Add simple taint tracking for env variables

2026-04-28 18:25:24 +02:00 · 2023-04-05 10:03:46 +02:00
parent 39ff3c72a2
commit 5c5b9f99a8
5 changed files with 106 additions and 12 deletions
--- a/javascript/ql/lib/semmle/javascript/Actions.qll
+++ b/javascript/ql/lib/semmle/javascript/Actions.qll
@@ -28,6 +28,9 @@ module Actions {
    /** Gets the `jobs` mapping from job IDs to job definitions in this workflow. */
    YamlMapping getJobs() { result = this.lookup("jobs") }

+    /** Gets the 'global' `env` mapping in this workflow. */
+    YamlMapping getEnv() { result = this.lookup("env") }
+
    /** Gets the name of the workflow. */
    string getName() { result = this.lookup("name").(YamlString).getValue() }

@@ -54,6 +57,54 @@ module Actions {
    Workflow getWorkflow() { result = workflow }
  }

+  /** An environment variable in 'env:' */
+  abstract class Env extends YamlNode, YamlString {
+    /** Gets the name of this environment variable. */
+    abstract string getName();
+  }
+
+  /** Workflow level 'global' environment variable. */
+  class GlobalEnv extends Env {
+    string envName;
+    Workflow workflow;
+
+    GlobalEnv() { this = workflow.getEnv().lookup(envName) }
+
+    /** Gets the workflow this field belongs to. */
+    Workflow getWorkflow() { result = workflow }
+
+    /** Gets the name of this environment variable. */
+    override string getName() { result = envName }
+  }
+
+  /** Job level environment variable. */
+  class JobEnv extends Env {
+    string envName;
+    Job job;
+
+    JobEnv() { this = job.getEnv().lookup(envName) }
+
+    /** Gets the job this field belongs to. */
+    Job getJob() { result = job }
+
+    /** Gets the name of this environment variable. */
+    override string getName() { result = envName }
+  }
+
+  /** Step level environment variable. */
+  class StepEnv extends Env {
+    string envName;
+    Step step;
+
+    StepEnv() { this = step.getEnv().lookup(envName) }
+
+    /** Gets the step this field belongs to. */
+    Step getStep() { result = step }
+
+    /** Gets the name of this environment variable. */
+    override string getName() { result = envName }
+  }
+
  /**
   * An Actions job within a workflow.
   * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobs.
@@ -88,6 +139,9 @@ module Actions {
    /** Gets the sequence of `steps` within this job. */
    YamlSequence getSteps() { result = this.lookup("steps") }

+    /** Gets the `env` mapping in this job. */
+    YamlMapping getEnv() { result = this.lookup("env") }
+
    /** Gets the workflow this job belongs to. */
    Workflow getWorkflow() { result = workflow }

@@ -149,6 +203,9 @@ module Actions {
    /** Gets the value of the `if` field in this step, if any. */
    StepIf getIf() { result.getStep() = this }

+    /** Gets the value of the `env` field in this step, if any. */
+    YamlMapping getEnv() { result = this.lookup("env") }
+
    /** Gets the ID of this step, if any. */
    string getId() { result = this.lookup("id").(YamlString).getValue() }
  }
@@ -259,6 +316,10 @@ module Actions {
          .regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1)
  }

+  /** Extracts the 'name' part from env.name */
+  bindingset[name]
+  string getEnvName(string name) { result = name.regexpCapture("env\\.([A-Za-z0-9_]+)", 1) }
+
  /**
   * A `script:` field within an Actions `with:` specific to `actions/github-script` action.
   *