Merge branch 'master' of https://github.com/github/codeql-actions

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -227,17 +227,46 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run {
 }
 
 /** An If node that contains an actor, user or label check */
-class ControlCheck extends If {
-  ControlCheck() {
+abstract class ControlCheck extends If { }
+
+class LabelControlCheck extends ControlCheck {
+  LabelControlCheck() {
+    // eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
+    // eg: github.event.label.name == 'safe to test'
+    exists(
+      Utils::normalizeExpr(this.getCondition())
+          .regexpFind([
+              "\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b"
+            ], _, _)
+    )
+  }
+}
+
+class ActorControlCheck extends ControlCheck {
+  ActorControlCheck() {
+    // eg: contains(github.actor, 'dependabot')
+    // eg: github.triggering_actor != 'CI Agent'
+    // eg: github.event.pull_request.user.login == 'mybot'
+    exists(
+      Utils::normalizeExpr(this.getCondition())
+          .regexpFind([
+              "\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",
+              "\\bgithub\\.event\\.comment\\.user\\.login\\b",
+              "\\bgithub\\.event\\.pull_request\\.user\\.login\\b",
+            ], _, _)
+    )
+  }
+}
+
+class AssociationControlCheck extends ControlCheck {
+  AssociationControlCheck() {
+    // eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
     exists(
       Utils::normalizeExpr(this.getCondition())
           .regexpFind([
-              "\\bgithub\\.actor\\b", // actor
-              "\\bgithub\\.triggering_actor\\b", // actor
-              "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user
-              "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
-              "\\bgithub\\.event\\.pull_request\\.labels\\b", // label
-              "\\bgithub\\.event\\.label\\.name\\b" // label
+              "\\bgithub\\.event\\.comment\\.author_association\\b",
+              "\\bgithub\\.event\\.issue\\.author_association\\b",
+              "\\bgithub\\.event\\.pull_request\\.author_association\\b",
             ], _, _)
     )
   }

ql/lib/ext/peter-murray_issue-body-parser-action.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sourceModel
+    data:
+      - ["peter-murray/issue-body-parser-action", "*", "output.*", "text", "manual"]

ql/src/Security/CWE-285/ImproperAccessControl.ql

@@ -0,0 +1,30 @@
+/**
+ * @name Improper Access Control
+ * @description The access control mechanism is not properly implemented, allowing untrusted code to be executed in a privileged context.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/improper-access-control
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-285
+ */
+
+import codeql.actions.security.UntrustedCheckoutQuery
+
+from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event
+where
+  job = checkout.getEnclosingJob() and
+  job.isPrivileged() and
+  job.getATriggerEvent() = event and
+  event.getName() = "pull_request_target" and
+  event.getAnActivityType() = "synchronize" and
+  job.getAStep() = checkout and
+  (
+    checkout.getIf() = check
+    or
+    checkout.getEnclosingJob().getIf() = check
+  )
+select checkout, "The checked-out code can be changed after the authorization check o step $@.",
+  check, check.toString()

ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Untrusted Checkout TOCTOU
+ * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/untrusted-checkout-toctou/critical
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-367
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from ControlCheck check, MutableRefCheckoutStep checkout
+where
+  // the mutable checkout step is protected by an access check
+  check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
+  // the checked-out code may lead to arbitrary code execution
+  checkout.getAFollowingStep() instanceof PoisonableStep
+select checkout, "The checked-out code can be changed after the authorization check o step $@.",
+  check, check.toString()

ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Untrusted Checkout TOCTOU
+ * @description Untrusted Checkout is protected by a security check but the checked-out branch can be changed after the check.
+ * @kind problem
+ * @problem.severity warning
+ * @precision medium
+ * @security-severity 5.3
+ * @id actions/untrusted-checkout-toctou/high
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-367
+ */
+
+import actions
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.PoisonableSteps
+
+from ControlCheck check, MutableRefCheckoutStep checkout
+where
+  // the mutable checkout step is protected by an access check
+  check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
+  // there are no evidences that the  checked-out code can lead to arbitrary code execution
+  not checkout.getAFollowingStep() instanceof PoisonableStep
+select checkout, "The checked-out code can be changed after the authorization check o step $@.",
+  check, check.toString()

