fix(queries): Fix Missing Permissions query

If a job is only triggered by `workflow_call`, we dont report any issues since they should be reported on the calling workflows
2025-12-28 06:36:33 +01:00 · 2024-07-31 11:45:30 +02:00
parent 8ffac2935e
commit ab8dd599b7
7 changed files with 49 additions and 6 deletions
--- a/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -13,11 +13,13 @@

 import actions

-from Workflow workflow, Job job
+from Job job
 where
-  job = workflow.getAJob() and
-  (
-    not exists(workflow.getPermissions()) and
-    not exists(job.getPermissions())
+  not exists(job.getPermissions()) and
+  not exists(job.getEnclosingWorkflow().getPermissions()) and
+  // exists a trigger event that is not a workflow_call
+  exists(Event e |
+    e = job.getATriggerEvent() and
+    not e.getName() = "workflow_call"
  )
 select job, "Actions Job or Workflow does not set permissions"
--- a/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/missing_perms.yml
--- a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms2.yml
@@ -0,0 +1,16 @@
+on:
+  pull_request
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+  test:
+    name: Build and test
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+    - uses: actions/checkout@v2
+
--- a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms3.yml
--- a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms4.yml
@@ -0,0 +1,11 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+
--- a/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
+++ b/ql/test/query-tests/Security/CWE-275/.github/workflows/perms5.yml
@@ -0,0 +1,12 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+
+
--- a/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
+++ b/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -1 +1,3 @@
-| .github/workflows/missing_perms.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |