Improper access check queries and tests

Alvaro Muñoz · Alvaro Muñoz · commit 73fbd2311bc0 · 2024-05-14T10:20:04.000+02:00
diff --git a/ql/src/Security/CWE-285/ImproperAccessControl.ql b/ql/src/Security/CWE-285/ImproperAccessControl.ql
@@ -0,0 +1,30 @@
+/**
+ * @name Improper Access Control
+ * @description The access control mechanism is not properly implemented, allowing untrusted code to be executed in a privileged context.
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/improper-access-control
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-285
+ */
+
+import codeql.actions.security.UntrustedCheckoutQuery
+
+from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event
+where
+  job = checkout.getEnclosingJob() and
+  job.isPrivileged() and
+  job.getATriggerEvent() = event and
+  event.getName() = "pull_request_target" and
+  event.getAnActivityType() = "synchronize" and
+  job.getAStep() = checkout and
+  (
+    checkout.getIf() = check
+    or
+    checkout.getEnclosingJob().getIf() = check
+  )
+select checkout, "The checked-out code can be changed after the authorization check o step $@.",
+  check, check.toString()
diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-285/.github/workflows/test1.yml
@@ -0,0 +1,20 @@
+name: Pull request feedback
+
+on:
+  pull_request_target:
+    types: [ opened, synchronize ]
+
+permissions: {}
+jobs:
+  test:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repo for OWNER TEST
+      uses: actions/checkout@v3
+      if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+    - run: ./cmd
diff --git a/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml b/ql/test/query-tests/Security/CWE-285/.github/workflows/test2.yml
@@ -0,0 +1,20 @@
+name: Pull request feedback
+
+on:
+  pull_request_target:
+    types: [ labeled ]
+
+permissions: {}
+jobs:
+  test:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repo for OWNER TEST
+      uses: actions/checkout@v3
+      if: contains(github.event.pull_request.labels.*.name, 'safe to test')
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+    - run: ./cmd
diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.expected
@@ -0,0 +1 @@
+| .github/workflows/test1.yml:15:7:20:4 | Uses Step | The checked-out code can be changed after the authorization check o step $@. | .github/workflows/test1.yml:17:11:17:75 | contain ...  test') | contain ...  test') |
diff --git a/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref b/ql/test/query-tests/Security/CWE-285/ImproperAccessControl.qlref
@@ -0,0 +1,2 @@
+Security/CWE-285/ImproperAccessControl.ql
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+\| .github/workflows/test1.yml:15:7:20:4 \| Uses Step \| The checked-out code can be changed after the authorization check o step $@. \| .github/workflows/test1.yml:17:11:17:75 \| contain ... test') \| contain ... test') \|`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Security/CWE-285/ImproperAccessControl.ql`
	`2`	`+`