Encapsulate github-script

2025-12-20 18:56:32 +01:00 · 2023-04-14 10:23:49 +02:00
parent d80c541da6
commit ac1c20673d
2 changed files with 31 additions and 17 deletions
--- a/javascript/ql/lib/semmle/javascript/Actions.qll
+++ b/javascript/ql/lib/semmle/javascript/Actions.qll
@@ -368,13 +368,32 @@ module Actions {
   *   script: console.log('${{ github.event.pull_request.head.sha }}')
   * ```
   */
-  class Script extends YamlNode, YamlString {
-    With with;
+  class GitHubScript extends YamlNode, YamlString {
+    GitHubScriptWith with;

-    Script() { with.lookup("script") = this }
+    GitHubScript() { with.lookup("script") = this }

    /** Gets the `with` field this field belongs to. */
-    With getWith() { result = with }
+    GitHubScriptWith getWith() { result = with }
+  }
+
+  /**
+   * A step that uses `actions/github-script` action.
+   */
+  class GitHubScriptStep extends Step {
+    GitHubScriptStep() { this.getUses().getGitHubRepository() = "actions/github-script" }
+  }
+
+  /**
+   * A `with:` field sibling to `uses: actions/github-script`.
+   */
+  class GitHubScriptWith extends YamlNode, YamlMapping {
+    GitHubScriptStep step;
+
+    GitHubScriptWith() { step.lookup("with") = this }
+
+    /** Gets the step this field belongs to. */
+    GitHubScriptStep getStep() { result = step }
  }

  /**
--- a/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -133,18 +133,13 @@ predicate isRunInjectable(Actions::Run run, string injection, string context) {
 * Holds if the `actions/github-script` contains any expression interpolation `${{ e }}`.
 * Sets `context` to the initial untrusted value assignment in case of `${{ env... }}` interpolation
 */
-predicate isScriptInjectable(Actions::Script script, string injection, string context) {
-  exists(Actions::Step step, Actions::Uses uses |
-    script.getWith().getStep() = step and
-    uses.getStep() = step and
-    uses.getGitHubRepository() = "actions/github-script" and
+predicate isScriptInjectable(Actions::GitHubScript script, string injection, string context) {
  Actions::getASimpleReferenceExpression(script) = injection and
  (
    injection = context
    or
    isEnvInterpolationTainted(injection, context)
  )
-  )
 }

 from YamlNode node, string injection, string context
@@ -158,7 +153,7 @@ where
        run.getStep().getRuns() = runs
      )
      or
-      exists(Actions::Script script |
+      exists(Actions::GitHubScript script |
        node = script and
        script.getWith().getStep().getRuns() = runs and
        isScriptInjectable(script, injection, context)
@@ -184,7 +179,7 @@ where
        run.getStep().getJob().getWorkflow().getOn() = on
      )
      or
-      exists(Actions::Script script |
+      exists(Actions::GitHubScript script |
        node = script and
        script.getWith().getStep().getJob().getWorkflow().getOn() = on and
        isScriptInjectable(script, injection, context)