hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-28 06:36:33 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #69 from github/improve_cache_poisoning

Browse Source 
Improve Cache Poisoning Query
This commit is contained in:
Alvaro Muñoz
2024-08-06 12:45:51 +02:00
committed by GitHub
parent 0990774302 d18179850d
commit 76210f53c8
46 changed files with 452 additions and 657 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
ql/lib/codeql/actions/security/CachePoisoningQuery.qll
View File

@@ -44,65 +44,20 @@ predicate runsOnDefaultBranch(Event e) {
)
}
abstract class CacheWritingStep extends Step { }
abstract class CacheWritingStep extends Step {
abstract string getPath();
}
class CacheActionUsesStep extends CacheWritingStep, UsesStep {
CacheActionUsesStep() { this.getCallee() = "actions/cache" }
override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
}
class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
}
class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
SetupJavaUsesStep() {
this.getCallee() = "actions/setup-java" and
(
exists(this.getArgument("cache")) or
exists(this.getArgument("cache-dependency-path"))
)
}
}
class SetupGoUsesStep extends CacheWritingStep, UsesStep {
SetupGoUsesStep() {
this.getCallee() = "actions/setup-go" and
(
not exists(this.getArgument("cache"))
or
this.getArgument("cache") = "true"
)
}
}
class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
SetupNodeUsesStep() {
this.getCallee() = "actions/setup-node" and
(
exists(this.getArgument("cache")) or
exists(this.getArgument("cache-dependency-path"))
)
}
}
class SetupPythonUsesStep extends CacheWritingStep, UsesStep {
SetupPythonUsesStep() {
this.getCallee() = "actions/setup-python" and
(
exists(this.getArgument("cache")) or
exists(this.getArgument("cache-dependency-path"))
)
}
}
class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
SetupDotnetUsesStep() {
this.getCallee() = "actions/setup-dotnet" and
(
this.getArgument("cache") = "true" or
exists(this.getArgument("cache-dependency-path"))
)
}
override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
}
class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
@@ -110,4 +65,6 @@ class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and
this.getArgument("bundler-cache") = "true"
}
override string getPath() { result = "vendor/bundle" }
}

30
ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
View File

@@ -1,6 +1,12 @@
import actions
import codeql.actions.DataFlow
string getStepCWD() {
// TODO: This should be the path of the git command.
// Read if from the step's CWD, workspace or look for a cd command.
result = "?"
}
bindingset[s]
predicate containsPullRequestNumber(string s) {
exists(
@@ -68,7 +74,9 @@ predicate containsHeadRef(string s) {
}
/** Checkout of a Pull Request HEAD */
abstract class PRHeadCheckoutStep extends Step { }
abstract class PRHeadCheckoutStep extends Step {
abstract string getPath();
}
/** Checkout of a Pull Request HEAD ref */
abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { }
@@ -138,6 +146,12 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
)
)
}
override string getPath() {
if exists(this.(UsesStep).getArgument("path"))
then result = this.(UsesStep).getArgument("path")
else result = "?"
}
}
/** Checkout of a Pull Request HEAD ref using actions/checkout action */
@@ -194,6 +208,12 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
)
)
}
override string getPath() {
if exists(this.(UsesStep).getArgument("path"))
then result = this.(UsesStep).getArgument("path")
else result = "?"
}
}
/** Checkout of a Pull Request HEAD ref using git within a Run step */
@@ -216,6 +236,8 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
)
)
}
override string getPath() { result = getStepCWD() }
}
/** Checkout of a Pull Request HEAD ref using git within a Run step */
@@ -235,6 +257,8 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run {
)
)
}
override string getPath() { result = getStepCWD() }
}
/** Checkout of a Pull Request HEAD ref using gh within a Run step */
@@ -256,6 +280,8 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
)
)
}
override string getPath() { result = getStepCWD() }
}
/** Checkout of a Pull Request HEAD ref using gh within a Run step */
@@ -274,4 +300,6 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run {
)
)
}
override string getPath() { result = getStepCWD() }
}

