feat(models): Add support for artifact to step output

This commit is contained in:
Alvaro Muñoz
2024-07-12 11:10:01 +02:00
parent 29d2b287c9
commit 8289bf97b9
5 changed files with 53 additions and 2 deletions


@@ -1,6 +1,7 @@
private import actions
private import internal.ExternalFlowExtensions as Extensions
private import codeql.actions.DataFlow
private import actions
private import codeql.actions.security.ArtifactPoisoningQuery
/**
* MaD sources
@@ -91,6 +92,12 @@ predicate madStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::Conte
or
input.trim().matches("input.%") and
pred.asExpr() = uses.getArgumentExpr(input.trim().replaceAll("input.", ""))
or
input.trim() = "artifact" and
exists(UntrustedArtifactDownloadStep download |
pred.asExpr() = download and
download.getAFollowingStep() = uses
)
) and
succ.asExpr() = uses
)
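Review bot: The new `artifact` disjunct in `madStoreStep` makes any `UntrustedArtifactDownloadStep` that precedes the `uses` step the source of the modelled output, without correlating the downloaded artifact with what the action actually reads (for example a `path` input), whereas the neighbouring `input.%` branch names the exact argument; that over-approximation is defensible for a taint model but should be stated next to the code, e.g. `// "artifact": the output is derived from a file in an untrusted artifact downloaded by a preceding step; the artifact path is not matched against the action's inputs, so any earlier download step in the job is treated as the source.` Whether `getAFollowingStep()` covers every later step or only the immediate successor is not visible here, so the comment should say which. The first hunk also leaves `private import actions` listed twice; if both lines survive on the new side, one is redundant. The head of `madStoreStep` is outside the hunk (it appears only in the `@@` context line).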


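--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,33 @@
+extensions:
+- addsTo:
+pack: github/actions-all
+extensible: actionsSummaryModel
+data:
+- ["juliangruber/read-file-action", "*", "artifact", "output.content", "taint", "manual"]
+- ["bfren/read-file", "*", "artifact", "output.contents", "taint", "manual"]
+- ["igorskyflyer/action-readfile", "*", "artifact", "output.content", "taint", "manual"]
+- ["komorebitech/read-files-action", "*", "artifact", "output.content", "taint", "manual"]
+- ["jaywcjlove/github-action-read-file", "*", "artifact", "output.content", "taint", "manual"]
+- ["andstor/file-reader-action", "*", "artifact", "output.contents", "taint", "manual"]
+- ["Reedyuk/read-properties", "*", "artifact", "output.value", "taint", "manual"]
+- ["browniebroke/read-nvmrc-action", "*", "artifact", "output.node_version", "taint", "manual"]
+- ["jbutcher5/read-yaml", "*", "artifact", "output.data", "taint", "manual"]
+- ["christian-draeger/read-properties", "*", "artifact", "output.*", "taint", "manual"]
+- ["traversals-analytics-and-intelligence/file-reader-action", "*", "artifact", "output.content", "taint", "manual"]
+- ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+- ["satya-500/read-file-github-action", "*", "artifact", "output.contents", "taint", "manual"]
+- ["guibranco/github-file-reader-action-v2", "*", "artifact", "output.contents", "taint", "manual"]
+- ["gagle/package-version", "*", "artifact", "output.version", "taint", "manual"]
+- ["ActionsTools/read-json-action", "*", "artifact", "output.*", "taint", "manual"]
+- ["madhead/read-java-properties", "*", "artifact", "output.*", "taint", "manual"]
+- ["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+- ["rexdefuror/read-package-json", "*", "artifact", "env.*", "taint", "manual"]
+- ["BrycensRanch/read-properties-action", "*", "artifact", "output.*", "taint", "manual"]
+- ["kurt-code/gha-properties", "*", "artifact", "output.*", "taint", "manual"]
+- ["SebRollen/toml-action", "*", "artifact", "output.value", "taint", "manual"]
+- ["simonblund/version-reader", "*", "artifact", "output.version", "taint", "manual"]
+- ["mindsers/changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"]
+- ["nichmor/minimal-read-yaml", "*", "artifact", "output.*", "taint", "manual"]
+- ["miraai/read-helm-chart-yaml", "*", "artifact", "output.*", "taint", "manual"]
+- ["dangdennis/toml-action", "*", "artifact", "output.value", "taint", "manual"]
+- ["artlaman/conventional-changelog-reader-action", "*", "artifact", "output.*", "taint", "manual"]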
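Review bot: The row `["pietrobolcato/action-read-yaml", "*", "artifact", "output.*", "taint", "manual"]` appears twice in the data block and the second copy should be dropped; a duplicate adds no coverage and may hide an entry that was meant to be a different action. Every row uses `"*"` for the version, so the models apply to any ref of these actions, which is consistent with the rest of the file but worth a one-line `#` comment at the top of the block explaining that the `artifact` input kind denotes a file read from a previously downloaded untrusted artifact rather than a named action input. The `rexdefuror/read-package-json` row is the only one whose output is `env.*` instead of `output.*`; presumably that action exports its results as environment variables, but it stands out and should be confirmed against the action.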


@@ -19,5 +19,5 @@ jobs:
with:
path: ./artifact.txt
- name: Use artifact
run: echo ${{ steps.artifact.outputs.contents }}
run: echo ${{ steps.artifact.outputs.content }}


@@ -9,6 +9,8 @@ edges
| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance | |
| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | provenance | |
| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | provenance | |
| .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | provenance | |
| .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | provenance | |
| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance | |
| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance | |
| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | provenance | |
@@ -117,6 +119,9 @@ nodes
| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
| .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | semmle.label | Uses Step: artifact [content] |
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | semmle.label | steps.artifact.outputs.content |
| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |
@@ -333,6 +338,7 @@ subpaths
| .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:27:67:27:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
| .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} |
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | ${{ steps.artifact.outputs.content }} |
| .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} |
| .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning6.yml:29:20:29:59 | steps.artifact2.outputs.pr_number | ${{ steps.artifact2.outputs.pr_number }} |
| .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | .github/workflows/artifactpoisoning8.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning8.yml:22:20:22:51 | steps.artifact.outputs.id | ${{ steps.artifact.outputs.id }} |


@@ -9,6 +9,8 @@ edges
| .github/workflows/artifactpoisoning4.yml:9:9:17:6 | Uses Step | .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | provenance | |
| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | provenance | |
| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | provenance | |
| .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | provenance | |
| .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | provenance | |
| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance | |
| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | .github/workflows/artifactpoisoning6.yml:24:14:27:57 | echo "::set-output name=pr_number::$(cat -e artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | provenance | |
| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | .github/workflows/artifactpoisoning6.yml:21:20:21:58 | steps.artifact.outputs.pr_number | provenance | |
@@ -117,6 +119,9 @@ nodes
| .github/workflows/artifactpoisoning4.yml:17:9:21:6 | Run Step: artifact [id] | semmle.label | Run Step: artifact [id] |
| .github/workflows/artifactpoisoning4.yml:19:14:19:58 | echo "::set-output name=id::$(<artifact.txt)" | semmle.label | echo "::set-output name=id::$(<artifact.txt)" |
| .github/workflows/artifactpoisoning4.yml:22:20:22:51 | steps.artifact.outputs.id | semmle.label | steps.artifact.outputs.id |
| .github/workflows/artifactpoisoning5.yml:8:9:16:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning5.yml:16:9:21:6 | Uses Step: artifact [content] | semmle.label | Uses Step: artifact [content] |
| .github/workflows/artifactpoisoning5.yml:22:20:22:56 | steps.artifact.outputs.content | semmle.label | steps.artifact.outputs.content |
| .github/workflows/artifactpoisoning6.yml:8:9:15:6 | Uses Step | semmle.label | Uses Step |
| .github/workflows/artifactpoisoning6.yml:15:9:20:6 | Run Step: artifact [pr_number] | semmle.label | Run Step: artifact [pr_number] |
| .github/workflows/artifactpoisoning6.yml:16:14:19:57 | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n | semmle.label | echo "::set-output name=pr_number::$(<artifact.txt)"\nmkdir firebase-android\nunzip firebase-android.zip -d firebase-android\n |