
-      or
-      trigger = ["gollum"] and isExternalUserControlledGollum(context)
-      or
-      trigger = ["push"] and isExternalUserControlledCommit(context)
-      or
-      trigger = ["discussion", "discussion_comment"] and isExternalUserControlledDiscussion(context)
-      or
-      trigger = ["workflow_run"] and isExternalUserControlledWorkflowRun(context)
+      isExternalUserControlledIssue(context) or
+      isExternalUserControlledPullRequest(context) or
+      isExternalUserControlledReview(context) or
+      isExternalUserControlledComment(context) or
+      isExternalUserControlledGollum(context) or
+      isExternalUserControlledCommit(context) or
+      isExternalUserControlledDiscussion(context) or
+      isExternalUserControlledWorkflowRun(context)
     )
   }
 
   override string getSourceType() { result = "User-controlled events" }
-
-  override string getATriggerEvent() { result = trigger }
 }
 
 /**
  * A Source of untrusted data defined in a MaD specification
  */
 private class ExternallyDefinedSource extends RemoteFlowSource {
   string sourceType;
-  string trigger;
 
-  ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _, trigger) }
+  ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) }
 
   override string getSourceType() { result = sourceType }
-
-  override string getATriggerEvent() { result = trigger }
 }
 
 /**
@@ -174,6 +156,4 @@ private class CompositeActionInputSource extends RemoteFlowSource {
   CompositeActionInputSource() { c.getAnInput() = this.asExpr() }
 
   override string getSourceType() { result = "Composite action input" }
-
-  override string getATriggerEvent() { result = "*" }
 }

ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll

@@ -175,7 +175,7 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos =
  */
 predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) {
   exists(Uses astFrom, StepsExpression astTo |
-    externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and
+    externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and
     astFrom = nodeFrom.asExpr() and
     astTo = nodeTo.asExpr() and
     astTo.getTarget() = astFrom
@@ -192,7 +192,7 @@ predicate stepsCtxLocalStep(Node nodeFrom, Node nodeTo) {
  */
 predicate needsCtxLocalStep(Node nodeFrom, Node nodeTo) {
   exists(Uses astFrom, NeedsExpression astTo |
-    externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName(), _) and
+    externallyDefinedSource(nodeFrom, _, "output." + astTo.getFieldName()) and
     astFrom = nodeFrom.asExpr() and
     astTo = nodeTo.asExpr() and
     astTo.getTarget() = astFrom
@@ -232,7 +232,7 @@ predicate envCtxLocalStep(Node nodeFrom, Node nodeTo) {
     astFrom = nodeFrom.asExpr() and
     astTo = nodeTo.asExpr() and
     (
-      externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName(), _) or
+      externallyDefinedSource(nodeFrom, _, "env." + astTo.getFieldName()) or
       astTo.getTarget() = astFrom
     )
   )

ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll

@@ -5,9 +5,7 @@
 /**
  * Holds if a source model exists for the given parameters.
  */
-extensible predicate sourceModel(
-  string action, string version, string output, string trigger, string kind
-);
+extensible predicate sourceModel(string action, string version, string output, string kind);
 
 /**
  * Holds if a summary model exists for the given parameters.

ql/lib/ext/TEST-RW-MODELS.model.yml

@@ -9,7 +9,7 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: sourceModel
     data:
-      - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "*", "Foo"]
+      - ["octo-org/source-repo/.github/workflows/workflow.yml", "*", "output.workflow-output", "Foo"]
   - addsTo:
       pack: githubsecuritylab/actions-all
       extensible: sinkModel

ql/lib/ext/ahmadnassri_action-changed-files.model.yml

@@ -3,5 +3,5 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: sourceModel
     data:
-      - ["ahmadnassri/action-changed-files", "*", "output.files", "pull_request_target", "PR changed files"]
-      - ["ahmadnassri/action-changed-files", "*", "output.json", "pull_request_target", "PR changed files"]
+      - ["ahmadnassri/action-changed-files", "*", "output.files", "PR changed files"]
+      - ["ahmadnassri/action-changed-files", "*", "output.json", "PR changed files"]

ql/lib/ext/amannn_action-semantic-pull-request.model.yml

@@ -3,4 +3,4 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: sourceModel
     data:
-      - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
+      - ["amannn/action-semantic-pull-request", "*", "output.error_message", "PR title"]

ql/lib/ext/cypress-io_github-action.model.yml

@@ -3,4 +3,4 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: sourceModel
     data:
-      - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
+      - ["cypress-io/github-action", "*", "env.GH_BRANCH", "PR branch"]

ql/lib/ext/dawidd6_action-download-artifact.model.yml

@@ -3,4 +3,4 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: sourceModel
     data:
-      - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"]
+      - ["dawidd6/action-download-artifact", "*", "output.artifacts", "Artifact details"]

ql/lib/ext/dorny_paths-filter.model.yml

@@ -3,4 +3,4 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: sourceModel
     data:
-      - ["dorny/paths-filter", "*", "output.changes", "pull_request_target", "PR changed files"]
+      - ["dorny/paths-filter", "*", "output.changes", "PR changed files"]