Merge pull request #33 from github/fix_32

Add context paths containing tainted fields

Author: Alvaro Muñoz

ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -76,22 +76,6 @@ private predicate textEvent(string context) {
   )
 }
 
-// bindingset[context]
-// private predicate repoNameEvent(string context) {
-//   exists(string reg |
-//     reg =
-//       [
-//         // repo name
-//         // Owner: All characters must be either a hyphen (-) or alphanumeric
-//         // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point
-//         "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name
-//         "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name
-//         "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo
-//       ]
-//   |
-//     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
-//   )
-// }
 bindingset[context]
 private predicate branchEvent(string context) {
   exists(string reg |
@@ -194,7 +178,19 @@ private predicate jsonEvent(string context) {
     reg =
       [
         // json
-        "github\\.event",
+        "github\\.event", "github\\.event\\.client_payload", "github\\.event\\.comment",
+        "github\\.event\\.commits", "github\\.event\\.discussion", "github\\.event\\.head_commit",
+        "github\\.event\\.head_commit\\.author", "github\\.event\\.head_commit\\.committer",
+        "github\\.event\\.inputs", "github\\.event\\.issue", "github\\.event\\.merge_group",
+        "github\\.event\\.merge_group\\.committer", "github\\.event\\.pull_request",
+        "github\\.event\\.pull_request\\.head", "github\\.event\\.pull_request\\.head\\.repo",
+        "github\\.event\\.pages", "github\\.event\\.review", "github\\.event\\.workflow",
+        "github\\.event\\.workflow_run", "github\\.event\\.workflow_run\\.head_branch",
+        "github\\.event\\.workflow_run\\.head_commit",
+        "github\\.event\\.workflow_run\\.head_commit\\.author",
+        "github\\.event\\.workflow_run\\.head_commit\\.committer",
+        "github\\.event\\.workflow_run\\.head_repository",
+        "github\\.event\\.workflow_run\\.pull_requests",
       ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))

ql/test/query-tests/Security/CWE-094/.github/workflows/test4.yml

@@ -0,0 +1,19 @@
+name: Test
+on:
+  issue_comment:
+    types: [created, edited]
+
+permissions:
+  contents: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Dump GitHub comment context
+        id: github_comment_step
+        run: echo '${{ toJSON(github.event.comment) }}'
+
+      - name: Dump GitHub issue context
+        id: github_issue_step
+        run: echo '${{ toJSON(github.event.issue) }}'

ql/test/query-tests/Security/CWE-094/CodeInjection.expected

@@ -229,6 +229,8 @@ nodes
 | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
 | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
 | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
+| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) |
+| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |

ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected

@@ -229,6 +229,8 @@ nodes
 | .github/workflows/test3.yml:11:17:11:70 | steps.issue_body_parser_request.outputs.payload | semmle.label | steps.issue_body_parser_request.outputs.payload |
 | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | semmle.label | Uses Step: issue_body_parser_request |
 | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
+| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) |
+| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
 | .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:12:9:18:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -341,6 +343,8 @@ subpaths
 | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | .github/workflows/test2.yml:17:9:25:6 | Uses Step: changed | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:27:26:27:66 | steps.changed.outputs.locale_files | ${{ steps.changed.outputs.locale_files }} |
 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | .github/workflows/test2.yml:29:9:37:6 | Uses Step: changed2 | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:39:25:39:66 | steps.changed2.outputs.locale_files | ${{ steps.changed2.outputs.locale_files }} |
 | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | .github/workflows/test3.yml:13:9:21:2 | Uses Step: issue_body_parser_request | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | ${{ needs.parse-issue.outputs.payload }} |
+| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | ${{ toJSON(github.event.comment) }} |
+| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | ${{ toJSON(github.event.issue) }} |
 | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} |
 | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:10:19:10:70 | github.event.workflow_run.head_commit.message | ${{ github.event.workflow_run.head_commit.message }} |