61
ql/src/Security/CWE-349/CachePoisoning.ql
View File

@@ -1,61 +0,0 @@
/**
* @name Cache Poisoning
* @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
* @kind path-problem
* @problem.severity error
* @precision high
* @security-severity 7.5
* @id actions/cache-poisoning
* @tags actions
* security
* external/cwe/cwe-349
*/
import actions
import codeql.actions.security.ArtifactPoisoningQuery
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.CachePoisoningQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
query predicate edges(Step a, Step b) { a.getNextStep() = b }
from LocalJob j, Event e, Step artifact, Step s
where
(
artifact instanceof PRHeadCheckoutStep or
artifact instanceof UntrustedArtifactDownloadStep
) and
j.getATriggerEvent() = e and
// job can be triggered by an external user
e.isExternallyTriggerable() and
// the checkout is not controlled by an access check
not exists(ControlCheck check | check.protects(artifact, j.getATriggerEvent())) and
(
// the workflow runs in the context of the default branch
runsOnDefaultBranch(e)
or
// the workflow caller runs in the context of the default branch
e.getName() = "workflow_call" and
exists(ExternalJob caller |
caller.getCallee() = j.getLocation().getFile().getRelativePath() and
runsOnDefaultBranch(caller.getATriggerEvent())
)
) and
// the job checkouts untrusted code from a pull request
j.getAStep() = artifact and
(
// the job writes to the cache
// (No need to follow the checkout step as the cache writing is normally done after the job completes)
j.getAStep() = s and
s instanceof CacheWritingStep and
not s instanceof PoisonableStep
or
// the job executes checked-out code
// (The cache specific token can be leaked even for non-privileged workflows)
artifact.getAFollowingStep() = s and
s instanceof PoisonableStep and
// excluding privileged workflows since they can be exploited in easier circumstances
not j.isPrivileged()
)
select s, artifact, s, "Potential cache poisoning in the context of the default branch"

2
ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql → ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
View File

@@ -1,5 +1,5 @@
/**
* @name Cache Poisoning via low-privilege code injection
* @name Cache Poisoning via low-privileged code injection
* @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
* @kind path-problem
* @problem.severity error

90
ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql Normal file
View File

@@ -0,0 +1,90 @@
/**
* @name Cache Poisoning via caching of untrusted files
* @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
* @kind path-problem
* @problem.severity error
* @precision high
* @security-severity 7.5
* @id actions/cache-poisoning/direct-cache
* @tags actions
* security
* external/cwe/cwe-349
*/
import actions
import codeql.actions.security.ArtifactPoisoningQuery
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.CachePoisoningQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
/**
* Holds if the path cache_path is a subpath of the path untrusted_path.
*/
bindingset[cache_path, untrusted_path]
predicate controlledCachePath(string cache_path, string untrusted_path) {
exists(string normalized_cache_path, string normalized_untrusted_path |
(
cache_path.regexpMatch("^[a-zA-Z0-9_-].*") and
normalized_cache_path = "./" + cache_path.regexpReplaceAll("/$", "")
or
normalized_cache_path = cache_path.regexpReplaceAll("/$", "")
) and
(
untrusted_path.regexpMatch("^[a-zA-Z0-9_-].*") and
normalized_untrusted_path = "./" + untrusted_path.regexpReplaceAll("/$", "")
or
normalized_untrusted_path = untrusted_path.regexpReplaceAll("/$", "")
) and
normalized_cache_path.substring(0, normalized_untrusted_path.length()) =
normalized_untrusted_path
)
}
query predicate edges(Step a, Step b) { a.getNextStep() = b }
from LocalJob j, Event e, Step source, Step s, string message, string path
where
// the job checkouts untrusted code from a pull request or downloads an untrusted artifact
j.getAStep() = source and
(
source instanceof PRHeadCheckoutStep and
message = "due to privilege checkout of untrusted code." and
path = source.(PRHeadCheckoutStep).getPath()
or
source instanceof UntrustedArtifactDownloadStep and
message = "due to downloading an untrusted artifact." and
path = source.(UntrustedArtifactDownloadStep).getPath()
) and
// the checkout/download is not controlled by an access check
not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and
j.getATriggerEvent() = e and
// job can be triggered by an external user
e.isExternallyTriggerable() and
(
// the workflow runs in the context of the default branch
runsOnDefaultBranch(e)
or
// the workflow's caller runs in the context of the default branch
e.getName() = "workflow_call" and
exists(ExternalJob caller |
caller.getCallee() = j.getLocation().getFile().getRelativePath() and
runsOnDefaultBranch(caller.getATriggerEvent())
)
) and
// the job writes to the cache
// (No need to follow the checkout/download step since the cache is normally write after the job completes)
j.getAStep() = s and
s instanceof CacheWritingStep and
(
// we dont know what code can be controlled by the attacker
path = "?"
or
// we dont know what files are being cached
s.(CacheWritingStep).getPath() = "?"
or
// the cache writing step reads from a path the attacker can control
not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path)
) and
not s instanceof PoisonableStep
select s, source, s, "Potential cache poisoning in the context of the default branch " + message

58
ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql Normal file
View File

@@ -0,0 +1,58 @@
/**
* @name Cache Poisoning via execution of untrusted code
* @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
* @kind path-problem
* @problem.severity error
* @precision high
* @security-severity 7.5
* @id actions/cache-poisoning/poisonable-step
* @tags actions
* security
* external/cwe/cwe-349
*/
import actions
import codeql.actions.security.ArtifactPoisoningQuery
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.CachePoisoningQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
query predicate edges(Step a, Step b) { a.getNextStep() = b }
from LocalJob j, Event e, Step source, Step s, string message, string path
where
// the job checkouts untrusted code from a pull request or downloads an untrusted artifact
j.getAStep() = source and
(
source instanceof PRHeadCheckoutStep and
message = "due to privilege checkout of untrusted code." and
path = source.(PRHeadCheckoutStep).getPath()
or
source instanceof UntrustedArtifactDownloadStep and
message = "due to downloading an untrusted artifact." and
path = source.(UntrustedArtifactDownloadStep).getPath()
) and
// the checkout/download is not controlled by an access check
not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and
j.getATriggerEvent() = e and
// job can be triggered by an external user
e.isExternallyTriggerable() and
(
// the workflow runs in the context of the default branch
runsOnDefaultBranch(e)
or
// the workflow's caller runs in the context of the default branch
e.getName() = "workflow_call" and
exists(ExternalJob caller |
caller.getCallee() = j.getLocation().getFile().getRelativePath() and
runsOnDefaultBranch(caller.getATriggerEvent())
)
) and
// the job executes checked-out code
// (The cache specific token can be leaked even for non-privileged workflows)
source.getAFollowingStep() = s and
s instanceof PoisonableStep and
// excluding privileged workflows since they can be exploited in easier circumstances
not j.isPrivileged()
select s, source, s, "Potential cache poisoning in the context of the default branch " + message

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test9.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection1.yml vendored
View File

16
ql/test/query-tests/Security/CWE-349/.github/workflows/code_injection2.yml vendored Normal file
View File

@@ -0,0 +1,16 @@
name: Test
on:
pull_request_target:
branches: [ master, main, dev ]
jobs:
test:
name: Test
runs-on: ubuntu-latest
steps:
- id: modified_files
uses: trilom/file-changes-action@v1.2.4
with:
output: ","
- run: echo "${{ steps.modified_files.outputs.files_modified }}"

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test1.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache1.yml vendored
View File

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test2.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache2.yml vendored
View File

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test11.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache3.yml vendored
View File

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test15.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache4.yml vendored
View File

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test16.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache5.yml vendored
View File

35
ql/test/query-tests/Security/CWE-349/.github/workflows/direct_cache6.yml vendored Normal file
View File

@@ -0,0 +1,35 @@
name: Test
on:
issue_comment:
permissions:
actions: write
jobs:
generate-results:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Cache pip dependencies
uses: actions/cache@v4
id: cache-pip
with:
path: ./results/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
restore-keys: ${{ runner.os }}-pip-
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: results
path: results/
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: results
path: results/
if-no-files-found: ignore

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test10.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/neg_code_injection1.yml vendored
View File

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test13.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache1.yml vendored
View File

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test14.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache2.yml vendored
View File

35
ql/test/query-tests/Security/CWE-349/.github/workflows/neg_direct_cache3.yml vendored Normal file
View File

@@ -0,0 +1,35 @@
name: Test
on:
issue_comment:
permissions:
actions: write
jobs:
generate-results:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Cache pip dependencies
uses: actions/cache@v4
id: cache-pip
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }}
restore-keys: ${{ runner.os }}-pip-
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: results
path: results/
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: results
path: results/
if-no-files-found: ignore

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test12.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step1.yml vendored
View File

16
ql/test/query-tests/Security/CWE-349/.github/workflows/test18.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/neg_poisonable_step2.yml vendored
View File

@@ -5,27 +5,13 @@ on:
push:
branches:
- main
- 'releases/*'
jobs:
verify-build:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: .nvmrc
- name: Install NPM dependencies
run: npm ci
- name: Rebuild the dist/ directory
run: npm run build
- name: Compare the expected and actual dist/ directories
run: bin/check-build-output-in-dist-directory

