Initial implementation

Author: Alvaro Muñoz

build-dbs.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+rm -rf ql/src/test-db || true
+rm -rf ql/lib/test-db || true
+codeql database create ql/src/test-db -l yaml -s ql/src/test
+codeql database create ql/lib/test-db -l yaml -s ql/lib/test

codeql-workspace.yml

@@ -0,0 +1,3 @@
+provide:
+  - "**/ql/src/qlpack.yml"
+  - "**/ql/lib/qlpack.yml"

ql/lib/actions.qll

@@ -0,0 +1 @@
+import codeql.actions.Ast

ql/lib/codeql-pack.lock.yml

@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/controlflow:
+    version: 0.1.7
+  codeql/dataflow:
+    version: 0.1.7
+  codeql/ssa:
+    version: 0.2.7
+  codeql/typetracking:
+    version: 0.2.7
+  codeql/util:
+    version: 0.2.7
+  codeql/yaml:
+    version: 0.2.7
+compiled: false

ql/lib/codeql/Locations.qll

@@ -0,0 +1,71 @@
+/** Provides classes for working with locations. */
+
+import files.FileSystem
+
+bindingset[loc]
+pragma[inline_late]
+private string locationToString(Location loc) {
+  exists(string filepath, int startline, int startcolumn, int endline, int endcolumn |
+    loc.hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn) and
+    result = filepath + "@" + startline + ":" + startcolumn + ":" + endline + ":" + endcolumn
+  )
+}
+
+/**
+ * A location as given by a file, a start line, a start column,
+ * an end line, and an end column.
+ *
+ * For more information about locations see [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+ */
+class Location extends @location_default {
+  /** Gets the file for this location. */
+  File getFile() { locations_default(this, result, _, _, _, _) }
+
+  /** Gets the 1-based line number (inclusive) where this location starts. */
+  int getStartLine() { locations_default(this, _, result, _, _, _) }
+
+  /** Gets the 1-based column number (inclusive) where this location starts. */
+  int getStartColumn() { locations_default(this, _, _, result, _, _) }
+
+  /** Gets the 1-based line number (inclusive) where this location ends. */
+  int getEndLine() { locations_default(this, _, _, _, result, _) }
+
+  /** Gets the 1-based column number (inclusive) where this location ends. */
+  int getEndColumn() { locations_default(this, _, _, _, _, result) }
+
+  /** Gets the number of lines covered by this location. */
+  int getNumLines() { result = this.getEndLine() - this.getStartLine() + 1 }
+
+  /** Gets a textual representation of this element. */
+  pragma[inline]
+  string toString() { result = locationToString(this) }
+
+  /**
+   * Holds if this element is at the specified location.
+   * The location spans column `startcolumn` of line `startline` to
+   * column `endcolumn` of line `endline` in file `filepath`.
+   * For more information, see
+   * [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
+   */
+  predicate hasLocationInfo(
+    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  ) {
+    exists(File f |
+      locations_default(this, f, startline, startcolumn, endline, endcolumn) and
+      filepath = f.getAbsolutePath()
+    )
+  }
+
+  /** Holds if this location starts strictly before the specified location. */
+  pragma[inline]
+  predicate strictlyBefore(Location other) {
+    this.getStartLine() < other.getStartLine()
+    or
+    this.getStartLine() = other.getStartLine() and this.getStartColumn() < other.getStartColumn()
+  }
+}
+
+/** An entity representing an empty location. */
+class EmptyLocation extends Location {
+  EmptyLocation() { this.hasLocationInfo("", 0, 0, 0, 0) }
+}

