Add CachePoisoning by Code Injection query

Alvaro Muñoz · Alvaro Muñoz · commit fafb44d4f662 · 2024-05-08T15:20:48.000+02:00
diff --git a/ql/lib/codeql/actions/security/CachePoisoningQuery.qll b/ql/lib/codeql/actions/security/CachePoisoningQuery.qll
@@ -1,5 +1,15 @@
 import actions
 
+string defaultBranchTriggerEvent() {
+  result =
+    [
+      "check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
+      "issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
+      "public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
+      "watch", "workflow_run"
+    ]
+}
+
 abstract class CacheWritingStep extends Step { }
 
 class CacheActionUsesStep extends CacheWritingStep, UsesStep {
@@ -60,3 +70,10 @@ class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
     )
   }
 }
+
+class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
+  SetupRubyUsesStep() {
+    this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and
+    this.getArgument("bundler-cache") = "true"
+  }
+}
diff --git a/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql b/ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql
@@ -0,0 +1,41 @@
+/**
+ * @name Cache Poisoning via low-privilege code injection
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 9.3
+ * @id actions/cache-poisoning/code-injection
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-349
+ *       external/cwe/cwe-094
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import codeql.actions.security.CachePoisoningQuery
+import CodeInjectionFlow::PathGraph
+
+from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, LocalJob j
+where
+  CodeInjectionFlow::flowPath(source, sink) and
+  j = sink.getNode().asExpr().getEnclosingJob() and
+  not j.isPrivileged() and
+  // The workflow runs in the context of the default branch
+  // TODO: (require to collect trigger types)
+  // - add push to default branch?
+  // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
+  (
+    j.getEnclosingWorkflow().hasTriggerEvent(defaultBranchTriggerEvent())
+    or
+    j.getEnclosingWorkflow().hasTriggerEvent("workflow_call") and
+    exists(ExternalJob call, Workflow caller |
+      call.getCallee() = j.getLocation().getFile().getRelativePath() and
+      caller = call.getWorkflow() and
+      caller.hasTriggerEvent(defaultBranchTriggerEvent())
+    )
+  )
+select sink.getNode(), source, sink,
+  "Potential code injection in $@, which may be controlled by an external user.", sink,
+  sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml
@@ -0,0 +1,12 @@
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  pr-comment:
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - run: |
+          echo ${{ github.event.comment.body }}
+
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
@@ -1,5 +1,6 @@
-| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test6.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
-| .github/workflows/test7.yml:12:9:15:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test6.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test7.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
+| .github/workflows/test8.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
@@ -0,0 +1,6 @@
+edges
+nodes
+| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
+subpaths
+#select
+| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} |
diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref b/ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref
@@ -0,0 +1,2 @@
+Security/CWE-349/CachePoisoningByCodeInjection.ql
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Security/CWE-349/CachePoisoningByCodeInjection.ql`
	`2`	`+`