Add externally triggereable data model and predicates

2026-05-05 13:45:19 +02:00 · 2024-05-17 12:28:06 +02:00
parent d3bff87f9a
commit 313acfcac2
5 changed files with 38 additions and 2 deletions
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -348,6 +348,8 @@ abstract class Job extends AstNode instanceof JobImpl {

  predicate isPrivileged() { super.isPrivileged() }

+  predicate isExternallyTriggerable() { super.isExternallyTriggerable() }
+
  string getARunsOnLabel() { result = super.getARunsOnLabel() }
 }

--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -703,6 +703,11 @@ class JobImpl extends AstNodeImpl, TJobNode {
  /** Gets the strategy for this job. */
  StrategyImpl getStrategy() { result.getNode() = n.lookup("strategy") }

+  /** Holds if the job can be triggered by an external actor. */
+  predicate isExternallyTriggerable() {
+    externallyTriggerableEventsDataModel(this.getATriggerEvent().getName())
+  }
+
  /** Holds if the job is privileged. */
  predicate isPrivileged() {
    // the job has privileged runtime permissions
--- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
+++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll
@@ -38,6 +38,15 @@ predicate contextTriggerDataModel(string trigger, string context_prefix) {
  Extensions::contextTriggerDataModel(trigger, context_prefix)
 }

+/**
+ * MaD models for externally triggerable events
+ * Fields:
+ *    - event: Event name
+ */
+predicate externallyTriggerableEventsDataModel(string event) {
+  Extensions::externallyTriggerableEventsDataModel(event)
+}
+
 /**
 * MaD sources
 * Fields:
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
@@ -36,6 +36,11 @@ extensible predicate workflowDataModel(
 extensible predicate repositoryDataModel(string visibility, string default_branch_name);

 /**
- * Holds if context/trigger mapping exists for the given parameters.
+ * Holds if a context expression starting with context_prefix is available for a given trigger.
 */
 extensible predicate contextTriggerDataModel(string trigger, string context_prefix);
+
+/**
+ * Holds if a given trigger event can be fired by an external actor.
+ */
+extensible predicate externallyTriggerableEventsDataModel(string event);
--- a/ql/lib/ext/workflow-models/workflow-models.yml
+++ b/ql/lib/ext/workflow-models/workflow-models.yml
@@ -11,7 +11,6 @@ extensions:
      pack: githubsecuritylab/actions-all
      extensible: contextTriggerDataModel 
    data:
-      # This predicate maps triggering events with the github event context available for that event
      - ["commit_comment", "github.event.comment"] 
      - ["discussion", "github.event.discussion"]
      - ["discussion_comment", "github.event.comment"] 
@@ -55,3 +54,19 @@ extensions:
      - ["workflow_call", "github.event.review"] 
      - ["workflow_call", "github.event.workflow"]
      - ["workflow_call", "github.event.workflow_run"]
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: externallyTriggerableEventsDataModel
+    data:
+      - ["discussion"]
+      - ["discussion_comment"]
+      - ["fork"]
+      - ["issue_comment"]
+      - ["issues"]
+      - ["pull_request"]
+      - ["pull_request_comment"]
+      - ["pull_request_review"]
+      - ["pull_request_review_comment"]
+      - ["pull_request_target"]
+      - ["workflow_run"] # depending on trigger workflow
+      - ["workflow_call"] # depending on caller