Refactor getXXXExpr methods

Alvaro Muñoz · Alvaro Muñoz · commit 6875640c6439 · 2024-03-04T10:33:26.000+01:00
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
@@ -214,36 +214,39 @@ class Strategy extends AstNode instanceof YamlMapping {
   /**
    * Gets a specific matric expression (YamlMapping) by name.
    */
-  StringLiteral getMatrixVariable(string name) {
+  StringLiteral getMatrixVar(string name) {
     super.lookup("matrix").(YamlMapping).lookup(name) = result
   }
 
-  string getAMatrixVariableName() {
-    this.(YamlMapping).maps(any(YamlString s | s.getValue() = result), _)
-  }
+  /**
+   * Gets a specific matric expression (YamlMapping) by name.
+   */
+  StringLiteral getAMatrixVar() { super.lookup("matrix").(YamlMapping).lookup(_) = result }
 }
 
 /**
  * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds
  */
-class Needs extends AstNode {
+class Needs extends AstNode instanceof YamlMappingLikeNode {
   Job job;
 
   Needs() { job.(YamlMapping).lookup("needs") = this }
 
   Job getJob() { result = job }
 
   Job getANeededJob() {
-    if this instanceof YamlString
-    then
-      result.getId() = this.(YamlString).getValue() and
-      result.getLocation().getFile() = job.getLocation().getFile()
-    else
-      if this instanceof YamlSequence
-      then
-        result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and
-        result.getLocation().getFile() = job.getLocation().getFile()
-      else none()
+    result.getId() = super.getNode(_).(YamlString).getValue() and
+    result.getLocation().getFile() = job.getLocation().getFile()
+    // if this instanceof YamlString
+    // then
+    //   result.getId() = this.(YamlString).getValue() and
+    //   result.getLocation().getFile() = job.getLocation().getFile()
+    // else
+    //   if this instanceof YamlSequence
+    //   then
+    //     result.getId() = this.(YamlSequence).getElementNode(_).(YamlString).getValue() and
+    //     result.getLocation().getFile() = job.getLocation().getFile()
+    //   else none()
   }
 }
 
@@ -583,29 +586,30 @@ class StepsExpression extends ContextExpression {
  * e.g. `${{ needs.job1.outputs.foo}}`
  */
 class NeedsExpression extends ContextExpression {
-  Job job;
-  string jobId;
+  Job neededJob;
+  string neededJobId;
   string fieldName;
 
   NeedsExpression() {
     expr.regexpMatch(needsCtxRegex()) and
-    jobId = expr.regexpCapture(needsCtxRegex(), 1) and
+    neededJobId = expr.regexpCapture(needsCtxRegex(), 1) and
     fieldName = expr.regexpCapture(needsCtxRegex(), 2) and
-    job.getId() = jobId
+    neededJob.getId() = neededJobId
   }
 
-  predicate usesReusableWorkflow() { job.usesReusableWorkflow() }
+  predicate usesReusableWorkflow() { neededJob.usesReusableWorkflow() }
 
   override string getFieldName() { result = fieldName }
 
   override AstNode getTarget() {
-    job.getLocation().getFile() = this.getLocation().getFile() and
+    neededJob.getLocation().getFile() = this.getLocation().getFile() and
+    this.getJob().getANeededJob() = neededJob and
     (
       // regular jobs
-      job.getOutputs() = result
+      neededJob.getOutputs() = result
       or
       // reusable workflow calling jobs
-      job.getUses() = result
+      neededJob.getUses() = result
     )
   }
 }
@@ -701,12 +705,12 @@ class MatrixExpression extends ContextExpression {
 
