Update Priv workflow definition

2026-05-01 03:35:13 +02:00 · 2024-04-16 11:41:53 +02:00
parent 25eace71bf
commit 9ecda65e32
8 changed files with 102 additions and 23 deletions
--- a/ql/lib/codeql-pack.lock.yml
+++ b/ql/lib/codeql-pack.lock.yml
@@ -1,16 +0,0 @@
---
-lockVersion: 1.0.0
-dependencies:
-  codeql/controlflow:
-    version: 0.1.7
-  codeql/dataflow:
-    version: 0.1.7
-  codeql/ssa:
-    version: 0.2.7
-  codeql/typetracking:
-    version: 0.2.7
-  codeql/util:
-    version: 0.2.7
-  codeql/yaml:
-    version: 0.2.7
-compiled: false
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -208,19 +208,21 @@ class Workflow extends AstNode instanceof WorkflowImpl {

  predicate hasSingleTrigger(string trigger) {
    this.getATriggerEvent() = trigger and
-    count(string t | this.getATriggerEvent() = t | t) = 1
+    count(this.getATriggerEvent()) = 1
  }

  predicate isPrivileged() {
    // The Workflow has a permission to write to some scope
-    this.getPermissions().getAPermission() = "write" and
+    this.getPermissions().getAPermission() = "write"
+    or
    // The Workflow accesses a secret
    exists(SecretsExpression expr |
      expr.getEnclosingWorkflow() = this and not expr.getFieldName() = "GITHUB_TOKEN"
    )
    or
    // The Workflow is triggered by an event other than `pull_request`
-    not this.hasSingleTrigger("pull_request")
+    count(this.getATriggerEvent()) = 1 and
+    not this.getATriggerEvent() = ["pull_request", "workflow_call"]
    or
    // The Workflow is only triggered by `workflow_call` and there is
    // a caller workflow triggered by an event other than `pull_request`
@@ -228,8 +230,11 @@ class Workflow extends AstNode instanceof WorkflowImpl {
    exists(ExternalJob call, Workflow caller |
      call.getCallee() = this.getLocation().getFile().getRelativePath() and
      caller = call.getWorkflow() and
-      not caller.hasSingleTrigger("pull_request")
+      caller.isPrivileged()
    )
+    or
+    // The Workflow has multiple triggers so at least one is ont "pull_request"
+    count(this.getATriggerEvent()) > 1
  }
 }

--- a/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
+++ b/ql/test/query-tests/Security/CWE-078/.github/workflows/documentation.yml
@@ -0,0 +1,87 @@
+name: Documentation
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  parse_commit_info:
+    runs-on: ubuntu-latest
+    outputs:
+      can_deploy: ${{ steps.decide.outputs.can_deploy }}
+      deploy_to: ${{ steps.decide.outputs.deploy_to }}
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Copy build utils
+        run: |
+          cp -r .github/utils ../utils
+
+      - name: Decide Whether to Build and/or Release
+        id: decide
+        run: |
+          set -xe
+          CAN_DEPLOY=$(python ../utils/please.py can_i_deploy_documentation)
+          DEPLOY_TO=$(python ../utils/please.py where_can_i_deploy_documentation)
+
+          echo "can_deploy=$CAN_DEPLOY" >> $GITHUB_OUTPUT
+          echo "deploy_to=$DEPLOY_TO" >> $GITHUB_OUTPUT
+          echo github.ref ${{ github.ref }}
+
+  build-documentation:
+    runs-on: ubuntu-latest
+    needs: parse_commit_info
+
+    strategy:
+      matrix:
+        python-version: [3.11]
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install Quarto
+        uses: quarto-dev/quarto-actions/setup@v2
+        with:
+          version: pre-release
+
+      - name: Install Package
+        shell: bash
+        run: |
+          make doc-deps
+
+      - name: Environment Information
+        shell: bash
+        run: |
+          ls -la
+          ls -la doc
+          pip list
+
+      - name: Build docs
+        shell: bash
+        run: |
+          pushd doc; make doc; popd
+
+      - name: Environment Information
+        shell: bash
+        run: |
+          ls -la doc
+          cat doc/_variables.yml
+          ls -la doc/reference
+
+      - name: Deploy to Documentation to a Branch
+        uses: JamesIves/github-pages-deploy-action@v4
+        if: contains(needs.parse_commit_info.outputs.can_deploy, 'true')
+        with:
+          folder: doc/_site
+          branch: ${{ needs.parse_commit_info.outputs.deploy_to }}
+          commit-message: ${{ github.event.head_commit.message }}
--- a/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
+++ b/ql/test/query-tests/Security/CWE-078/CommandInjection.expected
@@ -1,5 +1,6 @@
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 subpaths
 #select
--- a/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
+++ b/ql/test/query-tests/Security/CWE-078/PrivilegedCommandInjection.expected
@@ -1,6 +1,8 @@
 edges
 nodes
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 subpaths
 #select
 | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:26:9:57 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | Potential privileged command injection in $@, which may be controlled by an external user. | .github/workflows/documentation.yml:87:28:87:66 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/inter-job4.yml
@@ -1,4 +1,4 @@
-jn: push
+on: push

 jobs:
  job0:
--- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -234,4 +234,6 @@ nodes
 subpaths
 #select
 | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | .github/workflows/changed-files.yml:16:9:20:6 | Uses Step: changed-files | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:22:24:22:75 | steps.changed-files.outputs.all_changed_files | ${{ steps.changed-files.outputs.all_changed_files }} |
+| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} |
+| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} |
 | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} |
--- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
@@ -236,8 +236,6 @@ subpaths
 | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} |
 | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | .github/workflows/artifactpoisoning1.yml:14:9:20:6 | Uses Step | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning1.yml:34:67:34:92 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
 | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | .github/workflows/artifactpoisoning2.yml:13:9:19:6 | Uses Step: pr | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning2.yml:22:17:22:42 | steps.pr.outputs.id | ${{ steps.pr.outputs.id }} |
-| .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} |
-| .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} |
 | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:9:15:9:46 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:15:19:15:50 | github.event.comment.body | ${{ github.event.comment.body }} |
 | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/comment_issue.yml:16:19:16:48 | github.event.issue.body | ${{ github.event.issue.body }} |