diff --git a/ql/src/Security/CWE-349/CachePoisoning.ql b/ql/src/Security/CWE-349/CachePoisoning.ql index 2a9952ce07f..f202b1fcecf 100644 --- a/ql/src/Security/CWE-349/CachePoisoning.ql +++ b/ql/src/Security/CWE-349/CachePoisoning.ql @@ -41,7 +41,8 @@ where // the job writes to the cache // (No need to follow the checkout step as the cache writing is normally done after the job completes) j.getAStep() = s and - s instanceof CacheWritingStep + s instanceof CacheWritingStep and + not s instanceof PoisonableStep or // the job executes checked-out code // (The cache specific token can be leaked even for non-privileged workflows) diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml new file mode 100644 index 00000000000..6900c3bc23f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages preview environment +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write +# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false +jobs: + # Build job + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + # For PRs make sure to checkout the PR branch + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + # Deployment job + deploy: + environment: + name: 'Pages Preview' + url: ${{ steps.deployment.outputs.page_url }} + # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages + permissions: + contents: read + pages: write + id-token: write + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: + preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml new file mode 100644 index 00000000000..5501beb9ea2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc2.yml @@ -0,0 +1,58 @@ +name: branch-deploy + +on: + issue_comment: + types: [created] + +# Permissions needed for reacting and adding comments for IssueOps commands +permissions: + pull-requests: write + deployments: write + contents: write + checks: read + +jobs: + branch-deploy: + name: branch-deploy + if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings + ${{ github.event.issue.pull_request && + (startsWith(github.event.comment.body, '.deploy') || + startsWith(github.event.comment.body, '.noop') || + startsWith(github.event.comment.body, '.lock') || + startsWith(github.event.comment.body, '.help') || + startsWith(github.event.comment.body, '.wcid') || + startsWith(github.event.comment.body, '.unlock')) }} + runs-on: ubuntu-latest + + steps: + - name: branch-deploy + id: branch-deploy + uses: github/branch-deploy@v9 + with: + trigger: ".deploy" + environment: "production" + sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md + + # Check out the ref from the output of the IssueOps command + - uses: actions/checkout@v4 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + ref: ${{ steps.branch-deploy.outputs.ref }} + + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + bundler-cache: true + + - name: bootstrap + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + run: script/bootstrap + + # Here we run a deploy. It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue + - name: deploy + if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} + run: | + set -o pipefail + script/deploy | tee deploy.out + bundle exec ruby script/ci/render_deploy_message.rb + rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml new file mode 100644 index 00000000000..4d5ae1f528c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-349/.github/workflows/poc3.yml @@ -0,0 +1,64 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' + + deploy: + runs-on: ubuntu-latest + needs: build-and-upload + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + permissions: + pages: write + id-token: write + outputs: + deployment_url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 + with: + preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected index 6a91d49c0ca..2580531afd3 100644 --- a/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected +++ b/ql/test/query-tests/Security/CWE-349/CachePoisoning.expected @@ -1,4 +1,56 @@ edges +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:13:9:18:6 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:18:9:22:6 | Uses Step | | .github/workflows/test1.yml:10:9:13:6 | Uses Step: comment-branch | .github/workflows/test1.yml:22:9:23:21 | Run Step | @@ -104,6 +156,11 @@ edges | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step | #select +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test1.yml:18:9:22:6 | Uses Step | .github/workflows/test1.yml:13:9:18:6 | Uses Step | .github/workflows/test1.yml:18:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test2.yml:14:9:18:6 | Uses Step | .github/workflows/test2.yml:11:9:14:6 | Uses Step | .github/workflows/test2.yml:14:9:18:6 | Uses Step | Potential cache poisoning in the context of the default branch | | .github/workflows/test3.yml:14:9:22:6 | Uses Step | .github/workflows/test3.yml:11:9:14:6 | Uses Step | .github/workflows/test3.yml:14:9:22:6 | Uses Step | Potential cache poisoning in the context of the default branch | diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml new file mode 100644 index 00000000000..6900c3bc23f --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc.yml @@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll site to Pages preview environment +on: + # Runs on pull requests targeting the default branch + pull_request_target: + branches: ["main"] +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write +# Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: false +jobs: + # Build job + build: + # Limit permissions of the GITHUB_TOKEN for untrusted code + permissions: + contents: read + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + with: + # For PRs make sure to checkout the PR branch + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - name: Setup Pages + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@b178f9334b208360999a0a57b523613563698c66 # v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + # Automatically uploads an artifact from the './_site' directory by default + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3 + # Deployment job + deploy: + environment: + name: 'Pages Preview' + url: ${{ steps.deployment.outputs.page_url }} + # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages + permissions: + contents: read + pages: write + id-token: write + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 + with: + preview: 'true' diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml new file mode 100644 index 00000000000..5501beb9ea2 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc2.yml @@ -0,0 +1,58 @@ +name: branch-deploy + +on: + issue_comment: + types: [created] + +# Permissions needed for reacting and adding comments for IssueOps commands +permissions: + pull-requests: write + deployments: write + contents: write + checks: read + +jobs: + branch-deploy: + name: branch-deploy + if: # only run on pull request comments and very specific comment body string as defined in our branch-deploy settings + ${{ github.event.issue.pull_request && + (startsWith(github.event.comment.body, '.deploy') || + startsWith(github.event.comment.body, '.noop') || + startsWith(github.event.comment.body, '.lock') || + startsWith(github.event.comment.body, '.help') || + startsWith(github.event.comment.body, '.wcid') || + startsWith(github.event.comment.body, '.unlock')) }} + runs-on: ubuntu-latest + + steps: + - name: branch-deploy + id: branch-deploy + uses: github/branch-deploy@v9 + with: + trigger: ".deploy" + environment: "production" + sticky_locks: "true" # https://github.com/github/branch-deploy/blob/1f6516ef5092890ce75d9e97ca7cbdb628e38bdd/docs/hubot-style-deployment-locks.md + + # Check out the ref from the output of the IssueOps command + - uses: actions/checkout@v4 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + ref: ${{ steps.branch-deploy.outputs.ref }} + + - uses: ruby/setup-ruby@d4526a55538b775af234ba4af27118ed6f8f6677 # pin@v1.172.0 + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + with: + bundler-cache: true + + - name: bootstrap + if: ${{ steps.branch-deploy.outputs.continue == 'true' }} + run: script/bootstrap + + # Here we run a deploy. It is "gated" by the IssueOps logic and will only run if the outputs from our branch-deploy step indicate that the workflow should continue + - name: deploy + if: ${{ steps.branch-deploy.outputs.continue == 'true' && steps.branch-deploy.outputs.noop != 'true' }} + run: | + set -o pipefail + script/deploy | tee deploy.out + bundle exec ruby script/ci/render_deploy_message.rb + rm deploy.out diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml new file mode 100644 index 00000000000..4d5ae1f528c --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/poc3.yml @@ -0,0 +1,64 @@ +name: Publish + +on: + push: + branches: + - main + pull_request_target: + workflow_dispatch: + workflow_call: + +jobs: + build-and-upload: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + + - name: Checkout PR + if: ${{ github.event_name == 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Checkout + if: ${{ github.event_name != 'pull_request_target' }} + uses: actions/checkout@v3 + with: + ref: main + + - name: Setup Pages + uses: actions/configure-pages@v1 + - name: Use Node.js + uses: actions/setup-node@v3 + with: + node-version: 18 + cache: npm + - name: Update npm to latest + run: npm i --prefer-online --no-fund --no-audit -g npm@latest + - run: npm -v + - run: npm i --ignore-scripts --no-audit --no-fund --package-lock + - run: npm run build -w www + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + path: './workspaces/www/build' + + deploy: + runs-on: ubuntu-latest + needs: build-and-upload + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + permissions: + pages: write + id-token: write + outputs: + deployment_url: ${{ steps.deployment.outputs.page_url }} + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 + with: + preview: ${{ github.event_name == 'pull_request_target' }} diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml new file mode 100644 index 00000000000..96fd8bdd1a4 --- /dev/null +++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/test.yml @@ -0,0 +1,37 @@ +name: Tests +on: + push: + branches: + - master + pull_request: + workflow_dispatch: + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Fetch CodeQL + shell: bash + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh extension install github/gh-codeql + gh codeql set-channel "nightly" + gh codeql version + printf "CODEQL_FETCHED_CODEQL_PATH=" >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_ENV}" + gh codeql version --format=json | jq -r .unpackedLocation >> "${GITHUB_PATH}" + - name: Install Packs + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + gh repo clone github/codeql + codeql pack install "ql/lib" + codeql pack install "ql/src" + codeql pack install "ql/test" + - name: Run Tests + env: + GITHUB_TOKEN: ${{ github.token }} + run: | + codeql test run ql/test diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected index 29b311435dd..57efc8af35d 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected @@ -198,6 +198,58 @@ edges | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:22:9:29:6 | Uses Step | | .github/workflows/mend.yml:13:9:22:6 | Run Step: set_ref | .github/workflows/mend.yml:29:9:33:28 | Uses Step | | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:28:9:37:6 | Uses Step: branch-deploy | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:47:9:52:6 | Run Step | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc2.yml:47:9:52:6 | Run Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:25:7:31:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:31:7:33:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:25:7:31:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:31:7:33:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:40:7:41:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:41:7:42:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:40:7:41:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:42:7:43:4 | Run Step | +| .github/workflows/poc3.yml:41:7:42:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc3.yml:42:7:43:4 | Run Step | .github/workflows/poc3.yml:43:7:48:2 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:36:9:38:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:38:9:43:6 | Uses Step | +| .github/workflows/poc.yml:36:9:38:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | +| .github/workflows/poc.yml:38:9:43:6 | Uses Step | .github/workflows/poc.yml:43:9:47:2 | Uses Step | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | .github/workflows/priv_pull_request_checkout.yml:20:9:23:52 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:21:9:24:6 | Run Step | | .github/workflows/test1.yml:18:9:21:6 | Uses Step | .github/workflows/test1.yml:24:9:25:39 | Run Step | @@ -242,6 +294,12 @@ edges | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:42:7:43:4 | Run Step | | .github/workflows/test4.yml:41:7:42:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | | .github/workflows/test4.yml:42:7:43:4 | Run Step | .github/workflows/test4.yml:43:7:46:39 | Uses Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step | +| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | +| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step | @@ -261,5 +319,7 @@ edges | .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/mend.yml:29:9:33:28 | Uses Step | .github/workflows/mend.yml:22:9:29:6 | Uses Step | .github/workflows/mend.yml:29:9:33:28 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential unsafe checkout of untrusted code on a privileged workflow. | +| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | .github/workflows/untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/untrusted_checkout.yml:20:9:22:23 | Run Step | Potential unsafe checkout of untrusted code on a privileged workflow. | diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected index 5bf0e56e1b7..61c328b7011 100644 --- a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected +++ b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected @@ -1,5 +1,7 @@ | .github/workflows/dependabot1.yml:15:9:19:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/dependabot1.yml:39:9:43:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | +| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. | | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |