hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-04 02:00:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

Improve labelgate accuracy

Browse Source
This commit is contained in:
Alvaro Muñoz
2024-10-23 15:48:42 +02:00
parent 9a0795cc75
commit 674afc5edd
5 changed files with 50 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
ql/lib/codeql/actions/security/ControlChecks.qll
View File

@@ -159,14 +159,16 @@ abstract class CommentVsHeadDateCheck extends ControlCheck {
/* Specific implementations of control checks */
class LabelIfCheck extends LabelCheck instanceof If {
string condition;
LabelIfCheck() {
// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
// eg: github.event.label.name == 'safe to test'
exists(
normalizeExpr(this.getCondition())
.regexpFind([
"\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b"
], _, _)
condition = normalizeExpr(this.getCondition()) and
(
// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
condition.regexpMatch("(^|[^!])contains\\(\\s*github\\.event\\.pull_request\\.labels\\b.*")
or
// eg: github.event.label.name == 'safe to test'
condition.regexpMatch(".*\\bgithub\\.event\\.label\\.name\\s*==.*")
)
}
}

0
ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout.yml → ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout1.yml vendored
View File

28
ql/test/query-tests/Security/CWE-829/.github/workflows/label_trusted_checkout2.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
on:
pull_request_target:
types: [labeled]
jobs:
build:
name: Build and test
runs-on: ubuntu-latest
if: |
!contains(github.event.pull_request.labels.*.name, 'safe to test')
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-node@v1
- run: |
npm install
npm build
- uses: completely/fakeaction@v2
with:
arg1: ${{ secrets.supersecret }}
- uses: fakerepo/comment-on-pr@v1
with:
message: |
Thank you!

6
ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected
View File

@@ -13,8 +13,10 @@
| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue |
| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/request-action@v2.x | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr |
| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/request-action@v2.0.2 | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request |
| .github/workflows/label_trusted_checkout.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | Uses Step |
| .github/workflows/label_trusted_checkout.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step | Uses Step |
| .github/workflows/label_trusted_checkout1.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | Uses Step |
| .github/workflows/label_trusted_checkout1.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | Uses Step |
| .github/workflows/label_trusted_checkout2.yml:21:13:21:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | Uses Step |
| .github/workflows/label_trusted_checkout2.yml:25:13:25:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step | Uses Step |
| .github/workflows/level0.yml:36:15:36:47 | rlespinasse/github-slug-action@v4 | Unpinned 3rd party Action 'Poutine Level 0' step $@ uses 'rlespinasse/github-slug-action' with ref 'v4', not a pinned commit hash | .github/workflows/level0.yml:36:9:39:6 | Uses Step | Uses Step |
| .github/workflows/mend.yml:31:15:31:34 | ruby/setup-ruby@v1 | Unpinned 3rd party Action 'Test' step $@ uses 'ruby/setup-ruby' with ref 'v1', not a pinned commit hash | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Uses Step |
| .github/workflows/pr-workflow.yml:60:15:60:52 | amannn/action-semantic-pull-request@v5 | Unpinned 3rd party Action 'pr-workflow' step $@ uses 'amannn/action-semantic-pull-request' with ref 'v5', not a pinned commit hash | .github/workflows/pr-workflow.yml:60:9:70:6 | Uses Step | Uses Step |

13
ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
View File

@@ -101,10 +101,14 @@ edges
| .github/workflows/issue_comment_octokit.yml:66:9:79:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step |
| .github/workflows/issue_comment_octokit.yml:87:9:95:6 | Uses Step: sha | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step |
| .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step |
| .github/workflows/label_trusted_checkout.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step |
| .github/workflows/label_trusted_checkout.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step |
| .github/workflows/label_trusted_checkout.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step |
| .github/workflows/label_trusted_checkout.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout.yml:24:7:27:21 | Uses Step |
| .github/workflows/label_trusted_checkout1.yml:11:7:15:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step |
| .github/workflows/label_trusted_checkout1.yml:15:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step |
| .github/workflows/label_trusted_checkout1.yml:16:7:20:4 | Run Step | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step |
| .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step |
| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step |
| .github/workflows/label_trusted_checkout2.yml:16:7:17:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step |
| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step |
| .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:25:7:28:21 | Uses Step |
| .github/workflows/level0.yml:33:9:36:6 | Uses Step | .github/workflows/level0.yml:36:9:39:6 | Uses Step |
| .github/workflows/level0.yml:36:9:39:6 | Uses Step | .github/workflows/level0.yml:39:9:52:2 | Run Step: check_profanities |
| .github/workflows/level0.yml:62:9:65:6 | Uses Step | .github/workflows/level0.yml:65:9:86:2 | Uses Step |
@@ -310,6 +314,7 @@ edges
| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | .github/workflows/dependabot3.yml |
| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | .github/workflows/gitcheckout.yml |
| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | .github/workflows/label_trusted_checkout2.yml |
| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:3:3:3:8 | issues | .github/workflows/level0.yml |
| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | .github/workflows/level0.yml |
| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | .github/workflows/level0.yml |