diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
index ffb217739c7..d2969b7d6e7 100644
--- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -13,11 +13,13 @@ import actions
-from Workflow workflow, Job job
+from Job job
 where
- job = workflow.getAJob() and
- (
- not exists(workflow.getPermissions()) and
- not exists(job.getPermissions())
+ not exists(job.getPermissions()) and
+ not exists(job.getEnclosingWorkflow().getPermissions()) and
+ // exists a trigger event that is not a workflow_call
+ exists(Event e |
+ e = job.getATriggerEvent() and
+ not e.getName() = "workflow_call"
 )
 select job, "Actions Job or Workflow does not set permissions"
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml
rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
new file mode 100644
index 00000000000..6f7844f17cb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
@@ -0,0 +1,16 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ test:
+ name: Build and test
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - uses: actions/checkout@v2
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml
rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
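Review bot: The new `exists(Event e | ...)` conjunct makes the query silent for any job whose trigger events resolve to nothing, so a workflow whose `on:` block `getATriggerEvent()` cannot model (or that has none) is no longer reported, whereas the old condition still fired on every job without permissions; for a security query that turns a modelling gap into a quiet false negative. If excluding files reachable only through `workflow_call` is the intent, the comment on that conjunct should say why rather than restate the predicate, e.g. `// A workflow reachable only through workflow_call runs under the caller's token permissions, so only jobs that also have another trigger are reported.`. To keep the conservative behaviour for unmodelled triggers, the conjunct could become `(not exists(job.getATriggerEvent()) or exists(Event e | e = job.getATriggerEvent() and e.getName() != "workflow_call"))`, which also uses the idiomatic `!=` in place of `not ... =`. I cannot tell from the hunk whether `getATriggerEvent()` can be empty for a syntactically valid `on:` block, so that part is worth confirming against the `actions` library before changing it.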
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
new file mode 100644
index 00000000000..16930cfb07c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
@@ -0,0 +1,11 @@
+on:
+ workflow_call:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
new file mode 100644
index 00000000000..4353c280497
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
@@ -0,0 +1,12 @@
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
index c26769a692e..8f94d0dc45a 100644
--- a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
+++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -1 +1,3 @@
-| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |