Refactor runOnDefaultBranch

Alvaro Muñoz · Alvaro Muñoz · commit 8590a0ba8fbf · 2024-05-10T14:12:54.000+02:00
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -10,6 +10,56 @@ string defaultBranchTriggerEvent() {
     ]
 }
 
+predicate test(Event e) {
+  e.getName() = "pull_request_target" and
+  // branches and branches-ignore filters
+  e.hasProperty("branches") and
+  e.hasProperty("branches-ignore") and
+  e.getAPropertyValue("branches") = ["main", "master", "default"] and
+  not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"]
+}
+
+predicate runsOnDefaultBranch(Job j) {
+  exists(Event e |
+    j.getATriggerEvent() = e and
+    (
+      e.getName() = defaultBranchTriggerEvent() and
+      not e.getName() = "pull_request_target"
+      or
+      e.getName() = "push" and
+      e.getAPropertyValue("branches") = ["main", "master", "default"]
+      or
+      e.getName() = "pull_request_target" and
+      (
+        // no filtering
+        not e.hasProperty("branches") and not e.hasProperty("branches-ignore")
+        or
+        // only branches-ignore filter
+        e.hasProperty("branches-ignore") and
+        not e.hasProperty("branches") and
+        not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"]
+        or
+        // only branches filter
+        e.hasProperty("branches") and
+        not e.hasProperty("branches-ignore") and
+        e.getAPropertyValue("branches") = ["main", "master", "default"]
+        or
+        // branches and branches-ignore filters
+        e.hasProperty("branches") and
+        e.hasProperty("branches-ignore") and
+        e.getAPropertyValue("branches") = ["main", "master", "default"] and
+        not e.getAPropertyValue("branches-ignore") = ["main", "master", "default"]
+      )
+    )
+  )
+  or
+  j.getATriggerEvent().getName() = "workflow_call" and
+  exists(ExternalJob call |
+    call.getCallee() = j.getLocation().getFile().getRelativePath() and
+    runsOnDefaultBranch(call)
+  )
+}
+
 abstract class CacheWritingStep extends Step { }
 
 class CacheActionUsesStep extends CacheWritingStep, UsesStep {
diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -21,19 +21,7 @@ where
   // Excluding privileged workflows since they can be easily exploited in similar circumstances
   not j.isPrivileged() and
   // The workflow runs in the context of the default branch
-  // TODO: (require to collect trigger types)
-  // - add push to default branch?
-  // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
-  (
-    j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent())
-    or
-    j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and
-    exists(ExternalJob call, Workflow caller |
-      call.getCallee() = j.getLocation().getFile().getRelativePath() and
-      caller = call.getWorkflow() and
-      caller.hasTriggerEvent(defaultBranchTriggerEvent())
-    )
-  ) and
+  runsOnDefaultBranch(j) and
   // The job checkouts untrusted code from a pull request
   j.getAStep() = checkout and
   (
diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
@@ -21,21 +21,10 @@ from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Local
 where
   CodeInjectionFlow::flowPath(source, sink) and
   j = sink.getNode().asExpr().getEnclosingJob() and
+  // Excluding privileged workflows since they can be easily exploited in similar circumstances
   not j.isPrivileged() and
   // The workflow runs in the context of the default branch
-  // TODO: (require to collect trigger types)
-  // - add push to default branch?
-  // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
-  (
-    j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent())
-    or
-    j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and
-    exists(ExternalJob call, Workflow caller |
-      call.getCallee() = j.getLocation().getFile().getRelativePath() and
-      caller = call.getWorkflow() and
-      caller.hasTriggerEvent(defaultBranchTriggerEvent())
-    )
-  )
+  runsOnDefaultBranch(j)
 select sink.getNode(), source, sink,
   "Unprivileged code injection in $@, which may lead to cache poisoning.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()
