Encapsulate github-script

jarlob
2023-04-14 10:23:49 +02:00
parent d80c541da6
commit ac1c20673d
2 changed files with 31 additions and 17 deletions


@@ -368,13 +368,32 @@ module Actions {
* script: console.log('${{ github.event.pull_request.head.sha }}') * script: console.log('${{ github.event.pull_request.head.sha }}')
* ``` * ```
*/ */
class Script extends YamlNode, YamlString { class GitHubScript extends YamlNode, YamlString {
With with; GitHubScriptWith with;
Script() { with.lookup("script") = this } GitHubScript() { with.lookup("script") = this }
/** Gets the `with` field this field belongs to. */ /** Gets the `with` field this field belongs to. */
With getWith() { result = with } GitHubScriptWith getWith() { result = with }
}
/**
* A step that uses `actions/github-script` action.
*/
class GitHubScriptStep extends Step {
GitHubScriptStep() { this.getUses().getGitHubRepository() = "actions/github-script" }
}
/**
* A `with:` field sibling to `uses: actions/github-script`.
*/
class GitHubScriptWith extends YamlNode, YamlMapping {
GitHubScriptStep step;
GitHubScriptWith() { step.lookup("with") = this }
/** Gets the step this field belongs to. */
GitHubScriptStep getStep() { result = step }
} }
/** /**
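Review bot: The `GitHubScriptStep` characteristic predicate identifies the action with a case-sensitive equality, `this.getUses().getGitHubRepository() = "actions/github-script"`, while GitHub resolves `uses:` references case-insensitively, so a workflow written as `Actions/GitHub-Script@v6` would not be modelled as a github-script step and the injection query would stay silent on its `script:` input. Unless `getGitHubRepository()` already normalises case (not visible in this hunk), comparing on a lower-cased value closes that gap: `GitHubScriptStep() { this.getUses().getGitHubRepository().toLowerCase() = "actions/github-script" }`. The same equality existed in the predicate this commit removes from the query file, so this is a pre-existing detection gap that the refactor carries over rather than a regression.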


@@ -133,18 +133,13 @@ predicate isRunInjectable(Actions::Run run, string injection, string context) {
* Holds if the `actions/github-script` contains any expression interpolation `${{ e }}`. * Holds if the `actions/github-script` contains any expression interpolation `${{ e }}`.
* Sets `context` to the initial untrusted value assignment in case of `${{ env... }}` interpolation * Sets `context` to the initial untrusted value assignment in case of `${{ env... }}` interpolation
*/ */
predicate isScriptInjectable(Actions::Script script, string injection, string context) { predicate isScriptInjectable(Actions::GitHubScript script, string injection, string context) {
exists(Actions::Step step, Actions::Uses uses |
script.getWith().getStep() = step and
uses.getStep() = step and
uses.getGitHubRepository() = "actions/github-script" and
Actions::getASimpleReferenceExpression(script) = injection and Actions::getASimpleReferenceExpression(script) = injection and
( (
injection = context injection = context
or or
isEnvInterpolationTainted(injection, context) isEnvInterpolationTainted(injection, context)
) )
)
} }
from YamlNode node, string injection, string context from YamlNode node, string injection, string context
@@ -158,7 +153,7 @@ where
run.getStep().getRuns() = runs run.getStep().getRuns() = runs
) )
or or
exists(Actions::Script script | exists(Actions::GitHubScript script |
node = script and node = script and
script.getWith().getStep().getRuns() = runs and script.getWith().getStep().getRuns() = runs and
isScriptInjectable(script, injection, context) isScriptInjectable(script, injection, context)
@@ -184,7 +179,7 @@ where
run.getStep().getJob().getWorkflow().getOn() = on run.getStep().getJob().getWorkflow().getOn() = on
) )
or or
exists(Actions::Script script | exists(Actions::GitHubScript script |
node = script and node = script and
script.getWith().getStep().getJob().getWorkflow().getOn() = on and script.getWith().getStep().getJob().getWorkflow().getOn() = on and
isScriptInjectable(script, injection, context) isScriptInjectable(script, injection, context)
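Review bot: The doc comment on `isScriptInjectable` no longer says where the `actions/github-script` restriction comes from: after this change the predicate body only checks the interpolation, and it is the `Actions::GitHubScript` parameter type that limits `script` to the `script:` input of a github-script step. A reader of this file alone cannot see that, so I would extend the first line of the comment to `* Holds if `script` (typed as `Actions::GitHubScript`, i.e. the `script:` input of an `actions/github-script` step) contains any expression interpolation `${{ e }}`.` The two `from`/`where` hunks below only swap the type name inside `exists(...)` and need no further change.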