Merge pull request #4 from github/refactor_untrusted_checkout

Refactor untrusted checkout queries

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -3,6 +3,7 @@ private import codeql.actions.TaintTracking
 import codeql.actions.DataFlow
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
+import codeql.actions.security.PoisonableSteps
 
 string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" }
 
@@ -228,81 +229,19 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
   }
 }
 
-abstract class PoisonableStep extends Step { }
-
-// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
-private string dangerousActions() {
-  result =
-    ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
-}
-
-class DangerousActionUsesStep extends PoisonableStep, UsesStep {
-  DangerousActionUsesStep() {
-    exists(UntrustedArtifactDownloadStep step |
-      step.getAFollowingStep() = this and
-      this.getCallee() = dangerousActions()
-    )
-  }
-}
-
-// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
-private string dangerousCommands() {
-  result =
-    [
-      "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
-      "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
-      "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ",
-      "^ant ", "mkdocs build", "pytest"
-    ]
-}
-
-class BuildRunStep extends PoisonableStep, Run {
-  BuildRunStep() {
-    exists(UntrustedArtifactDownloadStep step |
-      step.getAFollowingStep() = this and
-      exists(
-        this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _)
-      )
-    )
-  }
-}
-
-class LocalCommandExecutionRunStep extends PoisonableStep, Run {
-  LocalCommandExecutionRunStep() {
-    exists(UntrustedArtifactDownloadStep step |
-      step.getAFollowingStep() = this and
-      // Heuristic:
-      // Run step with a command starting with `./xxxx`, `sh xxxx`, ...
-      exists(
-        this.getScript()
-            .splitAt("\n")
-            .trim()
-            .regexpFind("([^a-z]|^)(./|(ba|z|fi)?sh\\s+)" + step.getPath(), _, _)
-      )
-    )
-  }
-}
-
-class EnvVarInjectionRunStep extends PoisonableStep, Run {
-  EnvVarInjectionRunStep() {
-    exists(UntrustedArtifactDownloadStep step, string value |
-      step.getAFollowingStep() = this and
-      // Heuristic:
-      // Run step with env var definition based on file content.
-      // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV`
-      // eg: `echo "sha=$(<test-results/sha-number)" >> $GITHUB_ENV`
-      Utils::writeToGitHubEnv(this, _, value) and
-      // TODO: add support for other commands like `<`, `jq`, ...
-      value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"])
-    )
-  }
-}
-
 class ArtifactPoisoningSink extends DataFlow::Node {
   ArtifactPoisoningSink() {
-    exists(PoisonableStep step |
-      step.(Run).getScriptScalar() = this.asExpr() or
-      step.(UsesStep) = this.asExpr()
+    exists(UntrustedArtifactDownloadStep download, PoisonableStep poisonable |
+      download.getAFollowingStep() = poisonable and
+      (
+        poisonable.(Run).getScriptScalar() = this.asExpr()
+        or
+        poisonable.(UsesStep) = this.asExpr()
+      ) and
+      (
+        not poisonable instanceof LocalCommandExecutionRunStep or
+        poisonable.(LocalCommandExecutionRunStep).getCommand().matches(download.getPath() + "%")
+      )
     )
   }
 }

ql/lib/codeql/actions/security/PoisonableSteps.qll

@@ -0,0 +1,64 @@
+import actions
+
+abstract class PoisonableStep extends Step { }
+
+// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
+private string dangerousActions() {
+  result =
+    ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
+}
+
+class DangerousActionUsesStep extends PoisonableStep, UsesStep {
+  DangerousActionUsesStep() { this.getCallee() = dangerousActions() }
+}
+
+// source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
+private string dangerousCommands() {
+  result =
+    [
+      "npm install", "npm run ", "yarn ", "npm ci(\\b|$)", "make ", "terraform plan",
+      "terraform apply", "gomplate ", "pre-commit run", "pre-commit install", "go generate",
+      "msbuild ", "mvn ", "./mvnw ", "gradle ", "./gradlew ", "bundle install", "bundle exec ",
+      "^ant ", "mkdocs build", "pytest"
+    ]
+}
+
+class BuildRunStep extends PoisonableStep, Run {
+  BuildRunStep() {
+    exists(
+      this.getScript().splitAt("\n").trim().regexpFind("([^a-z]|^)" + dangerousCommands(), _, _)
+    )
+  }
+}
+
+class LocalCommandExecutionRunStep extends PoisonableStep, Run {
+  string cmd;
+
+  LocalCommandExecutionRunStep() {
+    // Heuristic:
+    // Run step with a command starting with `./xxxx`, `sh xxxx`, ...
+    exists(string line | line = this.getScript().splitAt("\n").trim() |
+      // ./xxxx
+      cmd = line.regexpCapture("(^|\\s+)\\.\\/(.*)", 2)
+      or
+      // sh xxxx
+      cmd = line.regexpCapture("(^|\\s+)(ba|z|fi)?sh\\s+(.*)", 3)
+    )
+  }
+
+  string getCommand() { result = cmd }
+}
+
+class EnvVarInjectionRunStep extends PoisonableStep, Run {
+  EnvVarInjectionRunStep() {
+    exists(string value |
+      // Heuristic:
+      // Run step with env var definition based on file content.
+      // eg: `echo "sha=$(cat test-results/sha-number)" >> $GITHUB_ENV`
+      // eg: `echo "sha=$(<test-results/sha-number)" >> $GITHUB_ENV`
+      Utils::writeToGitHubEnv(this, _, value) and
+      // TODO: add support for other commands like `<`, `jq`, ...
+      value.regexpMatch(["\\$\\(", "`"] + ["ls\\s+", "cat\\s+", "<"] + ".*" + ["`", "\\)"])
+    )
+  }
+}

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -0,0 +1,229 @@
+import actions
+import codeql.actions.DataFlow
+
+bindingset[s]
+predicate containsPullRequestNumber(string s) {
+  exists(
+    Utils::normalizeExpr(s)
+        .regexpFind([
+            "\\bgithub\\.event\\.number\\b", "\\bgithub\\.event\\.issue\\.number\\b",
+            "\\bgithub\\.event\\.pull_request\\.id\\b",
+            "\\bgithub\\.event\\.pull_request\\.number\\b",
+            "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
+            "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
+            "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.id\\b",
+            "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.number\\b",
+            "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
+            "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
+            // heuristics
+            "\\bpr_number\\b", "\\bpr_id\\b"
+          ], _, _)
+  )
+}
+
+bindingset[s]
+predicate containsHeadSHA(string s) {
+  exists(
+    Utils::normalizeExpr(s)
+        .regexpFind([
+            "\\bgithub\\.event\\.pull_request\\.head\\.sha\\b",
+            "\\bgithub\\.event\\.pull_request\\.merge_commit_sha\\b",
+            "\\bgithub\\.event\\.workflow_run\\.head_commit\\.id\\b",
+            "\\bgithub\\.event\\.workflow_run\\.head_sha\\b",
+            "\\bgithub\\.event\\.check_suite\\.after\\b",
+            "\\bgithub\\.event\\.check_suite\\.head_commit\\.id\\b",
+            "\\bgithub\\.event\\.check_suite\\.head_sha\\b",
+            "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+            "\\bgithub\\.event\\.check_run\\.check_suite\\.after\\b",
+            "\\bgithub\\.event\\.check_run\\.check_suite\\.head_commit\\.id\\b",
+            "\\bgithub\\.event\\.check_run\\.check_suite\\.head_sha\\b",
+            "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+            "\\bgithub\\.event\\.check_run\\.head_sha\\b",
+            "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
+            // heuristics
+            "\\bhead\\.sha\\b", "\\bhead_sha\\b", "\\bpr_head_sha\\b"
+          ], _, _)
+  )
+}
+
+bindingset[s]
+predicate containsHeadRef(string s) {
+  exists(
+    Utils::normalizeExpr(s)
+        .regexpFind([
+            "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b",
+            "\\bgithub\\.event\\.workflow_run\\.head_branch\\b",
+            "\\bgithub\\.event\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+            "\\bgithub\\.event\\.check_run\\.check_suite\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+            "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.ref\\b",
+            // heuristics
+            "\\bhead\\.ref\\b", "\\bhead_ref\\b", "\\bpr_head_ref\\b",
+            // env vars
+            "\\benv\\.GITHUB_HEAD_REF\\b",
+          ], _, _)
+  )
+}
+
+/** Checkout of a Pull Request HEAD ref */
+abstract class PRHeadCheckoutStep extends Step { }
+
+/** Checkout of a Pull Request HEAD ref using actions/checkout action */
+class ActionsMutableRefCheckout extends PRHeadCheckoutStep instanceof UsesStep {
+  ActionsMutableRefCheckout() {
+    this.getCallee() = "actions/checkout" and
+    (
+      // ref argument contains the PR id/number or head ref/sha
+      exists(Expression e |
+        (
+          containsHeadRef(e.getExpression()) or
+          containsPullRequestNumber(e.getExpression())
+        ) and
+        DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
+      )
+      or
+      // 3rd party actions returning the PR head sha/ref
+      exists(UsesStep step |
+        step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+        // TODO: This should be read step of the head_sha or head_ref output vars
+        this.getArgument("ref").regexpMatch(".*head_ref.*") and
+        DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+      )
+      or
+      // heuristic base on the step id and field name
+      exists(StepsExpression e |
+        this.getArgumentExpr("ref") = e and
+        (
+          e.getStepId().matches(["%ref%", "%branch%"]) or
+          e.getFieldName().matches(["%ref%", "%branch%"])
+        )
+      )
+    )
+  }
+}
+
