From ab8dd599b75f77aec1ca76c3f67a2a013d9aebcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?=
Date: Wed, 31 Jul 2024 11:45:30 +0200
Subject: [PATCH] fix(queries): Fix Missing Permissions query
If a job is only triggered by `workflow_call`, we dont report any issues since they should be reported on the calling workflows
---
.../CWE-275/MissingActionsPermissions.ql | 12 +++++++-----
.../workflows/{missing_perms.yml => perms1.yml} | 0
.../CWE-275/.github/workflows/perms2.yml | 16 ++++++++++++++++
.../.github/workflows/{perms.yml => perms3.yml} | 0
.../CWE-275/.github/workflows/perms4.yml | 11 +++++++++++
.../CWE-275/.github/workflows/perms5.yml | 12 ++++++++++++
.../CWE-275/MissingActionsPermissions.expected | 4 +++-
7 files changed, 49 insertions(+), 6 deletions(-)
rename ql/test/query-tests/Security/CWE-275/.github/workflows/{missing_perms.yml => perms1.yml} (100%)
create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
rename ql/test/query-tests/Security/CWE-275/.github/workflows/{perms.yml => perms3.yml} (100%)
create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
create mode 100644 ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
diff --git a/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
index ffb217739c7..d2969b7d6e7 100644
--- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -13,11 +13,13 @@
 import actions
-from Workflow workflow, Job job
+from Job job
 where
- job = workflow.getAJob() and
- (
- not exists(workflow.getPermissions()) and
- not exists(job.getPermissions())
+ not exists(job.getPermissions()) and
+ not exists(job.getEnclosingWorkflow().getPermissions()) and
+ // exists a trigger event that is not a workflow_call
+ exists(Event e |
+ e = job.getATriggerEvent() and
+ not e.getName() = "workflow_call"
 )
 select job, "Actions Job or Workflow does not set permissions"
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml
rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms1.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
new file mode 100644
index 00000000000..6f7844f17cb
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
@@ -0,0 +1,16 @@
+on:
+ pull_request
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ test:
+ name: Build and test
+ runs-on: ubuntu-latest
+ permissions: {}
+ steps:
+ - uses: actions/checkout@v2
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
similarity index 100%
rename from ql/test/query-tests/Security/CWE-275/.github/workflows/perms.yml
rename to ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
new file mode 100644
index 00000000000..16930cfb07c
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
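Review bot: The new `exists(Event e | ...)` conjunct makes the query fail open: a job for which `job.getATriggerEvent()` has no result (an `on:` shape the extractor does not model, or a malformed `on:` block) is now silently dropped, whereas before any job lacking both job- and workflow-level permissions was reported. If that is not intended, keep the alert when no trigger is known, e.g. `(not exists(job.getATriggerEvent()) or exists(Event e | e = job.getATriggerEvent() and not e.getName() = "workflow_call"))`, so that only a positively identified workflow_call-only job is exempted. The reason for the exemption lives only in the commit message; a short comment on the conjunct such as `// workflow_call-only jobs run under the calling workflow's token permissions; report those on the caller` would let the next reader see why this is not a false negative. As a style point, CodeQL usually writes the inequality as `e.getName() != "workflow_call"` rather than `not e.getName() = ...`.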
@@ -0,0 +1,11 @@
+on:
+ workflow_call:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
new file mode 100644
index 00000000000..4353c280497
--- /dev/null
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
@@ -0,0 +1,12 @@
+on:
+ workflow_call:
+ workflow_dispatch:
+
+jobs:
+ build:
+ name: Build and test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+
diff --git a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
index c26769a692e..8f94d0dc45a 100644
--- a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
+++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -1 +1,3 @@
-| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |
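Review bot: The perms4.yml and perms5.yml fixtures exercise only the mapping form of `on:` (`workflow_call:` and `workflow_dispatch:` as keys), and perms2.yml the scalar form, so the `getATriggerEvent()` path the updated query now depends on is not pinned for the flow-sequence form (`on: [workflow_call, workflow_dispatch]`). If the extractor models that form as the same `Event`s, a further fixture in that shape with a matching `.expected` row would make a regression in that code path visible; if it models it differently, that is precisely the case in which a job could now be skipped without an alert. A fixture combining `workflow_call` with a workflow-level `permissions:` block would also cover the `getEnclosingWorkflow().getPermissions()` branch for the new code path, unless the renamed perms3.yml (contents not in this patch) already does so.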