63
ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml vendored
View File

@@ -1,63 +0,0 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
name: Deploy Jekyll site to Pages preview environment
on:
# Runs on pull requests targeting the default branch
pull_request_target:
branches: ["main"]
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
cancel-in-progress: false
jobs:
# Build job
build:
# Limit permissions of the GITHUB_TOKEN for untrusted code
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
# For PRs make sure to checkout the PR branch
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: Setup Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
- name: Build with Jekyll
uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1
with:
source: ./
destination: ./_site
- name: Upload artifact
# Automatically uploads an artifact from the './_site' directory by default
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
# Deployment job
deploy:
environment:
name: 'Pages Preview'
url: ${{ steps.deployment.outputs.page_url }}
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
runs-on: ubuntu-latest
needs: build
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
with:
preview: 'true'

58
ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml vendored
View File

@@ -1,58 +0,0 @@
name: branch-deploy
on:
issue_comment:
types: [created]
# Permissions needed for reacting and adding comments for IssueOps commands
permissions:
pull-requests: write
deployments: write
contents: write
checks: read
jobs:
branch-deploy:
name: branch-deploy
if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings
${{ github.event.issue.pull_request &&
(startsWith(github.event.comment.body, '.deploy') ||
startsWith(github.event.comment.body, '.noop') ||
startsWith(github.event.comment.body, '.lock') ||
startsWith(github.event.comment.body, '.help') ||
startsWith(github.event.comment.body, '.wcid') ||
startsWith(github.event.comment.body, '.unlock')) }}
runs-on: ubuntu-latest
steps:
- name: branch-deploy
id: branch-deploy
uses: github/branch-deploy@v9
with:
trigger: ".deploy"
environment: "production"
sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md
# Check out the ref from the output of the IssueOps command
- uses: actions/checkout@v4
if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
with:
ref: ${{ steps.branch-deploy.outputs.ref }}
- uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0
if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
with:
bundler-cache: true
- name: bootstrap
if: ${{ steps.branch-deploy.outputs.continue == 'true' }}
run: script/bootstrap
# Here we run a deploy. It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue
- name: deploy
if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }}
run: |
set -o pipefail
script/deploy | tee deploy.out
bundle exec ruby script/ci/render_deploy_message.rb
rm deploy.out

64
ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml vendored
View File

@@ -1,64 +0,0 @@
name: Publish
on:
push:
branches:
- main
pull_request_target:
workflow_dispatch:
workflow_call:
jobs:
build-and-upload:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout PR
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: Checkout
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: main
- name: Setup Pages
uses: actions/configure-pages@v1
- name: Use Node.js
uses: actions/setup-node@v3
with:
node-version: 18
cache: npm
- name: Update npm to latest
run: npm i --prefer-online --no-fund --no-audit -g npm@latest
- run: npm -v
- run: npm i --ignore-scripts --no-audit --no-fund --package-lock
- run: npm run build -w www
- name: Upload artifact
uses: actions/upload-pages-artifact@v1
with:
path: './workspaces/www/build'
deploy:
runs-on: ubuntu-latest
needs: build-and-upload
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
permissions:
pages: write
id-token: write
outputs:
deployment_url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v1
with:
preview: ${{ github.event_name == 'pull_request_target' }}

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test8.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step1.yml vendored
View File

0
ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml → ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step2.yml vendored
View File

19
ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step3.yml vendored Normal file
View File

@@ -0,0 +1,19 @@
name: Publish
on:
pull_request_target:
jobs:
build-and-upload:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout PR
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- run: npm run build -w www

18
ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step4.yml vendored Normal file
View File

@@ -0,0 +1,18 @@
name: OpenAPI
on:
pull_request_target:
permissions: {}
jobs:
openapi-base:
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Checkout repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ github.event.pull_request.head.sha }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- run: ./foo

28
ql/test/query-tests/Security/CWE-349/.github/workflows/poisonable_step5.yml vendored Normal file
View File

@@ -0,0 +1,28 @@
name: Test
on:
pull_request_target:
branches: ["main"]
permissions:
contents: read
pages: write
id-token: write
jobs:
build:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: Setup Pages
uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
- name: Build with Jekyll
uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1
with:
source: ./
destination: ./_site

42
ql/test/query-tests/Security/CWE-349/.github/workflows/test19.yml vendored
View File

@@ -1,42 +0,0 @@
name: Close Translation Pull Requests
on:
pull_request_target:
branches: [ master, main, dev ]
jobs:
close-translation-prs:
name: Close Translation Pull Requests
runs-on: ubuntu-latest
steps:
- name: Get changed files
id: modified_files
uses: trilom/file-changes-action@v1.2.4
with:
output: ","
- name: Check the PR for translations
id: check
run: |
shopt -s nocasematch
if [[ "${{ steps.modified_files.outputs.files_modified }}" == *"en_gb/strings.po"* ]]; then
echo "Found modified en_gb, likely a valid PR"
unset CLOSE
elif [[ "${{ steps.modified_files.outputs.files_modified }}" == *"strings.po"* ]]; then
echo "Found modified strings.po, unwanted."
CLOSE="true"
elif [[ "${{ steps.modified_files.outputs.files_added }}" == *"strings.po"* ]]; then
echo "Found added strings.po, unwanted."
CLOSE="true"
elif [[ "${{ steps.modified_files.outputs.files_removed }}" == *"strings.po"* ]]; then
echo "Found removed strings.po, unwanted."
CLOSE="true"
else
echo "No strings.po were modified or added, not a translation."
unset CLOSE
fi
echo ::set-output name=close::${CLOSE}

46
ql/test/query-tests/Security/CWE-349/.github/workflows/test20.yml vendored
View File

@@ -1,46 +0,0 @@
name: Publish
on:
push:
branches:
- main
pull_request_target:
workflow_dispatch:
workflow_call:
jobs:
build-and-upload:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout PR
if: ${{ github.event_name == 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: Checkout
if: ${{ github.event_name != 'pull_request_target' }}
uses: actions/checkout@v3
with:
ref: main
- name: Setup Pages
uses: actions/configure-pages@v1
- name: Use Node.js
uses: actions/setup-node@v3
with:
node-version: 18
cache: npm
- name: Update npm to latest
run: npm i --prefer-online --no-fund --no-audit -g npm@latest
- run: npm -v
- run: npm i --ignore-scripts --no-audit --no-fund --package-lock
- run: npm run build -w www
- name: Upload artifact
uses: actions/upload-pages-artifact@v1
with:
path: './workspaces/www/build'

44
ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml vendored
View File

@@ -1,44 +0,0 @@
name: OpenAPI
on:
push:
branches:
- master
tags:
- 'v*'
pull_request_target:
permissions: {}
jobs:
openapi-base:
name: OpenAPI - BASE
if: ${{ github.base_ref != '' }}
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Checkout repository
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ github.event.pull_request.head.sha }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
fetch-depth: 0
- name: Generate openapi.json
run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests"
publish-unstable:
name: OpenAPI - Publish Unstable Spec
if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
runs-on: ubuntu-latest
needs:
- openapi-base
steps:
- name: Upload openapi.json (unstable) to repository server
uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
with:
host: "${{ secrets.REPO_HOST }}"
username: "${{ secrets.REPO_USER }}"
key: "${{ secrets.REPO_KEY }}"
source: openapi-head/openapi.json
strip_components: 1
target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}"

23
ql/test/query-tests/Security/CWE-349/.github/workflows/test3.yml vendored
View File

@@ -1,23 +0,0 @@
name: Cache Poisoning
on: pull_request_target
permissions: {}
jobs:
poison:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-java@v2
with:
distribution: 'zulu'
java-version: '21'
cache: 'gradle'
cache-dependency-path: |
sub-project/*.gradle*
sub-project/**/gradle-wrapper.properties
- run: |
java HelloWorldApp.java

21
ql/test/query-tests/Security/CWE-349/.github/workflows/test4.yml vendored
View File

@@ -1,21 +0,0 @@
name: Cache Poisoning
on: pull_request_target
permissions:
contents: read
jobs:
poison:
runs-on: ubuntu-latest
permissions: read-all
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-java@v2
with:
distribution: 'zulu'
java-version: '21'
- run: |
java HelloWorldApp.java

19
ql/test/query-tests/Security/CWE-349/.github/workflows/test5.yml vendored
View File

@@ -1,19 +0,0 @@
name: Cache Poisoning
on: pull_request_target
jobs:
poison:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-go@v2
with:
go-version-file: 'go.mod'
cache: false
- run: do some go stuff

18
ql/test/query-tests/Security/CWE-349/.github/workflows/test6.yml vendored
View File

@@ -1,18 +0,0 @@
name: Cache Poisoning
on: pull_request_target
jobs:
poison:
runs-on: ubuntu-latest
permissions: read-all
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-go@v2
with:
go-version-file: 'go.mod'
cache: true
- run: do some go stuff

17
ql/test/query-tests/Security/CWE-349/.github/workflows/test7.yml vendored
View File

@@ -1,17 +0,0 @@
name: Cache Poisoning
on: pull_request_target
jobs:
poison:
runs-on: ubuntu-latest
permissions: read-all
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- uses: actions/setup-go@v2
with:
go-version-file: 'go.mod'
- run: do some go stuff

