Clean query

This commit is contained in:
Alvaro Muñoz
2024-05-06 17:24:43 +02:00
parent bb028e41d4
commit 2359e2de90
2 changed files with 16 additions and 17 deletions


@@ -15,22 +15,21 @@ import actions
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.CachePoisoningQuery
from Workflow w, PRHeadCheckoutStep checkout, LocalJob j
from LocalJob j
where
// The workflow runs in the context of the default branch
// TODO: (require to collect trigger types)
// - add push to default branch?
// - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
w.hasTriggerEvent([
"check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
"issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
"public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
"watch", "workflow_run"
]) and
// Workflow is privileged
w.isPrivileged() and
// The workflow checkouts untrusted code from a pull request
j = w.getAJob() and
j.getAStep() = checkout and
// The checkout step is followed by a cache writing step
j.getEnclosingWorkflow()
.hasTriggerEvent([
"check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork",
"gollum", "issue_comment", "issues", "label", "milestone", "project", "project_card",
"project_column", "public", "pull_request_comment", "pull_request_target",
"repository_dispatch", "schedule", "watch", "workflow_run"
]) and
// The job checkouts untrusted code from a pull request
j.getAStep() instanceof PRHeadCheckoutStep and
// The job writes to the cache
j.getAStep() instanceof CacheWritingStep
select checkout, "Potential cache poisoning on privileged workflow."
select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow."
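Review bot: The rewritten `where` clause no longer relates the two steps to each other — `j.getAStep() instanceof PRHeadCheckoutStep and j.getAStep() instanceof CacheWritingStep` only requires that a job contain both kinds of step somewhere, so a cache write that runs before the untrusted checkout is reported as well, even though the removed comment `// The checkout step is followed by a cache writing step` suggests the old query enforced ordering. If the step model exposes a successor relation, bind the two steps and require the cache write to follow the checkout; if ordering is deliberately dropped, the comment above the second `instanceof` should say so, e.g. `// The job writes to the cache (step order is not checked: any write in a job that also checks out PR code is reported)`. Separately, `w.isPrivileged()` has no counterpart on the new side while the alert message still says "privileged workflow"; if the trigger-event list is now meant to stand in for that check, state it in the comment above `hasTriggerEvent`, otherwise add `j.getEnclosingWorkflow().isPrivileged() and` next to it.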


@@ -1,3 +1,3 @@
| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. |
| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. |