Improve Env path/var injection queries

Author: Alvaro Muñoz

ql/lib/codeql/actions/Ast.qll

@@ -298,6 +298,8 @@ abstract class Job extends AstNode instanceof JobImpl {
   Strategy getStrategy() { result = super.getStrategy() }
 
   predicate isPrivileged() { super.isPrivileged() }
+
+  string getARunsOnLabel() { result = super.getARunsOnLabel() }
 }
 
 class LocalJob extends Job instanceof LocalJobImpl {
@@ -352,6 +354,8 @@ class ExternalJob extends Job, Uses instanceof ExternalJobImpl { }
 class Run extends Step instanceof RunImpl {
   string getScript() { result = super.getScript() }
 
+  ScalarValue getScriptScalar() { result = super.getScriptScalar() }
+
   Expression getAnScriptExpr() { result = super.getAnScriptExpr() }
 }
 

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -579,10 +579,12 @@ class JobImpl extends AstNodeImpl, TJobNode {
   YamlMapping n;
   string jobId;
   WorkflowImpl workflow;
+  YamlMappingLikeNode runson;
 
   JobImpl() {
     this = TJobNode(n) and
-    workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n
+    workflow.getNode().lookup("jobs").(YamlMapping).lookup(jobId) = n and
+    runson = n.lookup("runs-on").(YamlMappingLikeNode)
   }
 
   override string toString() { result = "Job: " + jobId }
@@ -660,6 +662,19 @@ class JobImpl extends AstNodeImpl, TJobNode {
     // The enclosing workflow is privileged
     this.getEnclosingWorkflow().isPrivileged()
   }
+
+  /** Gets the runs-on field of the job. */
+  string getARunsOnLabel() {
+    exists(string lbl, YamlNode r |
+      (
+        r = runson.getNode(lbl) and
+        not lbl = ["group", "labels"]
+        or
+        r = runson.getNode("labels").(YamlMappingLikeNode).getNode(lbl)
+      ) and
+      result = lbl.trim().regexpReplaceAll("^('|\")", "").regexpReplaceAll("('|\")$", "").trim()
+    )
+  }
 }
 
 class LocalJobImpl extends JobImpl {
@@ -865,6 +880,8 @@ class RunImpl extends StepImpl {
 
   string getScript() { result = script.getValue() }
 
+  ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) }
+
   ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script }
 
   override string toString() {

ql/lib/codeql/actions/controlflow/internal/Cfg.qll

@@ -260,7 +260,11 @@ private class RunTree extends StandardPreOrderTree instanceof Run {
   override ControlFlowTree getChildNode(int i) {
     result =
       rank[i](AstNode child, Location l |
-        (child = super.getInScopeEnvVarExpr(_) or child = super.getAnScriptExpr()) and
+        (
+          child = super.getInScopeEnvVarExpr(_) or
+          child = super.getAnScriptExpr() or
+          child = super.getScriptScalar()
+        ) and
         l = child.getLocation()
       |
         child
@@ -291,3 +295,5 @@ private class InputTree extends LeafTree instanceof Input { }
 private class ScalarValueLeaf extends LeafTree instanceof ScalarValue { }
 
 private class ExpressionLeaf extends LeafTree instanceof Expression { }
+
+predicate test(ScalarValueLeaf f) { any() }

ql/lib/codeql/actions/dataflow/FlowSteps.qll

@@ -33,9 +33,13 @@ class AdditionalTaintStep extends Unit {
 predicate envToRunStep(DataFlow::Node pred, DataFlow::Node succ) {
   exists(Run run, string varName, string value |
     run.getInScopeEnvVarExpr(varName) = pred.asExpr() and
-    Utils::writeToGitHubEnv(run, _, value) and
-    value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0 and
-    succ.asExpr() = run
+    (
+      Utils::writeToGitHubEnv(run, _, value) or
+      Utils::writeToGitHubOutput(run, _, value) or
+      Utils::writeToGitHubPath(run, value)
+    ) and
+    value.matches("%$" + ["", "{", "ENV{"] + varName + "%") and
+    succ.asExpr() = run.getScriptScalar()
   )
 }
 
@@ -85,12 +89,9 @@ predicate artifactToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Da
   exists(Run run, string key, string value, UntrustedArtifactDownloadStep download |
     c = any(DataFlow::FieldContent ct | ct.getName() = key) and
     download.getAFollowingStep() = run and
-    pred.asExpr() = run and
+    pred.asExpr() = run.getScriptScalar() and
     succ.asExpr() = run and
-    (
-      Utils::writeToGitHubOutput(run, key, value) or
-      Utils::writeToGitHubEnv(run, key, value)
-    ) and
+    Utils::writeToGitHubOutput(run, key, value) and
     value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
   )
 }
@@ -99,7 +100,7 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF
   exists(Run run, string key, string value, UntrustedArtifactDownloadStep download |
     c = any(DataFlow::FieldContent ct | ct.getName() = key) and
     download.getAFollowingStep() = run and
-    pred.asExpr() = run and
+    pred.asExpr() = run.getScriptScalar() and
     // we store the taint on the enclosing job since the may not exist an implicit env attribute
     succ.asExpr() = run.getEnclosingJob() and
     Utils::writeToGitHubEnv(run, key, value) and
@@ -110,12 +111,16 @@ predicate artifactToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataF
 /**
  * A download artifact step followed by a step that may use downloaded artifacts.
  */
+predicate artifactDownloadToUseStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(UntrustedArtifactDownloadStep download, Run run |
+    pred.asExpr() = download and
+    succ.asExpr() = run.getScriptScalar() and
+    download.getAFollowingStep() = run
+  )
+}
+
 class ArtifactDownloadToUseTaintStep extends AdditionalTaintStep {
   override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(UntrustedArtifactDownloadStep download, Run run |
-      node1.asExpr() = download and
-      node2.asExpr() = run and
-      download.getAFollowingStep() = run
-    )
+    artifactDownloadToUseStep(node1, node2)
   }
 }

ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll

@@ -61,7 +61,8 @@ class DataFlowExpr extends Cfg::Node {
     this.getAstNode() instanceof Uses or
     this.getAstNode() instanceof Run or
     this.getAstNode() instanceof Outputs or
-    this.getAstNode() instanceof Input
+    this.getAstNode() instanceof Input or
+    this.getAstNode() instanceof ScalarValue
   }
 }
 

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -299,7 +299,12 @@ class EnvVarInjectionRunStep extends PoisonableStep, Run {
 }
 
 class ArtifactPoisoningSink extends DataFlow::Node {
-  ArtifactPoisoningSink() { this.asExpr() instanceof PoisonableStep }
+  ArtifactPoisoningSink() {
+    exists(PoisonableStep step |
+      step.(Run).getScriptScalar() = this.asExpr() or
+      step.(UsesStep) = this.asExpr()
+    )
+  }
 }
 
 /**

ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -5,23 +5,18 @@ import codeql.actions.dataflow.FlowSources
 private import codeql.actions.security.ArtifactPoisoningQuery
 import codeql.actions.DataFlow
 
-predicate envPathInjectionFromExprSink(DataFlow::Node sink) {
-  exists(Expression expr, Run run, string value |
-    Utils::writeToGitHubPath(run, value) and
-    expr = sink.asExpr() and
-    run.getAnScriptExpr() = expr and
-    value.indexOf(expr.getExpression()) > 0
-  )
-}
+abstract class EnvPathInjectionSink extends DataFlow::Node { }
 
-predicate envPathInjectionFromFileSink(DataFlow::Node sink) {
-  exists(Run run, UntrustedArtifactDownloadStep step, string value |
-    sink.asExpr() = run and
-    step.getAFollowingStep() = run and
-    Utils::writeToGitHubPath(run, value) and
-    // TODO: add support for other commands like `<`, `jq`, ...
-    value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
-  )
+class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
+  EnvPathInjectionFromFileReadSink() {
+    exists(Run run, UntrustedArtifactDownloadStep step, string value |
+      this.asExpr() = run.getScriptScalar() and
+      step.getAFollowingStep() = run and
+      Utils::writeToGitHubPath(run, value) and
+      // TODO: add support for other commands like `<`, `jq`, ...
+      value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
+    )
+  }
 }
 
 /**
@@ -32,26 +27,23 @@ predicate envPathInjectionFromFileSink(DataFlow::Node sink) {
  *    run: |
  *      echo "$BODY" >> $GITHUB_PATH
  */
-predicate envPathInjectionFromEnvSink(DataFlow::Node sink) {
-  exists(Run run, Expression expr, string varname, string value |
-    sink.asExpr().getInScopeEnvVarExpr(varname) = expr and
-    run = sink.asExpr() and
-    Utils::writeToGitHubPath(run, value) and
-    (
-      value = ["$" + varname, "${" + varname + "}", "$ENV{" + varname + "}"]
-      or
-      value.matches("$(echo %") and value.indexOf(varname) > 0
+class EnvPathInjectionFromEnvVarSink extends EnvPathInjectionSink {
+  EnvPathInjectionFromEnvVarSink() {
+    exists(Run run, Expression expr, string varname, string value |
+      this.asExpr().getInScopeEnvVarExpr(varname) = expr and
+      run.getScriptScalar() = this.asExpr() and
+      Utils::writeToGitHubPath(run, value) and
+      (
+        value.matches("%$" + ["", "{", "ENV{"] + varname + "%")
+        or
+        value.matches("$(echo %") and value.indexOf(varname) > 0
+      )
     )
-  )
+  }
 }
 
-private class EnvPathInjectionSink extends DataFlow::Node {
-  EnvPathInjectionSink() {
-    envPathInjectionFromExprSink(this) or
-    envPathInjectionFromFileSink(this) or
-    envPathInjectionFromEnvSink(this) or
-    externallyDefinedSink(this, "envpath-injection")
-  }
+class EnvPathInjectionFromMaDSink extends EnvPathInjectionSink {
+  EnvPathInjectionFromMaDSink() { externallyDefinedSink(this, "envpath-injection") }
 }
 