ql/lib/codeql/actions/Ast.qll

@@ -0,0 +1,256 @@
+private import codeql.actions.ast.internal.Actions
+private import codeql.Locations
+
+class AstNode instanceof YamlNode {
+  AstNode getParentNode() {
+    if exists(YamlMapping m | m.maps(_, this))
+    then exists(YamlMapping m | m.maps(result, this))
+    else result = super.getParentNode()
+  }
+
+  AstNode getAChildNode() {
+    if this instanceof YamlMapping
+    then this.(YamlMapping).maps(result, _)
+    else
+      if this instanceof YamlCollection
+      then result = super.getChildNode(_)
+      else
+        if this instanceof YamlScalar and exists(YamlMapping m | m.maps(this, _))
+        then exists(YamlMapping m | m.maps(this, result))
+        else none()
+  }
+
+  AstNode getChildNodeByOrder(int i) {
+    result =
+      rank[i](Expression child, Location l |
+        child = this.getAChildNode() and
+        child.getLocation() = l
+      |
+        child
+        order by
+          l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+      )
+  }
+
+  string toString() { result = super.toString() }
+
+  string getAPrimaryQlClass() { result = super.getAPrimaryQlClass() }
+
+  Location getLocation() { result = super.getLocation() }
+}
+
+class Statement extends AstNode {
+  // narrow down to something that is a statement
+  // A statement is a group of expressions and/or statements that you design to carry out a task or an action.
+  // Any statement that can return a value is automatically qualified to be used as an expression.
+}
+
+class Expression extends Statement {
+  // narrow down to something that is an expression
+  // An expression is any word or group of words or symbols that is a value. In programming, an expression is a value, or anything that executes and ends up being a value.
+}
+
+/**
+ * A Job is a collection of steps that run in an execution environment.
+ */
+class JobStmt extends Statement instanceof Actions::Job {
+  /**
+   * Gets the ID of this job, as a string.
+   * This is the job's key within the `jobs` mapping.
+   */
+  string getId() { result = super.getId() }
+
+  /** Gets the human-readable name of this job, if any, as a string. */
+  string getName() {
+    result = super.getId()
+    or
+    not exists(string s | s = super.getId()) and result = "unknown"
+  }
+
+  /** Gets the step at the given index within this job. */
+  StepStmt getStep(int index) { result = super.getStep(index) }
+
+  /** Gets any steps that are defined within this job. */
+  StepStmt getAStep() { result = super.getStep(_) }
+
+  JobStmt getNeededJob() {
+    exists(Actions::Needs needs |
+      needs.getJob() = this and
+      result = needs.getANeededJob().(JobStmt)
+    )
+  }
+
+  Expression getJobOutputExpr(string varName) {
+    this.(Actions::Job)
+        .lookup("outputs")
+        .(YamlMapping)
+        .maps(any(YamlScalar a | a.getValue() = varName), result)
+  }
+
+  JobOutputStmt getJobOutputStmt() { result = this.(Actions::Job).lookup("outputs") }
+
+  Statement getSuccNode(int i) {
+    result =
+      rank[i](Expression child, Location l |
+        (child = this.getAStep() or child = this.getJobOutputStmt()) and
+        l = child.getLocation()
+      |
+        child
+        order by
+          l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+      )
+  }
+}
+
+class JobOutputStmt extends Statement instanceof YamlMapping {
+  JobStmt job;
+
+  JobOutputStmt() { job.(YamlMapping).lookup("outputs") = this }
+
+  StepOutputAccessExpr getSuccNode(int i) { result = this.(YamlMapping).getValueNode(i) }
+}
+
+/**
+ * A Step is a single task that can be executed as part of a job.
+ */
+class StepStmt extends Statement instanceof Actions::Step {
+  string getId() { result = super.getId() }
+
+  string getName() {
+    result = super.getId()
+    or
+    not exists(string s | s = super.getId()) and result = "unknown"
+  }
+
+  JobStmt getJob() { result = super.getJob() }
+
+  abstract AstNode getSuccNode(int i);
+}
+
+/**
+ * A Uses step represents a call to an action that is defined in a GitHub repository.
+ */
+class UsesExpr extends StepStmt, Expression {
+  Actions::Uses uses;
+
+  UsesExpr() { uses.getStep() = this }
+
+  string getTarget() { result = uses.getGitHubRepository() }
