hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-04 10:10:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

WIP. todo: modify help text in query to be helpful, write qlhelp file, find out how to not release to customers

Browse Source
This commit is contained in:
Kylie Stradley
2024-10-18 16:51:31 -04:00
parent e5508343b1
commit 2d5cd1a61a
6 changed files with 38 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ql/lib/codeql/actions/config/Config.qll
View File

@@ -120,7 +120,7 @@ predicate vulnerableActionsDataModel(
}
/**
* MaD models for vulnerable actions
* MaD models for immutable actions
* Fields:
* - action: action name
*/

11
ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll Normal file
View File

@@ -0,0 +1,11 @@
import actions
class UnversionedImmutableAction extends UsesStep {
string immutable_action;
UnversionedImmutableAction() {
immutableActionsDataModel(immutable_action) and
this.getCallee() = immutable_action and
not this.getVersion().regexpMatch("^(v)?[0-9]+(\\.[0-9]+)*(\\.[xX])?$")
}
}

29
ql/src/Security/CWE-829/UnversionedImmutableAction.ql
View File

@@ -2,7 +2,6 @@
* @name Unversioned Immutable Action
* @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action
* @kind problem
* @security-severity 5.0
* @problem.severity recommendation
* @precision high
* @id actions/unversioned-immutable-action
@@ -12,27 +11,9 @@
*/
import actions
import codeql.actions.security.UseOfUnversionedImmutableAction
bindingset[version]
private predicate isSemanticVersioned(string version) { version.regexpMatch("^v[0-9]+(\\.[0-9]+)*(\\.[xX])?$") }
bindingset[repo]
private predicate isTrustedOrg(string repo) {
exists(string org | org in ["actions", "github", "advanced-security", "octokit"] | repo.matches(org + "/%"))
}
from UsesStep uses, string repo, string version, Workflow workflow, string name
where
uses.getCallee() = repo and
uses.getEnclosingWorkflow() = workflow and
(
workflow.getName() = name
or
not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
) and
uses.getVersion() = version and
not isTrustedOrg(repo) and
not isPinnedCommit(version)
select uses.getCalleeNode(),
"Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
"', not a pinned commit hash", uses, uses.toString()
from UnversionedImmutableAction step
select step,
"The workflow is using an immutable action ($@) without versinoning so it doesn't work", step,
step.getCallee()

2
ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml vendored
View File

@@ -4,7 +4,7 @@ runs:
using: "composite"
steps:
- name: Checkout repo
uses: actions/checkout@v4
uses: actions/checkout@4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 2

19
ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.expected Normal file
View File

@@ -0,0 +1,19 @@
| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | actions/github-script |
| .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/actions/download-artifact/action.yaml:6:7:25:4 | Uses Step | actions/github-script |
| .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:17:9:18:6 | Uses Step | actions/checkout |
| .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | actions/checkout |
| .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:17:9:18:6 | Uses Step | actions/checkout |
| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | actions/checkout |
| .github/workflows/poc.yml:30:9:36:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:30:9:36:6 | Uses Step | actions/checkout |
| .github/workflows/poc.yml:36:9:38:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:36:9:38:6 | Uses Step | actions/configure-pages |
| .github/workflows/poc.yml:43:9:47:2 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:43:9:47:2 | Uses Step | actions/upload-pages-artifact |
| .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/poc.yml:59:9:63:26 | Uses Step: deployment | actions/deploy-pages |
| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | actions/checkout |
| .github/workflows/test8.yml:20:9:26:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test8.yml:20:9:26:6 | Uses Step | actions/checkout |
| .github/workflows/test9.yml:11:9:16:6 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test9.yml:11:9:16:6 | Uses Step | actions/checkout |
| .github/workflows/test11.yml:84:7:90:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test11.yml:84:7:90:4 | Uses Step | actions/checkout |
| .github/workflows/test12.yml:86:7:92:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test12.yml:86:7:92:4 | Uses Step | actions/checkout |
| .github/workflows/test14.yml:101:7:105:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:101:7:105:4 | Uses Step | actions/checkout |
| .github/workflows/test14.yml:105:7:111:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test14.yml:105:7:111:4 | Uses Step | actions/checkout |
| .github/workflows/test15.yml:60:7:65:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:60:7:65:4 | Uses Step | actions/checkout |
| .github/workflows/test15.yml:110:7:115:4 | Uses Step | The workflow is using an immutable action ($@) without versinoning so it doesn't work | .github/workflows/test15.yml:110:7:115:4 | Uses Step | actions/checkout |

1
ql/test/query-tests/Security/CWE-829/UnversionedImmutableAction.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE-829/UnversionedImmutableAction.ql