   override AstNode getTarget() {
     exists(Workflow w |
-      w.getStrategy().getMatrixVariable(fieldName) = result and
+      w.getStrategy().getMatrixVar(fieldName) = result and
       w.getAChildNode*() = this
     )
     or
     exists(Job j |
-      j.getStrategy().getMatrixVariable(fieldName) = result and
+      j.getStrategy().getMatrixVar(fieldName) = result and
       j.getAChildNode*() = this
     )
   }
diff --git a/ql/lib/codeql/actions/controlflow/internal/Cfg.qll b/ql/lib/codeql/actions/controlflow/internal/Cfg.qll
@@ -215,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy {
   override ControlFlowTree getChildNode(int i) {
     result =
       rank[i](AstNode child, Location l |
-        child = super.getMatrixVariable(_) and l = child.getLocation()
+        child = super.getAMatrixVar() and l = child.getLocation()
       |
         child
         order by
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job0.yml
@@ -1,6 +1,13 @@
-on: push
+jn: push
 
 jobs:
+  job0:
+    runs-on: ubuntu-latest
+    outputs:
+      job_output: foo
+    steps:
+      - run: echo "foo"
+
   job1:
     runs-on: ubuntu-latest
 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job1.yml
@@ -0,0 +1,43 @@
+on: push
+
+jobs:
+  job0:
+    runs-on: ubuntu-latest
+    outputs:
+      job_output: foo
+    steps:
+      - run: echo "foo"
+
+  job1:
+    runs-on: ubuntu-latest
+
+    outputs:
+      job_output: ${{ steps.step.outputs.value }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: source 
+        uses: tj-actions/changed-files@v40
+
+      - name: Remove foo from changed files
+        id: step
+        uses: mad9000/actions-find-and-replace-string@3
+        with:
+          source: ${{ steps.source.outputs.all_changed_files }}
+          find: 'foo'
+          replace: ''
+
+  job2:
+    runs-on: ubuntu-latest
+
+    if: ${{ always() }}
+
+    needs: [job0, job1]
+
+    steps:
+      - id: sink
+        run: echo ${{needs.job1.outputs.job_output}}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job2.yml
@@ -0,0 +1,45 @@
+on: push
+
+jobs:
+  job0:
+    runs-on: ubuntu-latest
+    outputs:
+      job_output: foo
+    steps:
+      - run: echo "foo"
+
+  job1:
+    runs-on: ubuntu-latest
+
+    outputs:
+      job_output: ${{ steps.step.outputs.value }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: source 
+        uses: tj-actions/changed-files@v40
+
+      - name: Remove foo from changed files
+        id: step
+        uses: mad9000/actions-find-and-replace-string@3
+        with:
+          source: ${{ steps.source.outputs.all_changed_files }}
+          find: 'foo'
+          replace: ''
+
+  job2:
+    runs-on: ubuntu-latest
+
+    if: ${{ always() }}
+
+    needs:
+      - job0
+      - job1
+
+    steps:
+      - id: sink
+        run: echo ${{needs.job1.outputs.job_output}}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
@@ -0,0 +1,44 @@
+jn: push
+
+jobs:
+  job0:
+    runs-on: ubuntu-latest
+    outputs:
+      job_output: foo
+    steps:
+      - run: echo "foo"
+
+  job1:
+    runs-on: ubuntu-latest
+
+    outputs:
+      job_output: ${{ steps.step.outputs.value }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: source 
+        uses: tj-actions/changed-files@v40
+
+      - name: Remove foo from changed files
+        id: step
+        uses: mad9000/actions-find-and-replace-string@3
+        with:
+          source: ${{ steps.source.outputs.all_changed_files }}
+          find: 'foo'
+          replace: ''
+
+  job2:
+    runs-on: ubuntu-latest
+
+    if: ${{ always() }}
+
+    needs:
+      - job1
+
+    steps:
+      - id: sink
+        run: echo ${{needs.job1.outputs.job_output}}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job5.yml
@@ -0,0 +1,45 @@
+jn: push
+
+jobs:
+  job0:
+    runs-on: ubuntu-latest
+    outputs:
+      job_output: foo
+    steps:
+      - run: echo "foo"
+
+  job1:
+    runs-on: ubuntu-latest
+
+    outputs:
+      job_output: ${{ steps.step.outputs.value }}
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get changed files
+        id: source 
+        uses: tj-actions/changed-files@v40
+
+      - name: Remove foo from changed files
+        id: step
+        uses: mad9000/actions-find-and-replace-string@3
+        with:
+          source: ${{ steps.source.outputs.all_changed_files }}
+          find: 'foo'
+          replace: ''
+
+  job2:
+    runs-on: ubuntu-latest
+
+    if: ${{ always() }}
+
+    needs:
+      - job0
+
+    steps:
+      - id: sink
+        # Should not be reported since job1 is not needed
+        run: echo ${{needs.job1.outputs.job_output}}
diff --git a/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/CriticalExpressionInjection.expected