+
+  string getVersion() { result = uses.getVersion() }
+
+  Expression getArgument(string key) {
+    exists(Actions::With with |
+      with.getStep() = this and
+      result = with.lookup(key)
+    )
+  }
+
+  Expression getArgumentByOrder(int i) {
+    exists(Actions::With with |
+      with.getStep() = uses.getStep() and
+      result =
+        rank[i](Expression child, Location l |
+          child = with.lookup(_) and l = child.getLocation()
+        |
+          child
+          order by
+            l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+        )
+    )
+  }
+
+  Expression getAnArgument() {
+    exists(Actions::With with |
+      with.getStep() = this and
+      result = with.lookup(_)
+    )
+  }
+
+  override AstNode getSuccNode(int i) { result = this.getArgumentByOrder(i) }
+}
+
+/**
+ * An argument passed to a UsesExpr.
+ */
+class ArgumentExpr extends Expression {
+  UsesExpr uses;
+
+  ArgumentExpr() { this = uses.getAnArgument() }
+}
+
+/**
+ * A Run step represents a call to an inline script or executable on the runner machine.
+ */
+class RunExpr extends StepStmt {
+  Actions::Run scriptExpr;
+
+  RunExpr() { scriptExpr.getStep() = this }
+
+  Expression getScriptExpr() { result = scriptExpr }
+
+  string getScript() { result = scriptExpr.getValue() }
+
+  override AstNode getSuccNode(int i) { result = this.getScriptExpr() and i = 0 }
+}
+
+/**
+ * A YAML string containing a workflow expression.
+ */
+class ExprAccessExpr extends Expression instanceof YamlString {
+  string expr;
+
+  ExprAccessExpr() { expr = Actions::getASimpleReferenceExpression(this) }
+
+  string getExpression() { result = expr }
+
+  JobStmt getJob() { result.getAChildNode*() = this }
+}
+
+/**
+ * A ExprAccessExpr where the expression references a step output.
+ * eg: `${{ steps.changed-files.outputs.all_changed_files }}`
+ */
+class StepOutputAccessExpr extends ExprAccessExpr {
+  string stepId;
+  string varName;
+
+  StepOutputAccessExpr() {
+    stepId =
+      this.getExpression().regexpCapture("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and
+    varName =
+      this.getExpression().regexpCapture("steps\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1)
+  }
+
+  string getStepId() { result = stepId }
+
+  string getVarName() { result = varName }
+
+  StepStmt getStep() { result.getId() = stepId }
+}
+
+/**
+ * A ExprAccessExpr where the expression references a job output.
+ * eg: `${{ needs.job1.outputs.foo}}`
+ */
+class JobOutputAccessExpr extends ExprAccessExpr {
+  string jobId;
+  string varName;
+
+  JobOutputAccessExpr() {
+    jobId =
+      this.getExpression().regexpCapture("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.[A-Za-z0-9_-]+", 1) and
+    varName =
+      this.getExpression().regexpCapture("needs\\.[A-Za-z0-9_-]+\\.outputs\\.([A-Za-z0-9_-]+)", 1)
+  }
+
+  string getVarName() { result = varName }
+
+  Expression getOutputExpr() {
+    exists(JobStmt job |
+      job.getId() = jobId and
+      job.getLocation().getFile() = this.getLocation().getFile() and
+      job.getJobOutputExpr(varName) = result
+    )
+  }
+}

ql/lib/codeql/actions/Cfg.qll

@@ -0,0 +1,7 @@
+/** Provides classes representing the control flow graph. */
+
+private import codeql.actions.controlflow.internal.Cfg as CfgInternal
+import CfgInternal::Completion
+import CfgInternal::CfgScope
+import CfgInternal::CfgImpl
+

ql/lib/codeql/actions/DataFlow.qll

@@ -0,0 +1,10 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) data flow analyses.
+ */
+module DataFlow {
+  private import codeql.dataflow.DataFlow
+  private import codeql.actions.dataflow.internal.DataFlowImplSpecific
+  import DataFlowMake<ActionsDataFlow>
+  import codeql.actions.dataflow.internal.DataFlowPublic
+}

ql/lib/codeql/actions/TaintTracking.qll

@@ -0,0 +1,10 @@
+/**
+ * Provides classes for performing local (intra-procedural) and
+ * global (inter-procedural) taint-tracking analyses.
+ */
+module TaintTracking {
+  private import codeql.actions.dataflow.internal.DataFlowImplSpecific
+  private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific
+  private import codeql.dataflow.TaintTracking
+  import TaintFlowMake<ActionsDataFlow, ActionsTaintTracking>
+}