diff --git a/ql/lib/ext/8398a7_action-slack.model.yml b/ql/lib/ext/8398a7_action-slack.model.yml
new file mode 100644
index 00000000000..e3d97adf69d
--- /dev/null
+++ b/ql/lib/ext/8398a7_action-slack.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["8398a7/action-slack", "*", "input.custom_payload", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/actions_github-script.model.yml b/ql/lib/ext/actions_github-script.model.yml
index 2ed2e03a34e..cd409f38b59 100644
--- a/ql/lib/ext/actions_github-script.model.yml
+++ b/ql/lib/ext/actions_github-script.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: sinkModel
 data:
- - ["actions/github-script","*","input.script","expression-injection"]
+ - ["actions/github-script", "*", "input.script", "code-injection"]
diff --git a/ql/lib/ext/akhileshns_heroku-deploy.model.yml b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
index f370a9fe222..ad65775e58d 100644
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
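Review bot: The new file `ql/lib/ext/8398a7_action-slack.model.yml` ends without a final newline (the `\ No newline at end of file` marker follows the `input.custom_payload` row); terminate the last row with a newline so that appending a row later produces a one-line diff. The same marker appears on several other model files added or extended in this commit (for example asdf-vm_actions, cachix_cachix-action, docker_build-push-action, gabrielbb_xvfb-action, imjohnbo_issue-bot, mr-smithers-excellent_docker-build-push). The hunks for crazy-max_ghaction-import-gpg, delaguardo_setup-clojure and game-ci_unity-test-runner change nothing except removing an existing trailing newline and could be dropped from the commit.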
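Review bot: The sink kind for `actions/github-script` `input.script` changes from `expression-injection` to `code-injection`, and model rows are selected by that string, so any query or library predicate that still filters on `expression-injection` would stop seeing this sink without raising an error. The consumer of the kind column is not in this part of the diff; confirm it was renamed in the same commit. A test workflow that passes an untrusted value to `script` and is still expected to alert would pin the behaviour.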
@@ -4,3 +4,18 @@ extensions:
 extensible: summaryModel
 data:
 - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_app_name", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.buildpack", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.region", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.stack", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.team", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_heroku_process_type", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.docker_build_args", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.branch", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.appdir", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_api_key", "command-injection"]
+ - ["akhileshns/heroku-deploy", "*", "input.heroku_email", "command-injection"]
diff --git a/ql/lib/ext/amannn_action-semantic-pull-request.model.yml b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
new file mode 100644
index 00000000000..c530a3af9b3
--- /dev/null
+++ b/ql/lib/ext/amannn_action-semantic-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["amannn/action-semantic-pull-request", "*", "output.error_message", "pull_request_target", "PR title"]
diff --git a/ql/lib/ext/anchore_sbom-action.model.yml b/ql/lib/ext/anchore_sbom-action.model.yml
new file mode 100644
index 00000000000..c632a3a1ff2
--- /dev/null
+++ b/ql/lib/ext/anchore_sbom-action.model.yml
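Review bot: The eleven `akhileshns/heroku-deploy` sink rows have no comment recording where in the action each input reaches a shell, so the list cannot be re-checked when the action changes. Two of the rows, `input.heroku_api_key` and `input.heroku_email`, are credential-style inputs that workflows normally fill from secrets rather than event data, which makes the missing justification more noticeable. A header comment above the `sinkModel` block would cover it, e.g. `# inputs interpolated into shell commands by the action; reviewed against <upstream file @ commit placeholder>`. The same applies to the token and key rows added for `blackducksoftware/github-action`, `gonuit/heroku-docker-deploy` and `mattdavis0351/actions`.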
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/sbom-action", "*", "input.syft-version", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.format", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.path", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.file", "command-injection"]
+ - ["anchore/sbom-action", "*", "input.image", "command-injection"]
diff --git a/ql/lib/ext/anchore_scan-action.model.yml b/ql/lib/ext/anchore_scan-action.model.yml
new file mode 100644
index 00000000000..26e5adea505
--- /dev/null
+++ b/ql/lib/ext/anchore_scan-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["anchore/scan-action", "*", "input.grype-version", "command-injection"]
diff --git a/ql/lib/ext/andresz1_size-limit-action.model.yml b/ql/lib/ext/andresz1_size-limit-action.model.yml
new file mode 100644
index 00000000000..2903888a731
--- /dev/null
+++ b/ql/lib/ext/andresz1_size-limit-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["andresz1/size-limit-action", "*", "input.package_manager", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.build_script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.script", "command-injection"]
+ - ["andresz1/size-limit-action", "*", "input.clean_script", "command-injection"]
diff --git a/ql/lib/ext/asdf-vm_actions.model.yml b/ql/lib/ext/asdf-vm_actions.model.yml
new file mode 100644
index 00000000000..21dcd22c8b7
--- /dev/null
+++ b/ql/lib/ext/asdf-vm_actions.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["asdf-vm/actions", "*", "input.before_install", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/axel-op_googlejavaformat-action.model.yml b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
new file mode 100644
index 00000000000..236eade34a6
--- /dev/null
+++ b/ql/lib/ext/axel-op_googlejavaformat-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["axel-op/googlejavaformat-action", "*", "input.commitMessage", "command-injection"]
+ - ["axel-op/googlejavaformat-action", "*", "input.commit-message", "command-injection"]
diff --git a/ql/lib/ext/azure_powershell.model.yml b/ql/lib/ext/azure_powershell.model.yml
new file mode 100644
index 00000000000..c0e11c8201f
--- /dev/null
+++ b/ql/lib/ext/azure_powershell.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["azure/powershell", "*", "input.azPSVersion", "command-injection"]
diff --git a/ql/lib/ext/bahmutov_npm-install.model.yml b/ql/lib/ext/bahmutov_npm-install.model.yml
new file mode 100644
index 00000000000..2841f406bda
--- /dev/null
+++ b/ql/lib/ext/bahmutov_npm-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bahmutov/npm-install", "*", "input.install-command", "command-injection"]
diff --git a/ql/lib/ext/blackducksoftware_github-action.model.yml b/ql/lib/ext/blackducksoftware_github-action.model.yml
new file mode 100644
index 00000000000..aa060de610d
--- /dev/null
+++ b/ql/lib/ext/blackducksoftware_github-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["blackducksoftware/github-action", "*", "input.args", "command-injection"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.url", "command-injection"]
+ - ["blackducksoftware/github-action", "*", "input.blackduck.api.token", "command-injection"]
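Review bot: Two `blackducksoftware/github-action` rows use input names that themselves contain dots (`input.blackduck.url`, `input.blackduck.api.token`), while the third column already uses `.` to separate the `input` prefix from the name. Whether these rows match depends on the consumer treating everything after the leading `input.` as the name, which is not visible in this diff. If it splits on every dot, the two rows would never match and the sinks would be lost without any error. A test workflow that passes an untrusted value to `blackduck.url` and expects an alert would settle it.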
diff --git a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
index ee8e6abef09..7d5f699a0e9 100644
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-breaking-action", "*", "input.input", "command-injection"]
+ - ["bufbuild/buf-breaking-action", "*", "input.against", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-lint-action.model.yml b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
index c58b5a1e1d2..aeda7998631 100644
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-lint-action", "*", "input.input", "command-injection"]
diff --git a/ql/lib/ext/bufbuild_buf-setup-action.model.yml b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
new file mode 100644
index 00000000000..38b18cf6cac
--- /dev/null
+++ b/ql/lib/ext/bufbuild_buf-setup-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["bufbuild/buf-setup-action", "*", "input.buf_domain", "command-injection"]
+ - ["bufbuild/buf-setup-action", "*", "input.buf_user", "command-injection"]
diff --git a/ql/lib/ext/cachix_cachix-action.model.yml b/ql/lib/ext/cachix_cachix-action.model.yml
index 1c6584eb9d5..2e4291eb480 100644
--- a/ql/lib/ext/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["cachix/cachix-action", "*", "input.installCommand", "command-injection"]
+ - ["cachix/cachix-action", "*", "input.cachixBin", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/changesets_action.model.yml b/ql/lib/ext/changesets_action.model.yml
new file mode 100644
index 00000000000..3be7669275c
--- /dev/null
+++ b/ql/lib/ext/changesets_action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["changesets/action", "*", "input.publish", "command-injection"]
+ - ["changesets/action", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/cloudflare_wrangler-action.model.yml b/ql/lib/ext/cloudflare_wrangler-action.model.yml
new file mode 100644
index 00000000000..cb0870b4883
--- /dev/null
+++ b/ql/lib/ext/cloudflare_wrangler-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["cloudflare/wrangler-action", "*", "input.preCommands", "command-injection"]
+ - ["cloudflare/wrangler-action", "*", "input.postCommands", "command-injection"]
diff --git a/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
new file mode 100644
index 00000000000..30e59e91d60
--- /dev/null
+++ b/ql/lib/ext/crazy-max_ghaction-chocolatey.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["crazy-max/ghaction-chocolatey", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
index d4e35196c6c..f3b021d226b 100644
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
+ - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/cycjimmy_semantic-release-action.model.yml b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
new file mode 100644
index 00000000000..25df02dacaa
--- /dev/null
+++ b/ql/lib/ext/cycjimmy_semantic-release-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["cycjimmy/semantic-release-action", "*", "input.semantic_version", "command-injection"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extra_plugins", "command-injection"]
+ - ["cycjimmy/semantic-release-action", "*", "input.extends", "command-injection"]
diff --git a/ql/lib/ext/cypress-io_github-action.model.yml b/ql/lib/ext/cypress-io_github-action.model.yml
new file mode 100644
index 00000000000..2fda092f20a
--- /dev/null
+++ b/ql/lib/ext/cypress-io_github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["cypress-io/github-action", "*", "env.GH_BRANCH", "pull_request_target", "PR branch"]
diff --git a/ql/lib/ext/dailydotdev_action-devcard.model.yml b/ql/lib/ext/dailydotdev_action-devcard.model.yml
new file mode 100644
index 00000000000..324171f3c4b
--- /dev/null
+++ b/ql/lib/ext/dailydotdev_action-devcard.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["dailydotdev/action-devcard", "*", "input.commit_branch", "sql-injection"]
+ - ["dailydotdev/action-devcard", "*", "input.commit_filename", "sql-injection"]
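Review bot: The two `dailydotdev/action-devcard` rows use the kind `sql-injection`, the only occurrence of that kind among the sink rows in this part of the commit; every other sink is `command-injection` or `code-injection`. Inputs named `commit_branch` and `commit_filename` look like values handed to git, so this is presumably meant to be `command-injection`. If no query selects `sql-injection`, both rows are never reported. Suggested rows: `- ["dailydotdev/action-devcard", "*", "input.commit_branch", "command-injection"]` and the same kind for `input.commit_filename`.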
diff --git a/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
new file mode 100644
index 00000000000..cc5c311eea7
--- /dev/null
+++ b/ql/lib/ext/danielpalme_reportgenerator-github-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["danielpalme/reportgenerator-github-action", "*", "input.toolpath", "command-injection"]
diff --git a/ql/lib/ext/daspn_private-actions-checkout.model.yml b/ql/lib/ext/daspn_private-actions-checkout.model.yml
new file mode 100644
index 00000000000..f45aae02158
--- /dev/null
+++ b/ql/lib/ext/daspn_private-actions-checkout.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["daspn/private-actions-checkout", "*", "input.actions_list", "command-injection"]
+ - ["daspn/private-actions-checkout", "*", "input.checkout_base_path", "command-injection"]
diff --git a/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
new file mode 100644
index 00000000000..7445d673fcf
--- /dev/null
+++ b/ql/lib/ext/dawidd6_action-ansible-playbook.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["dawidd6/action-ansible-playbook", "*", "input.playbook", "command-injection"]
+ - ["dawidd6/action-ansible-playbook", "*", "input.options", "command-injection"]
diff --git a/ql/lib/ext/dawidd6_action-download-artifact.model.yml b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
new file mode 100644
index 00000000000..a8a54dbda29
--- /dev/null
+++ b/ql/lib/ext/dawidd6_action-download-artifact.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sourceModel
+ data:
+ - ["dawidd6/action-download-artifact", "*", "output.artifacts", "*", "Artifact details"]
diff --git a/ql/lib/ext/delaguardo_setup-clojure.model.yml b/ql/lib/ext/delaguardo_setup-clojure.model.yml
index 2aa6013c872..82f491390d2 100644
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
+ - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
new file mode 100644
index 00000000000..430a96f6cbe
--- /dev/null
+++ b/ql/lib/ext/determinatesystems_magic-nix-cache-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-url", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-tag", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-pr", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-branch", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-revision", "command-injection"]
+ - ["determinatesystems/magic-nix-cache-action", "*", "input.source-binary", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/docker-practice_actions-setup-docker.model.yml b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
new file mode 100644
index 00000000000..37bcf2cc781
--- /dev/null
+++ b/ql/lib/ext/docker-practice_actions-setup-docker.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_version", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_channel", "command-injection"]
+ - ["docker-practice/actions-setup-docker", "*", "input.docker_daemon_json", "command-injection"]
diff --git a/ql/lib/ext/docker_build-push-action.model.yml b/ql/lib/ext/docker_build-push-action.model.yml
new file mode 100644
index 00000000000..77eaf3ae10f
--- /dev/null
+++ b/ql/lib/ext/docker_build-push-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["docker/build-push-action", "*", "input.context", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/endbug_latest-tag.model.yml b/ql/lib/ext/endbug_latest-tag.model.yml
new file mode 100644
index 00000000000..63cdb2a496b
--- /dev/null
+++ b/ql/lib/ext/endbug_latest-tag.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["endbug/latest-tag", "*", "input.ref", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.tag-name", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.git-directory", "command-injection"]
+ - ["endbug/latest-tag", "*", "input.description", "command-injection"]
diff --git a/ql/lib/ext/expo_expo-github-action.model.yml b/ql/lib/ext/expo_expo-github-action.model.yml
new file mode 100644
index 00000000000..d0bcbb4da98
--- /dev/null
+++ b/ql/lib/ext/expo_expo-github-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["expo/expo-github-action", "*", "input.command", "command-injection"]
+ - ["expo/expo-github-action", "*", "input.packager", "command-injection"]
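Review bot: In `docker_build-push-action.model.yml` the `input.context` row is tagged `code-injection` with nothing saying why, while the Docker build-location inputs modelled elsewhere in this commit (`input.directory` and `input.dockerfile` for `mr-smithers-excellent/docker-build-push`, `input.dockerfile-location` for `mattdavis0351/actions`) are tagged `command-injection`. The difference may be deliberate, since an attacker-chosen build context means attacker-chosen build instructions rather than shell interpolation, but that is inferred and not stated in the file. A one-line comment above the row, e.g. `# untrusted build context => attacker-controlled Dockerfile is built`, would record the intent and keep the row from being "corrected" later.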
diff --git a/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
new file mode 100644
index 00000000000..6418e71f22a
--- /dev/null
+++ b/ql/lib/ext/firebaseextended_action-hosting-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["firebaseextended/action-hosting-deploy", "*", "input.firebaseToolsVersion", "command-injection"]
diff --git a/ql/lib/ext/gabrielbb_xvfb-action.model.yml b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
new file mode 100644
index 00000000000..86705319e23
--- /dev/null
+++ b/ql/lib/ext/gabrielbb_xvfb-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gabrielbb/xvfb-action", "*", "input.run", "command-injection"]
+ - ["gabrielbb/xvfb-action", "*", "input.options", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/game-ci_unity-builder.model.yml b/ql/lib/ext/game-ci_unity-builder.model.yml
new file mode 100644
index 00000000000..61fdcd9254a
--- /dev/null
+++ b/ql/lib/ext/game-ci_unity-builder.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["game-ci/unity-builder", "*", "input.cacheKey", "command-injection"]
+ - ["game-ci/unity-builder", "*", "input.unityHubVersionOnMac", "command-injection"]
diff --git a/ql/lib/ext/game-ci_unity-test-runner.model.yml b/ql/lib/ext/game-ci_unity-test-runner.model.yml
index ab413b6e975..2d142d98099 100644
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -3,4 +3,4 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: summaryModel
 data:
- - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
+ - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
\ No newline at end of file
diff --git a/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
new file mode 100644
index 00000000000..1727ca60e25
--- /dev/null
+++ b/ql/lib/ext/gautamkrishnar_blog-post-workflow.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gautamkrishnar/blog-post-workflow", "*", "input.item_exec", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/go-semantic-release_action.model.yml b/ql/lib/ext/go-semantic-release_action.model.yml
new file mode 100644
index 00000000000..146f4a17a55
--- /dev/null
+++ b/ql/lib/ext/go-semantic-release_action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["go-semantic-release/action", "*", "input.bin", "command-injection"]
diff --git a/ql/lib/ext/golangci_golangci-lint-action.model.yml b/ql/lib/ext/golangci_golangci-lint-action.model.yml
new file mode 100644
index 00000000000..8c0f7a5ad61
--- /dev/null
+++ b/ql/lib/ext/golangci_golangci-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["golangci/golangci-lint-action", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
new file mode 100644
index 00000000000..9c7c03b9f35
--- /dev/null
+++ b/ql/lib/ext/gonuit_heroku-docker-deploy.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gonuit/heroku-docker-deploy", "*", "input.email", "command-injection"]
+ - ["gonuit/heroku-docker-deploy", "*", "input.heroku_api_key", "command-injection"]
diff --git a/ql/lib/ext/goreleaser_goreleaser-action.model.yml b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
new file mode 100644
index 00000000000..9d9eac38af0
--- /dev/null
+++ b/ql/lib/ext/goreleaser_goreleaser-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["goreleaser/goreleaser-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
new file mode 100644
index 00000000000..4c74301d1c3
--- /dev/null
+++ b/ql/lib/ext/gr2m_create-or-update-pull-request-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.branch", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.path", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.commit-message", "command-injection"]
+ - ["gr2m/create-or-update-pull-request-action", "*", "input.author", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
new file mode 100644
index 00000000000..6332cbfdad8
--- /dev/null
+++ b/ql/lib/ext/ilammy_msvc-dev-cmd.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/msvc-dev-cmd", "*", "input.vsversion", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.arch", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.sdk", "command-injection"]
+ - ["ilammy/msvc-dev-cmd", "*", "input.toolset", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/ilammy_setup-nasm.model.yml b/ql/lib/ext/ilammy_setup-nasm.model.yml
new file mode 100644
index 00000000000..f8b8490c213
--- /dev/null
+++ b/ql/lib/ext/ilammy_setup-nasm.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ilammy/setup-nasm", "*", "input.version", "command-injection"]
+ - ["ilammy/setup-nasm", "*", "input.destination", "command-injection"]
diff --git a/ql/lib/ext/imjohnbo_issue-bot.model.yml b/ql/lib/ext/imjohnbo_issue-bot.model.yml
new file mode 100644
index 00000000000..64024ef5c72
--- /dev/null
+++ b/ql/lib/ext/imjohnbo_issue-bot.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["imjohnbo/issue-bot", "*", "input.body", "code-injection"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-previous-issue-text", "code-injection"]
+ - ["imjohnbo/issue-bot", "*", "input.linked-comments-new-issue-text", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/iterative_setup-cml.model.yml b/ql/lib/ext/iterative_setup-cml.model.yml
new file mode 100644
index 00000000000..1771ac2bad0
--- /dev/null
+++ b/ql/lib/ext/iterative_setup-cml.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["iterative/setup-cml", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/iterative_setup-dvc.model.yml b/ql/lib/ext/iterative_setup-dvc.model.yml
new file mode 100644
index 00000000000..e8600c6f7df
--- /dev/null
+++ b/ql/lib/ext/iterative_setup-dvc.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["iterative/setup-dvc", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
new file mode 100644
index 00000000000..2ab70905db1
--- /dev/null
+++ b/ql/lib/ext/jamesives_github-pages-deploy-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["jamesives/github-pages-deploy-action", "*", "input.branch", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.commit-message", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-email", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.git-config-name", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.target-folder", "command-injection"]
+ - ["jamesives/github-pages-deploy-action", "*", "input.tag", "command-injection"]
diff --git a/ql/lib/ext/johnnymorganz_stylua-action.model.yml b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
new file mode 100644
index 00000000000..948be24b45c
--- /dev/null
+++ b/ql/lib/ext/johnnymorganz_stylua-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["johnnymorganz/stylua-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/jurplel_install-qt-action.model.yml b/ql/lib/ext/jurplel_install-qt-action.model.yml
new file mode 100644
index 00000000000..928c1f918d3
--- /dev/null
+++ b/ql/lib/ext/jurplel_install-qt-action.model.yml
@@ -0,0 +1,11 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["jurplel/install-qt-action", "*", "input.version", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.arch", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.dir", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.aqtversion", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.py7zrversion", "command-injection"]
+ - ["jurplel/install-qt-action", "*", "input.extra", "command-injection"]
diff --git a/ql/lib/ext/jwalton_gh-ecr-push.model.yml b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
index b237ac313d2..ad95f1f323a 100644
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -4,3 +4,10 @@ extensions:
 extensible: summaryModel
 data:
 - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["jwalton/gh-ecr-push", "*", "input.image", "command-injection"]
+ - ["jwalton/gh-ecr-push", "*", "input.local-image", "command-injection"]
+ - ["jwalton/gh-ecr-push", "*", "input.region", "command-injection"]
diff --git a/ql/lib/ext/leafo_gh-actions-lua.model.yml b/ql/lib/ext/leafo_gh-actions-lua.model.yml
new file mode 100644
index 00000000000..b3cb5aa3940
--- /dev/null
+++ b/ql/lib/ext/leafo_gh-actions-lua.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["leafo/gh-actions-lua", "*", "input.luaVersion", "command-injection"]
+ - ["leafo/gh-actions-lua", "*", "input.luaCompileFlags", "command-injection"]
diff --git a/ql/lib/ext/leafo_gh-actions-luarocks.model.yml b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
new file mode 100644
index 00000000000..a84880cfdf1
--- /dev/null
+++ b/ql/lib/ext/leafo_gh-actions-luarocks.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["leafo/gh-actions-luarocks", "*", "input.withLuaPath", "command-injection"]
diff --git a/ql/lib/ext/lucasbento_auto-close-issues.model.yml b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
new file mode 100644
index 00000000000..f32484a4f0d
--- /dev/null
+++ b/ql/lib/ext/lucasbento_auto-close-issues.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["lucasbento/auto-close-issues", "*", "input.issue-close-message", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/magefile_mage-action.model.yml b/ql/lib/ext/magefile_mage-action.model.yml
new file mode 100644
index 00000000000..9ce43e68a75
--- /dev/null
+++ b/ql/lib/ext/magefile_mage-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["magefile/mage-action", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/maierj_fastlane-action.model.yml b/ql/lib/ext/maierj_fastlane-action.model.yml
new file mode 100644
index 00000000000..ac3aaa67def
--- /dev/null
+++ b/ql/lib/ext/maierj_fastlane-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["maierj/fastlane-action", "*", "input.lane", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.options", "command-injection"]
+ - ["maierj/fastlane-action", "*", "input.env", "command-injection"]
diff --git a/ql/lib/ext/manusa_actions-setup-minikube.model.yml b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
new file mode 100644
index 00000000000..90fd673c705
--- /dev/null
+++ b/ql/lib/ext/manusa_actions-setup-minikube.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["manusa/actions-setup-minikube", "*", "input.kubernetes_version", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.driver", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.container_runtime", "command-injection"]
+ - ["manusa/actions-setup-minikube", "*", "input.start_args", "command-injection"]
diff --git a/ql/lib/ext/mattdavis0351_actions.model.yml b/ql/lib/ext/mattdavis0351_actions.model.yml
index 91741f58706..2c9f46b46f4 100644
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -5,3 +5,12 @@ extensions:
 data:
 - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"]
 - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mattdavis0351/actions", "*", "input.repo-token", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-location", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.image-name", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.dockerfile-name", "command-injection"]
+ - ["mattdavis0351/actions", "*", "input.tag", "command-injection"]
diff --git a/ql/lib/ext/meteorengineer_setup-meteor.model.yml b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
new file mode 100644
index 00000000000..1bcf8e7ce7a
--- /dev/null
+++ b/ql/lib/ext/meteorengineer_setup-meteor.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["meteorengineer/setup-meteor", "*", "input.meteor-release", "command-injection"]
diff --git a/ql/lib/ext/microsoft_setup-msbuild.model.yml b/ql/lib/ext/microsoft_setup-msbuild.model.yml
new file mode 100644
index 00000000000..81706744568
--- /dev/null
+++ b/ql/lib/ext/microsoft_setup-msbuild.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["microsoft/setup-msbuild", "*", "input.vs-version", "command-injection"]
+ - ["microsoft/setup-msbuild", "*", "input.vswhere-path", "command-injection"]
diff --git a/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
new file mode 100644
index 00000000000..aeca6db0d98
--- /dev/null
+++ b/ql/lib/ext/mr-smithers-excellent_docker-build-push.model.yml
@@ -0,0 +1,16 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.tags", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.buildArgs", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.labels", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.target", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.directory", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.platform", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.image", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.registry", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.dockerfile", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.githubOrg", "command-injection"]
+ - ["mr-smithers-excellent/docker-build-push", "*", "input.username", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/msys2_setup-msys2.model.yml b/ql/lib/ext/msys2_setup-msys2.model.yml
new file mode 100644
index 00000000000..b9358bd2d69
--- /dev/null
+++ b/ql/lib/ext/msys2_setup-msys2.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["msys2/setup-msys2", "*", "input.install", "command-injection"]
+ - ["msys2/setup-msys2", "*", "input.pacboy", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/mxschmitt_action-tmate.model.yml b/ql/lib/ext/mxschmitt_action-tmate.model.yml
new file mode 100644
index 00000000000..a18319954e3
--- /dev/null
+++ b/ql/lib/ext/mxschmitt_action-tmate.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-rsa-fingerprint", "command-injection"]
+ - ["mxschmitt/action-tmate", "*", "input.tmate-server-ed25519-fingerprint", "command-injection"]
diff --git a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
index 3db3e9cf66c..f46c40a8f9c 100644
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -4,3 +4,9 @@ extensions:
 extensible: summaryModel
 data:
 - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "command-injection"]
+ - ["mymindstorm/setup-emsdk", "*", "input.version", "command-injection"]
diff --git a/ql/lib/ext/nanasess_setup-chromedriver.model.yml b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
new file mode 100644
index 00000000000..219de80c39e
--- /dev/null
+++ b/ql/lib/ext/nanasess_setup-chromedriver.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nanasess/setup-chromedriver", "*", "input.chromedriver-version", "command-injection"]
diff --git a/ql/lib/ext/nanasess_setup-php.model.yml b/ql/lib/ext/nanasess_setup-php.model.yml
new file mode 100644
index 00000000000..dc3c2739e87
--- /dev/null
+++ b/ql/lib/ext/nanasess_setup-php.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nanasess/setup-php", "*", "input.php-version", "command-injection"]
diff --git a/ql/lib/ext/nick-fields_retry.model.yml b/ql/lib/ext/nick-fields_retry.model.yml
new file mode 100644
index 00000000000..30679750f13
--- /dev/null
+++ b/ql/lib/ext/nick-fields_retry.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["nick-fields/retry", "*", "input.on_retry_command", "command-injection"]
+ - ["nick-fields/retry", "*", "input.new_command_on_retry", "command-injection"]
+ - ["nick-fields/retry", "*", "input.command", "command-injection"]
diff --git a/ql/lib/ext/octokit_graphql-action.model.yml b/ql/lib/ext/octokit_graphql-action.model.yml
new file mode 100644
index 00000000000..c600e7a93b6
--- /dev/null
+++ b/ql/lib/ext/octokit_graphql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/graphql-action", "*", "input.query", "request-forgery"]
diff --git a/ql/lib/ext/octokit_request-action.model.yml b/ql/lib/ext/octokit_request-action.model.yml
new file mode 100644
index 00000000000..ed9088c9f56
--- /dev/null
+++ b/ql/lib/ext/octokit_request-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["octokit/request-action", "*", "input.route", "request-forgery"]
diff --git a/ql/lib/ext/olafurpg_setup-scala.model.yml b/ql/lib/ext/olafurpg_setup-scala.model.yml
new file mode 100644
index 00000000000..988c3d5e674
--- /dev/null
+++ b/ql/lib/ext/olafurpg_setup-scala.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["olafurpg/setup-scala", "*", "input.jabba-version", "command-injection"]
diff --git a/ql/lib/ext/paambaati_codeclimate-action.model.yml b/ql/lib/ext/paambaati_codeclimate-action.model.yml
new file mode 100644
index 00000000000..91a3382348c
--- /dev/null
+++ b/ql/lib/ext/paambaati_codeclimate-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["paambaati/codeclimate-action", "*", "input.coverageCommand", "command-injection"]
diff --git a/ql/lib/ext/peter-evans_create-pull-request.model.yml b/ql/lib/ext/peter-evans_create-pull-request.model.yml
new file mode 100644
index 00000000000..d9d15dc94b2
--- /dev/null
+++ b/ql/lib/ext/peter-evans_create-pull-request.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["peter-evans/create-pull-request", "*", "input.branch", "command-injection"]
diff --git a/ql/lib/ext/plasmicapp_plasmic-action.model.yml b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
new file mode 100644
index 00000000000..6bc0467692d
--- /dev/null
+++ b/ql/lib/ext/plasmicapp_plasmic-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["plasmicapp/plasmic-action", "*", "input.project_id", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.project_api_token", "command-injection"]
+ - ["plasmicapp/plasmic-action", "*", "input.branch", "command-injection"]
diff --git a/ql/lib/ext/preactjs_compressed-size-action.model.yml b/ql/lib/ext/preactjs_compressed-size-action.model.yml
new file mode 100644
index 00000000000..62dea47d818
--- /dev/null
+++ b/ql/lib/ext/preactjs_compressed-size-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["preactjs/compressed-size-action", "*", "input.build-script", "command-injection"]
+ - ["preactjs/compressed-size-action", "*", "input.clean-script", "command-injection"]
diff --git a/ql/lib/ext/py-actions_flake8.model.yml b/ql/lib/ext/py-actions_flake8.model.yml
new file mode 100644
index 00000000000..525d0199859
--- /dev/null
+++ b/ql/lib/ext/py-actions_flake8.model.yml
@@ -0,0 +1,12 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["py-actions/flake8", "*", "input.flake8-version", "command-injection"]
+ - ["py-actions/flake8", "*", "input.plugins", "command-injection"]
+ - ["py-actions/flake8", "*", "input.path", "command-injection"]
+ - ["py-actions/flake8", "*", "input.ignore", "command-injection"]
+ - ["py-actions/flake8", "*", "input.exclude", "command-injection"]
+ - ["py-actions/flake8", "*", "input.max-line-length", "command-injection"]
+ - ["py-actions/flake8", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/py-actions_py-dependency-install.model.yml b/ql/lib/ext/py-actions_py-dependency-install.model.yml
new file mode 100644
index 00000000000..5aac0f89432
--- /dev/null
+++ b/ql/lib/ext/py-actions_py-dependency-install.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["py-actions/py-dependency-install", "*", "input.path", "command-injection"]
diff --git a/ql/lib/ext/pyo3_maturin-action.model.yml b/ql/lib/ext/pyo3_maturin-action.model.yml
new file mode 100644
index 00000000000..d32c6509ad7
--- /dev/null
+++ b/ql/lib/ext/pyo3_maturin-action.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["pyo3/maturin-action", "*", "input.before-script-linux", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.target", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.command", "command-injection"]
+ - ["pyo3/maturin-action", "*", "input.manylinux", "command-injection"]
diff --git a/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
new file mode 100644
index 00000000000..c4ea326ecef
--- /dev/null
+++ b/ql/lib/ext/reactivecircus_android-emulator-runner.model.yml
@@ -0,0 +1,24 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reactivecircus/android-emulator-runner", "*", "input.api-level", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.target", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.arch", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.profile", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size'", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cores", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ram-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.heap-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.disk-size", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-options", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.emulator-build", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.cmake", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
+ - ["reactivecircus/android-emulator-runner", "*", "input.ndk", "command-injection"]
diff --git a/ql/lib/ext/reggionick_s3-deploy.model.yml b/ql/lib/ext/reggionick_s3-deploy.model.yml
new file mode 100644
index 00000000000..7213a39f992
--- /dev/null
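Review bot: The row `"input.sdcard-path-or-size'"` carries a stray `'` inside the input name, so it presumably never matches the action's real input and that sink stays unmodelled; it should read `["reactivecircus/android-emulator-runner", "*", "input.sdcard-path-or-size", "command-injection"]`. The same typo appears as `"input.tag-prefix'"` in tripss_conventional-changelog-action.model.yml. The `input.ndk` row is also repeated seven times in this file, and `input.url` twice in veracode_veracode-sca.model.yml; the duplicates add nothing, and if they were placeholders for other inputs of the action, those inputs are still missing from the model.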
+++ b/ql/lib/ext/reggionick_s3-deploy.model.yml
@@ -0,0 +1,13 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["reggionick/s3-deploy", "*", "input.bucket", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.bucket-region", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.dist-id", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.invalidation", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.delete-removed", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.cacheControl", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.cache", "command-injection"]
+ - ["reggionick/s3-deploy", "*", "input.files-to-include", "command-injection"]
diff --git a/ql/lib/ext/renovatebot_github-action.model.yml b/ql/lib/ext/renovatebot_github-action.model.yml
new file mode 100644
index 00000000000..3207c6d7521
--- /dev/null
+++ b/ql/lib/ext/renovatebot_github-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["renovatebot/github-action", "*", "input.renovate-image", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.renovate-version", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-cmd-file", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-user", "command-injection"]
+ - ["renovatebot/github-action", "*", "input.docker-volumes", "command-injection"]
diff --git a/ql/lib/ext/roots_issue-closer-action.model.yml b/ql/lib/ext/roots_issue-closer-action.model.yml
new file mode 100644
index 00000000000..d00d78bcba8
--- /dev/null
+++ b/ql/lib/ext/roots_issue-closer-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["roots/issue-closer-action", "*", "input.issue-close-message", "code-injection"]
+ - ["roots/issue-closer-action", "*", "input.pr-close-message", "code-injection"]
diff --git a/ql/lib/ext/ros-tooling_setup-ros.model.yml b/ql/lib/ext/ros-tooling_setup-ros.model.yml
new file mode 100644
index 00000000000..e2813105bdc
--- /dev/null
+++ b/ql/lib/ext/ros-tooling_setup-ros.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ros-tooling/setup-ros", "*", "input.required-ros-distributions", "command-injection"]
diff --git a/ql/lib/ext/ruby_setup-ruby.model.yml b/ql/lib/ext/ruby_setup-ruby.model.yml
index 0190ffd9ad7..d6ba27a5079 100644
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["ruby/setup-ruby", "*", "input.ruby-version", "command-injection"]
diff --git a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
index 87610c43440..413f4f3058b 100644
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -4,3 +4,8 @@ extensions:
 extensible: summaryModel
 data:
 - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"]
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["salsify/action-detect-and-tag-new-version", "*", "input.version-command", "command-injection"]
diff --git a/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
new file mode 100644
index 00000000000..42361b203e0
--- /dev/null
+++ b/ql/lib/ext/skitionek_notify-microsoft-teams.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["skitionek/notify-microsoft-teams", "*", "input.overwrite", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/snow-actions_eclint.model.yml b/ql/lib/ext/snow-actions_eclint.model.yml
new file mode 100644
index 00000000000..474b36186b0
--- /dev/null
+++ b/ql/lib/ext/snow-actions_eclint.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["snow-actions/eclint", "*", "input.args", "command-injection"]
diff --git a/ql/lib/ext/stackhawk_hawkscan-action.model.yml b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
new file mode 100644
index 00000000000..73b93dbb88a
--- /dev/null
+++ b/ql/lib/ext/stackhawk_hawkscan-action.model.yml
@@ -0,0 +1,10 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["stackhawk/hawkscan-action", "*", "input.workspace", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.apiKey", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.command", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.args", "command-injection"]
+ - ["stackhawk/hawkscan-action", "*", "input.version", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/step-security_harden-runner.model.yml b/ql/lib/ext/step-security_harden-runner.model.yml
new file mode 100644
index 00000000000..4138b97f0fb
--- /dev/null
+++ b/ql/lib/ext/step-security_harden-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection"]
diff --git a/ql/lib/ext/tibdex_backport.model.yml b/ql/lib/ext/tibdex_backport.model.yml
new file mode 100644
index 00000000000..1bcbac476a8
--- /dev/null
+++ b/ql/lib/ext/tibdex_backport.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tibdex/backport", "*", "input.body_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.head_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.labels_template", "code-injection"]
+ - ["tibdex/backport", "*", "input.title_template", "code-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tj-actions_changed-files.model.yml b/ql/lib/ext/tj-actions_changed-files.model.yml
index 21a0b479ef5..7c681d8a64b 100644
--- a/ql/lib/ext/tj-actions_changed-files.model.yml
+++ b/ql/lib/ext/tj-actions_changed-files.model.yml
@@ -19,4 +19,4 @@ extensions:
 - ["tj-actions/changed-files", "*", "output.other_modified_files", "pull_request_target", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.other_deleted_files", "pull_request_target", "PR changed files"]
 - ["tj-actions/changed-files", "*", "output.modified_keys", "pull_request_target", "PR changed files"]
- - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
+ - ["tj-actions/changed-files", "*", "output.changed_keys", "pull_request_target", "PR changed files"]
\ No newline at end of file
diff --git a/ql/lib/ext/tripss_conventional-changelog-action.model.yml b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
new file mode 100644
index 00000000000..3072c6f54fd
--- /dev/null
+++ b/ql/lib/ext/tripss_conventional-changelog-action.model.yml
@@ -0,0 +1,15 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tripss/conventional-changelog-action", "*", "input.pre-release-identifier", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-name", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-user-email", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-url", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.github-token", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-pull-method", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.fallback-version", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-message", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.git-branch", "command-injection"]
+ - ["tripss/conventional-changelog-action", "*", "input.tag-prefix'", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/tryghost_action-deploy-theme.model.yml b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
new file mode 100644
index 00000000000..5fe53ea3d07
--- /dev/null
+++ b/ql/lib/ext/tryghost_action-deploy-theme.model.yml
@@ -0,0 +1,7 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["tryghost/action-deploy-theme", "*", "input.theme-name", "command-injection"]
+ - ["tryghost/action-deploy-theme", "*", "input.exclude", "command-injection"]
diff --git a/ql/lib/ext/veracode_veracode-sca.model.yml b/ql/lib/ext/veracode_veracode-sca.model.yml
new file mode 100644
index 00000000000..5e87f6c3b94
--- /dev/null
+++ b/ql/lib/ext/veracode_veracode-sca.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.path", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.skip-collectors", "command-injection"]
+ - ["veracode/veracode-sca", "*", "input.url", "command-injection"]
diff --git a/ql/lib/ext/wearerequired_lint-action.model.yml b/ql/lib/ext/wearerequired_lint-action.model.yml
new file mode 100644
index 00000000000..dbe5d2d542d
--- /dev/null
+++ b/ql/lib/ext/wearerequired_lint-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["wearerequired/lint-action", "*", "input.git_name", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.git_email", "command-injection"]
+ - ["wearerequired/lint-action", "*", "input.commit_message", "command-injection"]
diff --git a/ql/lib/ext/webfactory_ssh-agent.model.yml b/ql/lib/ext/webfactory_ssh-agent.model.yml
new file mode 100644
index 00000000000..9ecbdb6329f
--- /dev/null
+++ b/ql/lib/ext/webfactory_ssh-agent.model.yml
@@ -0,0 +1,8 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["webfactory/ssh-agent", "*", "input.ssh-agent-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.ssh-add-cmd", "command-injection"]
+ - ["webfactory/ssh-agent", "*", "input.git-cmd", "command-injection"]
diff --git a/ql/lib/ext/zaproxy_action-baseline.model.yml b/ql/lib/ext/zaproxy_action-baseline.model.yml
new file mode 100644
index 00000000000..10920eb6bf5
--- /dev/null
+++ b/ql/lib/ext/zaproxy_action-baseline.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["zaproxy/action-baseline", "*", "input.docker_name", "command-injection"]
+ - ["zaproxy/action-baseline", "*", "input.target", "command-injection"]
+ - ["zaproxy/action-baseline", "*", "input.rules_file_name", "command-injection"]
+ - ["zaproxy/action-baseline", "*", "input.cmd_options", "command-injection"]
\ No newline at end of file
diff --git a/ql/lib/ext/zaproxy_action-full-scan.model.yml b/ql/lib/ext/zaproxy_action-full-scan.model.yml
new file mode 100644
index 00000000000..a1d49af0845
--- /dev/null
+++ b/ql/lib/ext/zaproxy_action-full-scan.model.yml
@@ -0,0 +1,9 @@
+extensions:
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: sinkModel
+ data:
+ - ["zaproxy/action-full-scan", "*", "input.docker_name", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.target", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.rules_file_name", "command-injection"]
+ - ["zaproxy/action-full-scan", "*", "input.cmd_options", "command-injection"]
diff --git a/ql/src/Security/CWE-078/CommandInjection.ql b/ql/src/Security/CWE-078/CommandInjection.ql
new file mode 100644
index 00000000000..9891f786f7c
--- /dev/null
+++ b/ql/src/Security/CWE-078/CommandInjection.ql
@@ -0,0 +1,38 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential command injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-078/CriticalCommandInjection.ql b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
new file mode 100644
index 00000000000..5d418ec1816
--- /dev/null
+++ b/ql/src/Security/CWE-078/CriticalCommandInjection.ql
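Review bot: The `where` clause is only `MyFlow::flowPath(source, sink)`, so every path that CriticalCommandInjection.ql reports at error severity is reported again by this query at warning severity, giving two alerts for one flow. Excluding the critical condition here keeps the two result sets disjoint; CodeInjection.ql and CriticalCodeInjection.ql overlap in the same way. The sink class and `MyConfig` are also copied verbatim between the warning and critical files and could live in one shared library module so the two cannot drift apart.
```ql
from MyFlow::PathNode source, MyFlow::PathNode sink
where
  MyFlow::flowPath(source, sink) and
  // flows matching the critical condition are left to CriticalCommandInjection.ql
  not exists(Workflow w |
    w = source.getNode().asExpr().getEnclosingWorkflow() and
    (
      w instanceof ReusableWorkflow or
      w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
    )
  )
// … unchanged: select clause …
```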
@@ -0,0 +1,44 @@
+/**
+ * @name Command built from user-controlled sources
+ * @description Building a system command from user-controlled sources is vulnerable to insertion of
+ * malicious code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/critical-command-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-078
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CommandInjectionSink extends DataFlow::Node {
+ CommandInjectionSink() { externallyDefinedSink(this, "command-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential critical command injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CodeInjection.ql b/ql/src/Security/CWE-094/CodeInjection.ql
new file mode 100644
index 00000000000..bc2dbffdcdf
--- /dev/null
+++ b/ql/src/Security/CWE-094/CodeInjection.ql
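Review bot: `@name` and `@description` are word for word those of CommandInjection.ql, so the two queries cannot be told apart in a results list and nothing in the header says what makes this one critical. The distinguishing condition is in the `where` clause: the source's enclosing workflow is a `ReusableWorkflow`, or has a trigger event that the source reports through `getATriggerEvent()`. The header should state that, for example `@name Command built from user-controlled sources (critical)` plus a description sentence naming the condition. A one-line comment on the `w instanceof ReusableWorkflow` branch saying why reusable workflows always count as critical (presumably because the caller's trigger is not known) would help the next maintainer; CriticalCodeInjection.ql needs the same treatment.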
@@ -0,0 +1,40 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision high
+ * @id actions/code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential code injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-094/CriticalCodeInjection.ql b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
new file mode 100644
index 00000000000..2a1e4388d24
--- /dev/null
+++ b/ql/src/Security/CWE-094/CriticalCodeInjection.ql
@@ -0,0 +1,46 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ * code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9
+ * @precision high
+ * @id actions/critical-code-injection
+ * @tags actions
+ * security
+ * external/cwe/cwe-094
+ * external/cwe/cwe-095
+ * external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class CodeInjectionSink extends DataFlow::Node {
+ CodeInjectionSink() { externallyDefinedSink(this, "code-injection") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink, Workflow w
+where
+ MyFlow::flowPath(source, sink) and
+ w = source.getNode().asExpr().getEnclosingWorkflow() and
+ (
+ w instanceof ReusableWorkflow or
+ w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())
+ )
+select sink.getNode(), source, sink,
+ "Potential critical code injection in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
diff --git a/ql/src/Security/CWE-918/RequestForgery.ql b/ql/src/Security/CWE-918/RequestForgery.ql
new file mode 100644
index 00000000000..d665a368991
--- /dev/null
+++ b/ql/src/Security/CWE-918/RequestForgery.ql
@@ -0,0 +1,37 @@
+/**
+ * @name Uncontrolled data used in network request
+ * @description Sending network requests with user-controlled data allows for request forgery attacks.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.1
+ * @precision high
+ * @id actions/request-forgery
+ * @tags actions
+ * security
+ * external/cwe/cwe-918
+ */
+
+import actions
+import codeql.actions.TaintTracking
+import codeql.actions.dataflow.FlowSources
+import codeql.actions.dataflow.ExternalFlow
+
+private class RequestForgerySink extends DataFlow::Node {
+ RequestForgerySink() { externallyDefinedSink(this, "request-forgery") }
+}
+
+private module MyConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "Potential request forgery in $@, which may be controlled by an external user.", sink,
+ sink.getNode().asExpr().(Expression).getRawExpression()
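Review bot: This query is tagged `@problem.severity error` with `@security-severity 9.1`, yet its `where` clause is only `MyFlow::flowPath(source, sink)`, whereas the command- and code-injection queries in this commit reserve error severity for flows whose enclosing workflow is reusable or has a matching trigger event. As written, a request-forgery finding outranks an unfiltered command-injection finding (5.0) on the same flow condition. Either apply the same gate here, `w.hasTriggerEvent(source.getNode().(RemoteFlowSource).getATriggerEvent())` or `w instanceof ReusableWorkflow`, or lower the severity and add a comment explaining why the higher score is intended without the gate.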