Merge pull request #12 from GitHubSecurityLab/ctx_expressions

feat(bash-step): Improve bash step accuracy

Author: Alvaro Muñoz

ql/lib/codeql/actions/dataflow/FlowSteps.qll

@@ -21,11 +21,6 @@ class AdditionalTaintStep extends Unit {
   abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }
 
-// private class RunEnvToScriptStep extends AdditionalTaintStep {
-//   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-//     runEnvToScriptstep(pred, succ)
-//   }
-// }
 /**
  * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script.
  * e.g.
@@ -34,11 +29,9 @@ class AdditionalTaintStep extends Unit {
  *    env:
  *      BODY: ${{ github.event.comment.body }}
  *    run: |
- *      INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*')
- *      echo "Cleaned Initial URL: $INITIAL_URL"
- *      echo "::set-output name=initial_url::$INITIAL_URL"
- *      echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT
- *      echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT"
+ *      echo "::set-output name=foo::$BODY"
+ *      echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT
+ *      echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT"
  */
 predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
   exists(RunExpr r, string varName, string output |
@@ -51,8 +44,7 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data
         output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or
         output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1)
       ) and
-      // TODO: repalce script with line below
-      script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0
+      line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0
     ) and
     succ.asExpr() = r
   )

ql/src/Security/CWE-094/ExpressionInjection.ql

@@ -37,5 +37,4 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential injection from the ${{ " + sink.getNode().asExpr().(CtxAccessExpr).getExpression() +
-    " }}, which may be controlled by an external user."
+  "Potential expression injection, which may be controlled by an external user."

ql/src/test/.github/workflows/image_link_generator.yml

@@ -17,41 +17,21 @@ jobs:
         env:
           BODY: ${{ github.event.comment.body }}
         run: |
-          INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*')
-          echo "Cleaned Initial URL: $INITIAL_URL"
-          echo "::set-output name=initial_url::$INITIAL_URL"
+          echo "::set-output name=initial_url::$BODY"
 
       - name: Get Redirected URL with Debugging
         id: curl
         env:
           INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }}
         run: |
-          REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL")
-          echo "Curl Command Executed"
-          echo "Redirected URL: $REDIRECTED_URL"
-          echo "::set-output name=redirected_url::$REDIRECTED_URL"
-
+          echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT
       - name: Trim URL after PNG
         id: trim-url
         env:
           REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }}
         run: |
-          TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/')
-          echo "Trimmed URL: $TRIMMED_URL"
-          echo "::set-output name=trimmed_url::$TRIMMED_URL"
+          echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT"
 
       - name: Update Comment with New URL
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COMMENT_URL: ${{ github.event.comment.url }}
-          ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }}
         run: |
           NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}"
-          UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}"
-
-          PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}')
-          curl -X PATCH \
-               -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-               -H "Accept: application/vnd.github.v3+json" \
-               "${COMMENT_URL}" \
-               -d "$PAYLOAD"