feat(bash-step): Improve bash step accuracy

Only pass the taint when the env var is directlty set as the step output
2026-04-30 19:26:02 +02:00 · 2024-02-15 11:51:28 +01:00
parent 0f73080a7b
commit 1cd32195a7
3 changed files with 8 additions and 37 deletions
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -21,11 +21,6 @@ class AdditionalTaintStep extends Unit {
  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
 }

-// private class RunEnvToScriptStep extends AdditionalTaintStep {
-//   override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-//     runEnvToScriptstep(pred, succ)
-//   }
-// }
 /**
 * Holds if a Run step declares an environment variable, uses it in its script and sets an output in its script.
 * e.g.
@@ -34,11 +29,9 @@ class AdditionalTaintStep extends Unit {
 *    env:
 *      BODY: ${{ github.event.comment.body }}
 *    run: |
- *      INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*')
- *      echo "Cleaned Initial URL: $INITIAL_URL"
- *      echo "::set-output name=initial_url::$INITIAL_URL"
- *      echo "foo=$(echo $TAINTED)" >> $GITHUB_OUTPUT
- *      echo "test=${{steps.step1.outputs.MSG}}" >> "$GITHUB_OUTPUT"
+ *      echo "::set-output name=foo::$BODY"
+ *      echo "foo=$(echo $BODY)" >> $GITHUB_OUTPUT
+ *      echo "foo=$(echo $BODY)" >> "$GITHUB_OUTPUT"
 */
 predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
  exists(RunExpr r, string varName, string output |
@@ -51,8 +44,7 @@ predicate runEnvToScriptStoreStep(DataFlow::Node pred, DataFlow::Node succ, Data
        output = line.regexpCapture(".*::set-output\\s+name=(.*)::.*", 1) or
        output = line.regexpCapture(".*echo\\s*\"(.*)=.*\\s*>>\\s*(\")?\\$GITHUB_OUTPUT.*", 1)
      ) and
-      // TODO: repalce script with line below
-      script.indexOf("$" + ["", "{", "ENV{"] + varName) > 0
+      line.indexOf("$" + ["", "{", "ENV{"] + varName) > 0
    ) and
    succ.asExpr() = r
  )
--- a/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -37,5 +37,4 @@ import MyFlow::PathGraph
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential injection from the ${{ " + sink.getNode().asExpr().(CtxAccessExpr).getExpression() +
-    " }}, which may be controlled by an external user."
+  "Potential expression injection, which may be controlled by an external user."
--- a/ql/src/test/.github/workflows/image_link_generator.yml
+++ b/ql/src/test/.github/workflows/image_link_generator.yml
@@ -17,41 +17,21 @@ jobs:
        env:
          BODY: ${{ github.event.comment.body }}
        run: |
-          INITIAL_URL=$(echo "$BODY" | grep -o 'https://github.com/github/release-assets/assets/[^ >]*')
-          echo "Cleaned Initial URL: $INITIAL_URL"
-          echo "::set-output name=initial_url::$INITIAL_URL"
+          echo "::set-output name=initial_url::$BODY"

      - name: Get Redirected URL with Debugging
        id: curl
        env:
          INITIAL_URL: ${{ steps.extract-url.outputs.initial_url }}
        run: |
-          REDIRECTED_URL=$(curl -L -o /dev/null -w %{url_effective} -sS "$INITIAL_URL")
-          echo "Curl Command Executed"
-          echo "Redirected URL: $REDIRECTED_URL"
-          echo "::set-output name=redirected_url::$REDIRECTED_URL"
-
+          echo "redirected_url=$(echo $INITIAL_URL)" >> $GITHUB_OUTPUT
      - name: Trim URL after PNG
        id: trim-url
        env:
          REDIRECTED_URL: ${{ steps.curl.outputs.redirected_url }}
        run: |
-          TRIMMED_URL=$(echo "$REDIRECTED_URL" | sed 's/\(.*\.png\).*/\1/')
-          echo "Trimmed URL: $TRIMMED_URL"
-          echo "::set-output name=trimmed_url::$TRIMMED_URL"
+          echo "trimmed_url=$(echo $REDIRECTED_URL)" >> "$GITHUB_OUTPUT"

      - name: Update Comment with New URL
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          COMMENT_URL: ${{ github.event.comment.url }}
-          ORIGINAL_COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          NEW_COMMENT_BODY="Use this link to include this asset in your changelog: ${{ steps.trim-url.outputs.trimmed_url }}"
-          UPDATED_COMMENT="${ORIGINAL_COMMENT_BODY} 👀 ${NEW_COMMENT_BODY}"
-
-          PAYLOAD=$(jq -n --arg body "$UPDATED_COMMENT" '{"body": $body}')
-          curl -X PATCH \
-               -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-               -H "Accept: application/vnd.github.v3+json" \
-               "${COMMENT_URL}" \
-               -d "$PAYLOAD"