ql/test/library-tests/test.expected

@@ -464,6 +464,7 @@ sources
 | jitterbit/get-changed-files | * | output.renamed | filename | manual |
 | khan/pull-request-comment-trigger | * | output.comment_body | text | manual |
 | marocchino/on_artifact | * | output.* | artifact | manual |
+| peter-murray/issue-body-parser-action | * | output.* | text | manual |
 | puppeteer/puppeteer/.github/workflows/changed-packages.yml | * | output.changes | filename | manual |
 | redhat-plumbers-in-action/download-artifact | * | output.* | artifact | manual |
 | tj-actions/branch-names | * | output.current_branch | branch | manual |

ql/test/query-tests/Security/CWE-094/.github/workflows/test3.yml

@@ -0,0 +1,61 @@
+name: Approve or Deny Marketplace Action Request
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  parse-issue:
+    runs-on: self-hosted
+    outputs:
+      payload: ${{ steps.issue_body_parser_request.outputs.payload }}
+    steps:
+      - name: Get JSON Data out of Issue Request
+        uses: peter-murray/issue-body-parser-action@v2
+        id: issue_body_parser_request
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          issue_id: ${{ github.event.issue.number }}
+          payload_marker: request
+          fail_on_missing: false
+  approve-or-deny-request:
+    runs-on: self-hosted
+    needs: parse-issue
+    if: needs.parse-issue.outputs.payload != 'NOT_FOUND'
+    steps:
+    - name: Lookup the latest release of ${{ fromJson(needs.parse-issue.outputs.payload).owner }}/${{ fromJson(needs.parse-issue.outputs.payload).repo }}
+      id: get_version
+      env:
+        OWNER: ${{ fromJson(needs.parse-issue.outputs.payload).owner }}
+        REPO: ${{ fromJson(needs.parse-issue.outputs.payload).repo }}
+        REQUEST_VERSION: ${{ fromJson(needs.parse-issue.outputs.payload).version }}
+      run: |
+        if [ $REQUEST_VERSION == 'latest' ]; then
+          echo "Finding latest release of $OWNER/$REPO..."
+          export VERSION=`curl https://api.github.com/repos/$OWNER/$REPO/releases/latest | jq -r .name`
+        else
+          export VERSION=$REQUEST_VERSION
+        fi
+        echo "VERSION: $VERSION"
+        echo "version=$VERSION" >> $GITHUB_OUTPUT
+    - name: Check out scripts
+      uses: actions/checkout@v3
+    - name: Setup Node
+      uses: actions/setup-node@v3
+      with:
+        node-version: '14'
+        check-latest: true
+    - name: Install dependencies
+      run: |
+        cd .github/scripts
+        npm install
+    - name: Approve or deny request
+      uses: actions/github-script@main
+      env:
+        VERSION: ${{ steps.get_version.outputs.version }}
+      with:
+        debug: true
+        script: |
+          const options = { token: '${{ secrets.TOKEN }}', adminOpsOrg: '${{ vars.ADMIN_OPS_ORG }}', actionsApprovedOrg: '${{ vars.ACTIONS_APPROVED_ORG }}', actionsApproverTeam: '${{ vars.ACTIONS_APPROVERS_TEAM }}', baseUrl: '${{ github.api_url }}', version: process.env.VERSION };
+          const payload = ${{ needs.parse-issue.outputs.payload }}
+          await require('./.github/scripts/approve-or-deny-request.js')({github, context, payload, options});

ql/test/query-tests/Security/CWE-094/CodeInjection.expected

@@ -59,6 +59,9 @@ edges
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY |
 | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files |
 | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
@@ -222,6 +225,10 @@ nodes
 | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files |
 | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 |
 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
+| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |

ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected

@@ -59,6 +59,9 @@ edges
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY |
 | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files |
 | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | .github/workflows/test.yml:20:18:20:48 | steps.step0.outputs.value |
@@ -222,6 +225,10 @@ nodes
 | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | semmle.label | steps.changed.outputs.locale_files |
 | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | semmle.label | Uses Step: changed2 |
 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | semmle.label | steps.changed2.outputs.locale_files |
+| .github/workflows/test3.yml:11:7:12:4 | Job outputs node [payload] | semmle.label | Job outputs node [payload] |
+| .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
+| .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
+| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -333,6 +340,7 @@ subpaths
 | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:25:20:25:39 | env.ISSUE_KEY | ${{ env.ISSUE_KEY }} |
 | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} |
 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} |
+| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} |
 | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
 | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |

ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml

@@ -0,0 +1,20 @@
+name: Pull request feedback
+
+on:
+  pull_request_target:
+    types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+  test:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repo for OWNER TEST
+      uses: actions/checkout@v3
+      if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+    - run: ./cmd