89
ql/test/query-tests/Security/CWE-349/CachePoisoning.expected
View File

@@ -1,89 +0,0 @@
edges
| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step |
| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step |
| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step |
| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step |
| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step |
| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step |
| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step |
| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step |
| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step |
| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step |
| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step |
| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step |
| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step |
| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step |
| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step |
| .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step |
| .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step |
| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:22:9:23:21 | Run Step |
| .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step |
| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:18:9:19:21 | Run Step |
| .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step |
| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:22:9:23:34 | Run Step |
| .github/workflows/test4.yml:13:9:16:6 | Uses Step | .github/workflows/test4.yml:16:9:20:6 | Uses Step |
| .github/workflows/test4.yml:16:9:20:6 | Uses Step | .github/workflows/test4.yml:20:9:21:34 | Run Step |
| .github/workflows/test5.yml:11:9:14:6 | Uses Step | .github/workflows/test5.yml:14:9:18:6 | Uses Step |
| .github/workflows/test5.yml:14:9:18:6 | Uses Step | .github/workflows/test5.yml:18:9:19:11 | Run Step |
| .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step |
| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:17:9:18:11 | Run Step |
| .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step |
| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:16:9:17:11 | Run Step |
| .github/workflows/test8.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/test8.yml:12:9:15:6 | Uses Step |
| .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step |
| .github/workflows/test8.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/test8.yml:23:9:26:6 | Uses Step |
| .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step |
| .github/workflows/test8.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/test8.yml:34:9:37:6 | Uses Step |
| .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step |
| .github/workflows/test11.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test11.yml:14:9:19:6 | Uses Step |
| .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step |
| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:23:9:24:21 | Run Step |
| .github/workflows/test12.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/test12.yml:14:9:19:6 | Uses Step |
| .github/workflows/test12.yml:14:9:19:6 | Uses Step | .github/workflows/test12.yml:19:9:20:30 | Run Step |
| .github/workflows/test13.yml:14:9:17:6 | Uses Step | .github/workflows/test13.yml:17:9:21:6 | Uses Step |
| .github/workflows/test13.yml:17:9:21:6 | Uses Step | .github/workflows/test13.yml:21:9:22:21 | Run Step |
| .github/workflows/test14.yml:14:9:17:6 | Uses Step | .github/workflows/test14.yml:17:9:21:6 | Uses Step |
| .github/workflows/test14.yml:17:9:21:6 | Uses Step | .github/workflows/test14.yml:21:9:22:21 | Run Step |
| .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step |
| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:21:9:22:21 | Run Step |
| .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step |
| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:21:9:22:21 | Run Step |
| .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:20:9:22:6 | Uses Step |
| .github/workflows/test17.yml:20:9:22:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step |
| .github/workflows/test18.yml:15:9:19:6 | Uses Step | .github/workflows/test18.yml:19:9:24:6 | Uses Step |
| .github/workflows/test18.yml:19:9:24:6 | Uses Step | .github/workflows/test18.yml:24:9:27:6 | Run Step |
| .github/workflows/test18.yml:24:9:27:6 | Run Step | .github/workflows/test18.yml:27:9:30:6 | Run Step |
| .github/workflows/test18.yml:27:9:30:6 | Run Step | .github/workflows/test18.yml:30:9:31:54 | Run Step |
| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:21:9:41:49 | Run Step: check |
| .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:25:7:31:4 | Uses Step |
| .github/workflows/test20.yml:25:7:31:4 | Uses Step | .github/workflows/test20.yml:31:7:33:4 | Uses Step |
| .github/workflows/test20.yml:31:7:33:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step |
| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step |
| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:40:7:41:4 | Run Step |
| .github/workflows/test20.yml:40:7:41:4 | Run Step | .github/workflows/test20.yml:41:7:42:4 | Run Step |
| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
| .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step |
#select
| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test6.yml:13:9:17:6 | Uses Step | .github/workflows/test6.yml:10:9:13:6 | Uses Step | .github/workflows/test6.yml:13:9:17:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test7.yml:13:9:16:6 | Uses Step | .github/workflows/test7.yml:10:9:13:6 | Uses Step | .github/workflows/test7.yml:13:9:16:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test8.yml:15:9:17:2 | Run Step | .github/workflows/test8.yml:12:9:15:6 | Uses Step | .github/workflows/test8.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test8.yml:26:9:28:2 | Uses Step | .github/workflows/test8.yml:23:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test8.yml:37:9:37:75 | Run Step | .github/workflows/test8.yml:34:9:37:6 | Uses Step | .github/workflows/test8.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test11.yml:19:9:23:6 | Uses Step | .github/workflows/test11.yml:14:9:19:6 | Uses Step | .github/workflows/test11.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test15.yml:17:9:21:6 | Uses Step | .github/workflows/test15.yml:14:9:17:6 | Uses Step | .github/workflows/test15.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test16.yml:17:9:21:6 | Uses Step | .github/workflows/test16.yml:14:9:17:6 | Uses Step | .github/workflows/test16.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test17.yml:22:9:26:31 | Uses Step | .github/workflows/test17.yml:15:9:20:6 | Uses Step | .github/workflows/test17.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test20.yml:33:7:38:4 | Uses Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch |
| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch |

2
ql/test/query-tests/Security/CWE-349/CachePoisoning.qlref
View File

@@ -1,2 +0,0 @@
Security/CWE-349/CachePoisoning.ql

20
ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.expected
View File

@@ -1,20 +0,0 @@
edges
| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | provenance | |
| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | provenance | |
| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | provenance | |
| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | provenance | |
nodes
| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/test10.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files |
| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified |
| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified |
| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | semmle.label | steps.modified_files.outputs.files_added |
| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | semmle.label | steps.modified_files.outputs.files_removed |
subpaths
#select
| .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test9.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:25:18:25:67 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} |
| .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:28:20:28:69 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} |
| .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:31:20:31:66 | steps.modified_files.outputs.files_added | ${{ steps.modified_files.outputs.files_added }} |
| .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | .github/workflows/test19.yml:15:9:21:6 | Uses Step: modified_files | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/test19.yml:34:20:34:68 | steps.modified_files.outputs.files_removed | ${{ steps.modified_files.outputs.files_removed }} |

2
ql/test/query-tests/Security/CWE-349/CachePoisoningByCodeInjection.qlref
View File

@@ -1,2 +0,0 @@
Security/CWE-349/CachePoisoningByCodeInjection.ql

11
ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.expected Normal file
View File

@@ -0,0 +1,11 @@
edges
| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | provenance | |
nodes
| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | semmle.label | Uses Step: modified_files |
| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | semmle.label | steps.modified_files.outputs.files_modified |
| .github/workflows/neg_code_injection1.yml:11:17:11:48 | github.event.comment.body | semmle.label | github.event.comment.body |
subpaths
#select
| .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection1.yml:11:17:11:48 | github.event.comment.body | ${{ github.event.comment.body }} |
| .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | Unprivileged code injection in $@, which may lead to cache poisoning. | .github/workflows/code_injection2.yml:16:21:16:70 | steps.modified_files.outputs.files_modified | ${{ steps.modified_files.outputs.files_modified }} |

2
ql/test/query-tests/Security/CWE-349/CachePoisoningViaCodeInjection.qlref Normal file
View File

@@ -0,0 +1,2 @@
Security/CWE-349/CachePoisoningViaCodeInjection.ql

48
ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.expected Normal file
View File

@@ -0,0 +1,48 @@
edges
| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step |
| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step |
| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step |
| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step |
| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step |
| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step |
| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step |
| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step |
| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step |
| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step |
| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step |
| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step |
| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step |
| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step |
| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip |
| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step |
| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step |
| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step |
| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step |
| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step |
| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step |
| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step |
| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip |
| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step |
| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step |
| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step |
| .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step |
| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step |
| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step |
| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step |
| .github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step |
| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step |
| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step |
| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step |
| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step |
| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step |
| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step |
| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step |
| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
#select
| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | Potential cache poisoning in the context of the default branch due to downloading an untrusted artifact. |

2
ql/test/query-tests/Security/CWE-349/CachePoisoningViaDirectCache.qlref Normal file
View File

@@ -0,0 +1,2 @@
Security/CWE-349/CachePoisoningViaDirectCache.ql

49
ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.expected Normal file
View File