@@ -15,11 +15,26 @@ edges
 | .github/workflows/image_link_generator.yml:25:24:25:67 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:22:9:28:6 | Run Step: curl [redirected_url] |
 | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | .github/workflows/image_link_generator.yml:36:14:37:126 | \| |
 | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] |
-| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} |
-| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] |
-| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} |
-| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} |
-| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} |
+| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} |
+| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] |
 | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | .github/workflows/issues.yaml:15:12:15:39 | echo '$ ... env }}' |
 | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | .github/workflows/issues.yaml:17:12:17:36 | echo '$ ... env }}' |
 | .github/workflows/issues.yaml:20:19:20:49 | ${{ git ... itle }} | .github/workflows/issues.yaml:18:12:18:37 | echo '$ ... env }}' |
@@ -75,12 +90,30 @@ nodes
 | .github/workflows/image_link_generator.yml:28:9:35:6 | Run Step: trim-url [trimmed_url] | semmle.label | Run Step: trim-url [trimmed_url] |
 | .github/workflows/image_link_generator.yml:31:27:31:66 | ${{ ste ... _url }} | semmle.label | ${{ ste ... _url }} |
 | .github/workflows/image_link_generator.yml:36:14:37:126 | \| | semmle.label | \| |
-| .github/workflows/inter-job.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
-| .github/workflows/inter-job.yml:8:19:8:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
-| .github/workflows/inter-job.yml:15:9:19:6 | Uses Step: source | semmle.label | Uses Step: source |
-| .github/workflows/inter-job.yml:19:9:27:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
-| .github/workflows/inter-job.yml:23:19:23:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
-| .github/workflows/inter-job.yml:36:14:36:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job0.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job0.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job0.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job0.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job0.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job0.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job1.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job1.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job1.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job1.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job1.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job1.yml:43:14:43:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job2.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job2.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job2.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job2.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job2.yml:45:14:45:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
+| .github/workflows/inter-job4.yml:15:7:17:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
+| .github/workflows/inter-job4.yml:15:19:15:49 | ${{ ste ... alue }} | semmle.label | ${{ ste ... alue }} |
+| .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | semmle.label | Uses Step: source |
+| .github/workflows/inter-job4.yml:26:9:34:2 | Uses Step: step [value] | semmle.label | Uses Step: step [value] |
+| .github/workflows/inter-job4.yml:30:19:30:63 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+| .github/workflows/inter-job4.yml:44:14:44:52 | echo ${ ... utput}} | semmle.label | echo ${ ... utput}} |
 | .github/workflows/issues.yaml:4:15:4:45 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
 | .github/workflows/issues.yaml:10:16:10:46 | ${{ git ... itle }} | semmle.label | ${{ git ... itle }} |
 | .github/workflows/issues.yaml:13:12:13:49 | echo '$ ... tle }}' | semmle.label | echo '$ ... tle }}' |
diff --git a/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected b/ql/test/query-tests/Security/CWE-094/ExpressionInjection.expected

Original file line number	Diff line number	Diff line change
`@@ -215,7 +215,7 @@ private class StrategyTree extends StandardPreOrderTree instanceof Strategy {`
`215`	`215`	`override ControlFlowTree getChildNode(int i) {`
`216`	`216`	`result =`
`217`	`217`	`rank[i](AstNode child, Location l \|`
`218`		`- child = super.getMatrixVariable(_) and l = child.getLocation()`
	`218`	`+ child = super.getAMatrixVar() and l = child.getLocation()`
`219`	`219`	`\|`
`220`	`220`	`child`
`221`	`221`	`order by`