+/** Checkout of a Pull Request HEAD ref using actions/checkout action */
+class ActionsSHACheckout extends PRHeadCheckoutStep instanceof UsesStep {
+  ActionsSHACheckout() {
+    this.getCallee() = "actions/checkout" and
+    (
+      // ref argument contains the PR id/number or head ref/sha
+      exists(Expression e |
+        containsHeadSHA(e.getExpression()) and
+        DataFlow::hasLocalFlowExpr(e, this.getArgumentExpr("ref"))
+      )
+      or
+      // 3rd party actions returning the PR head sha/ref
+      exists(UsesStep step |
+        step.getCallee() = ["eficode/resolve-pr-refs", "xt0rted/pull-request-comment-branch"] and
+        this.getArgument("ref").regexpMatch(".*head_sha.*") and
+        DataFlow::hasLocalFlowExpr(step, this.getArgumentExpr("ref"))
+      )
+      or
+      // heuristic base on the step id and field name
+      exists(StepsExpression e |
+        this.getArgumentExpr("ref") = e and
+        (
+          e.getStepId().matches(["%sha%", "%commit%"]) or
+          e.getFieldName().matches(["%sha%", "%commit%"])
+        )
+      )
+    )
+  }
+}
+
+/** Checkout of a Pull Request HEAD ref using git within a Run step */
+class GitMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+  GitMutableRefCheckout() {
+    exists(string line |
+      this.getScript().splitAt("\n") = line and
+      line.regexpMatch(".*git\\s+(fetch|pull).*") and
+      (
+        (containsHeadRef(line) or containsPullRequestNumber(line))
+        or
+        exists(string varname, string expr |
+          expr = this.getInScopeEnvVarExpr(varname).getExpression() and
+          (
+            containsHeadRef(expr) or
+            containsPullRequestNumber(expr)
+          ) and
+          exists(line.regexpFind(varname, _, _))
+        )
+      )
+    )
+  }
+}
+
+/** Checkout of a Pull Request HEAD ref using git within a Run step */
+class GitSHACheckout extends PRHeadCheckoutStep instanceof Run {
+  GitSHACheckout() {
+    exists(string line |
+      this.getScript().splitAt("\n") = line and
+      line.regexpMatch(".*git\\s+(fetch|pull).*") and
+      (
+        containsHeadSHA(line)
+        or
+        exists(string varname, string expr |
+          expr = this.getInScopeEnvVarExpr(varname).getExpression() and
+          containsHeadSHA(expr) and
+          exists(line.regexpFind(varname, _, _))
+        )
+      )
+    )
+  }
+}
+
+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhMutableRefCheckout extends PRHeadCheckoutStep instanceof Run {
+  GhMutableRefCheckout() {
+    exists(string line |
+      this.getScript().splitAt("\n") = line and
+      line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+      (
+        (containsHeadRef(line) or containsPullRequestNumber(line))
+        or
+        exists(string varname |
+          (
+            containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) or
+            containsPullRequestNumber(this.getInScopeEnvVarExpr(varname).getExpression())
+          ) and
+          exists(line.regexpFind(varname, _, _))
+        )
+      )
+    )
+  }
+}
+
+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhSHACheckout extends PRHeadCheckoutStep instanceof Run {
+  GhSHACheckout() {
+    exists(string line |
+      this.getScript().splitAt("\n") = line and
+      line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+      (
+        containsHeadSHA(line)
+        or
+        exists(string varname |
+          containsHeadSHA(this.getInScopeEnvVarExpr(varname).getExpression()) and
+          exists(line.regexpFind(varname, _, _))
+        )
+      )
+    )
+  }
+}
+
+/** An If node that contains an actor, user or label check */
+class ControlCheck extends If {
+  ControlCheck() {
+    exists(
+      Utils::normalizeExpr(this.getCondition())
+          .regexpFind([
+              "\\bgithub\\.actor\\b", // actor
+              "\\bgithub\\.triggering_actor\\b", // actor
+              "\\bgithub\\.event\\.comment\\.user\\.login\\b", //user
+              "\\bgithub\\.event\\.pull_request\\.user\\.login\\b", //user
+              "\\bgithub\\.event\\.pull_request\\.labels\\b", // label
+              "\\bgithub\\.event\\.label\\.name\\b" // label
+            ], _, _)
+    )
+  }
+}