Merge pull request #34 from GitHubSecurityLab/refactor_queries

Refactor queries

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -0,0 +1,25 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+class CodeInjectionSink extends DataFlow::Node {
+  CodeInjectionSink() {
+    exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
+    externallyDefinedSink(this, "code-injection")
+  }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a code script.
+ */
+private module CodeInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;

ql/lib/codeql/actions/security/CommandInjectionQuery.qll

@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+  CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a system command.
+ */
+private module CommandInjectionConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
+module CommandInjectionFlow = TaintTracking::Global<CommandInjectionConfig>;

ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -0,0 +1,22 @@
+private import actions
+private import codeql.actions.TaintTracking
+private import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.DataFlow
+
+private class RequestForgerySink extends DataFlow::Node {
+  RequestForgerySink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+/**
+ * A taint-tracking configuration for unsafe user input
+ * that is used to construct and evaluate a system command.
+ */
+private module RequestForgeryConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
+module RequestForgeryFlow = TaintTracking::Global<RequestForgeryConfig>;

ql/lib/ext/TEST-RW-MODELS.model.yml

@@ -14,4 +14,4 @@ extensions:
       pack: githubsecuritylab/actions-all
       extensible: sinkModel
     data:
-      - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "expression-injection"]
+      - ["octo-org/sink-repo/.github/workflows/workflow.yml", "*", "input.config-path", "code-injection"]

ql/src/Security/CWE-020/CompositeActionsSinks.ql

@@ -12,24 +12,16 @@
  */
 
 import actions
-import codeql.actions.DataFlow
+import codeql.actions.security.CodeInjectionQuery
 import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
-private class ExpressionInjectionSink extends DataFlow::Node {
-  ExpressionInjectionSink() {
-    exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
-    externallyDefinedSink(this, "expression-injection")
-  }
-}
-
 private module MyConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     exists(CompositeAction c | c.getAnInput() = source.asExpr())
   }
 
-  predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

ql/src/Security/CWE-020/ReusableWorkflowsSinks.ql

@@ -12,24 +12,16 @@
  */
 
 import actions
-import codeql.actions.DataFlow
+import codeql.actions.security.CodeInjectionQuery
 import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
 import codeql.actions.dataflow.ExternalFlow
 
-private class ExpressionInjectionSink extends DataFlow::Node {
-  ExpressionInjectionSink() {
-    exists(Run e | e.getAnScriptExpr() = this.asExpr()) or
-    externallyDefinedSink(this, "expression-injection")
-  }
-}
-
 private module MyConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     exists(ReusableWorkflow w | w.getAnInput() = source.asExpr())
   }
 
-  predicate isSink(DataFlow::Node sink) { sink instanceof ExpressionInjectionSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

ql/src/Security/CWE-078/CommandInjection.ql

@@ -13,27 +13,11 @@
  */
 
 import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.security.CommandInjectionQuery
+import CommandInjectionFlow::PathGraph
 
-private class CommandInjectionSink extends DataFlow::Node {
-  CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global<MyConfig>;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
+from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink
+where CommandInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Potential command injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-078/CriticalCommandInjection.ql

@@ -0,0 +1,29 @@
+/**
+ * @name Command built from user-controlled sources on a privileged context
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ *              malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/privileged-command-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.security.CommandInjectionQuery
+import CommandInjectionFlow::PathGraph
+
+from CommandInjectionFlow::PathNode source, CommandInjectionFlow::PathNode sink, Workflow w
+where
+  CommandInjectionFlow::flowPath(source, sink) and
+  w = source.getNode().asExpr().getEnclosingWorkflow() and
+  (
+    w instanceof ReusableWorkflow or
+    w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+  )
+select sink.getNode(), source, sink,
+  "Potential privileged command injection in $@, which may be controlled by an external user.",
+  sink, sink.getNode().asExpr().(Expression).getRawExpression()

ql/src/Security/CWE-078/PrivilegedCommandInjection.ql

@@ -15,27 +15,11 @@
  */
 
 import actions
-import codeql.actions.DataFlow
-import codeql.actions.TaintTracking
-import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.ExternalFlow
+import codeql.actions.security.CodeInjectionQuery
+import CodeInjectionFlow::PathGraph
 
-private class CodeInjectionSink extends DataFlow::Node {
-  CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
-}
-
-private module MyConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
-}
-
-module MyFlow = TaintTracking::Global<MyConfig>;
-
-import MyFlow::PathGraph
-
-from MyFlow::PathNode source, MyFlow::PathNode sink
-where MyFlow::flowPath(source, sink)
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
+where CodeInjectionFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()