 /**

ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -5,33 +5,43 @@ import codeql.actions.dataflow.FlowSources
 private import codeql.actions.security.ArtifactPoisoningQuery
 import codeql.actions.DataFlow
 
-predicate envVarInjectionFromExprSink(DataFlow::Node sink) {
-  exists(Expression expr, Run run, string key, string value |
-    Utils::writeToGitHubEnv(run, key, value) and
-    expr = sink.asExpr() and
-    run.getAnScriptExpr() = expr and
-    value.indexOf(expr.getExpression()) > 0
-  )
-}
+abstract class EnvVarInjectionSink extends DataFlow::Node { }
 
-predicate envVarInjectionFromFileSink(DataFlow::Node sink) {
-  exists(Run run, UntrustedArtifactDownloadStep step, string value |
-    sink.asExpr() = run and
-    step.getAFollowingStep() = run and
-    Utils::writeToGitHubEnv(run, _, value) and
-    // TODO: add support for other commands like `<`, `jq`, ...
-    value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
-  )
+// predicate envVarInjectionFromEnvVarSink(DataFlow::Node sink) {
+//   exists(Expression expr, Run run, string varName, string key, string value |
+//     expr = run.getInScopeEnvVarExpr(varName) and
+//     Utils::writeToGitHubEnv(run, key, value) and
+//     expr = sink.asExpr() and
+//     value.matches("%$" + ["", "{", "ENV{"] + varName + "%")
+//   )
+// }
+class EnvVarInjectionFromEnvVarSink extends EnvVarInjectionSink {
+  EnvVarInjectionFromEnvVarSink() {
+    exists(Run run, Expression expr, string varname, string key, string value |
+      expr = run.getInScopeEnvVarExpr(varname) and
+      Utils::writeToGitHubEnv(run, key, value) and
+      run.getScriptScalar() = this.asExpr() and
+      value.matches("%$" + ["", "{", "ENV{"] + varname + "%")
+    )
+  }
 }
 
-private class EnvVarInjectionSink extends DataFlow::Node {
-  EnvVarInjectionSink() {
-    envVarInjectionFromExprSink(this) or
-    envVarInjectionFromFileSink(this) or
-    externallyDefinedSink(this, "envvar-injection")
+class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
+  EnvVarInjectionFromFileReadSink() {
+    exists(Run run, UntrustedArtifactDownloadStep step, string value |
+      this.asExpr() = run.getScriptScalar() and
+      step.getAFollowingStep() = run and
+      Utils::writeToGitHubEnv(run, _, value) and
+      // TODO: add support for other commands like `<`, `jq`, ...
+      value.regexpMatch(["\\$\\(", "`"] + ["cat\\s+", "<"] + ".*" + ["`", "\\)"])
+    )
   }
 }
 
+class EnvVarInjectionFromMaDSink extends EnvVarInjectionSink {
+  EnvVarInjectionFromMaDSink() { externallyDefinedSink(this, "envvar-injection") }
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate an environment variable.

ql/lib/qlpack.yml

@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: githubsecuritylab/actions-all
-version: 0.0.17
+version: 0.0.18
 dependencies:
   codeql/util: ^0.2.0
   codeql/yaml: ^0.1.2

ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql

@@ -0,0 +1,47 @@
+/**
+ * @name Pull Request code execution on self-hosted runner
+ * @description Running untrusted code on a public repository's self-hosted runner can lead to the compromise of the runner machine
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/pr-on-self-hosted-runner
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-284
+ */
+
+import actions
+import codeql.actions.dataflow.ExternalFlow
+
+/**
+ * This predicate uses data available in the workflow file to identify self-hosted runners.
+ * It does not know if the repository is public or private.
+ * It is a best-effort approach to identify self-hosted runners.
+ */
+predicate staticallyIdentifiedSelfHostedRunner(Job job) {
+  exists(string label |
+    job.getEnclosingWorkflow().getATriggerEvent() =
+      ["pull_request", "pull_request_review", "pull_request_review_comment", "pull_request_target"] and
+    label = job.getARunsOnLabel() and
+    // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/poutine/utils.rego#L49C3-L49C136
+    not label
+        .regexpMatch("(?i)^((ubuntu-(([0-9]{2})\\.04|latest)|macos-([0-9]{2}|latest)(-x?large)?|windows-(20[0-9]{2}|latest)|(buildjet|warp)-[a-z0-9-]+))$")
+  )
+}
+
+/**
+ * This predicate uses data available in the job log files to identify self-hosted runners.
+ * It is a best-effort approach to identify self-hosted runners.
+ */
+predicate dynamicallyIdentifiedSelfHostedRunner(Job job) {
+  exists(string runner_info |
+    workflowDataModel(job.getEnclosingWorkflow().getLocation().getFile().getRelativePath(),
+      "public", job.getId(), _, _, runner_info) and
+    runner_info.matches("self-hosted:true")
+  )
+}
+
+from Job job
+where staticallyIdentifiedSelfHostedRunner(job) or dynamicallyIdentifiedSelfHostedRunner(job)
+select job, "Job runs on self-hosted runner"