@@ -0,0 +1,49 @@
edges
| .github/workflows/code_injection2.yml:12:9:16:6 | Uses Step: modified_files | .github/workflows/code_injection2.yml:16:9:16:71 | Run Step |
| .github/workflows/direct_cache1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step |
| .github/workflows/direct_cache1.yml:13:9:18:6 | Uses Step | .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step |
| .github/workflows/direct_cache1.yml:18:9:22:6 | Uses Step | .github/workflows/direct_cache1.yml:22:9:23:21 | Run Step |
| .github/workflows/direct_cache2.yml:11:9:14:6 | Uses Step | .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step |
| .github/workflows/direct_cache2.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache2.yml:18:9:19:21 | Run Step |
| .github/workflows/direct_cache3.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step |
| .github/workflows/direct_cache3.yml:14:9:19:6 | Uses Step | .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step |
| .github/workflows/direct_cache3.yml:19:9:23:6 | Uses Step | .github/workflows/direct_cache3.yml:23:9:24:21 | Run Step |
| .github/workflows/direct_cache4.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step |
| .github/workflows/direct_cache4.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache4.yml:21:9:22:21 | Run Step |
| .github/workflows/direct_cache5.yml:14:9:17:6 | Uses Step | .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step |
| .github/workflows/direct_cache5.yml:17:9:21:6 | Uses Step | .github/workflows/direct_cache5.yml:21:9:22:21 | Run Step |
| .github/workflows/direct_cache6.yml:13:9:14:6 | Uses Step | .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step |
| .github/workflows/direct_cache6.yml:14:9:18:6 | Uses Step | .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip |
| .github/workflows/direct_cache6.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step |
| .github/workflows/direct_cache6.yml:25:9:30:6 | Uses Step | .github/workflows/direct_cache6.yml:30:9:35:36 | Uses Step |
| .github/workflows/neg_direct_cache1.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step |
| .github/workflows/neg_direct_cache1.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache1.yml:21:9:22:21 | Run Step |
| .github/workflows/neg_direct_cache2.yml:14:9:17:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step |
| .github/workflows/neg_direct_cache2.yml:17:9:21:6 | Uses Step | .github/workflows/neg_direct_cache2.yml:21:9:22:21 | Run Step |
| .github/workflows/neg_direct_cache3.yml:13:9:14:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step |
| .github/workflows/neg_direct_cache3.yml:14:9:18:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip |
| .github/workflows/neg_direct_cache3.yml:18:9:25:6 | Uses Step: cache-pip | .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step |
| .github/workflows/neg_direct_cache3.yml:25:9:30:6 | Uses Step | .github/workflows/neg_direct_cache3.yml:30:9:35:36 | Uses Step |
| .github/workflows/neg_poisonable_step1.yml:11:9:14:6 | Uses Step: comment-branch | .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step |
| .github/workflows/neg_poisonable_step1.yml:14:9:19:6 | Uses Step | .github/workflows/neg_poisonable_step1.yml:19:9:20:30 | Run Step |
| .github/workflows/neg_poisonable_step2.yml:13:9:16:6 | Uses Step | .github/workflows/neg_poisonable_step2.yml:16:9:17:54 | Run Step |
| .github/workflows/poisonable_step1.yml:10:9:12:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step |
| .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step |
| .github/workflows/poisonable_step1.yml:21:9:23:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step |
| .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step |
| .github/workflows/poisonable_step1.yml:32:9:34:6 | Uses Step: comment-branch | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step |
| .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step |
| .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step |
| .github/workflows/poisonable_step2.yml:20:9:22:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step |
| .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step |
| .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step |
| .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step |
| .github/workflows/poisonable_step5.yml:22:9:24:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step |
#select
| .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | .github/workflows/poisonable_step1.yml:12:9:15:6 | Uses Step | .github/workflows/poisonable_step1.yml:15:9:17:2 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | .github/workflows/poisonable_step1.yml:23:9:26:6 | Uses Step | .github/workflows/poisonable_step1.yml:26:9:28:2 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | .github/workflows/poisonable_step1.yml:34:9:37:6 | Uses Step | .github/workflows/poisonable_step1.yml:37:9:37:75 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | .github/workflows/poisonable_step2.yml:15:9:20:6 | Uses Step | .github/workflows/poisonable_step2.yml:22:9:26:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | .github/workflows/poisonable_step3.yml:13:7:19:4 | Uses Step | .github/workflows/poisonable_step3.yml:19:7:19:32 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | .github/workflows/poisonable_step4.yml:13:9:18:6 | Uses Step | .github/workflows/poisonable_step4.yml:18:9:18:19 | Run Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |
| .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | .github/workflows/poisonable_step5.yml:17:9:22:6 | Uses Step | .github/workflows/poisonable_step5.yml:24:9:28:31 | Uses Step | Potential cache poisoning in the context of the default branch due to privilege checkout of untrusted code. |

2
ql/test/query-tests/Security/CWE-349/CachePoisoningViaPoisonableStep.qlref Normal file
View File

@@ -0,0 +1,2 @@
Security/CWE-349/CachePoisoningViaPoisonableStep.ql