new untrusted checkout step

2026-01-07 19:50:22 +01:00 · 2024-04-17 11:15:59 +02:00
parent d18c575cd4
commit bd9cd3eb86
3 changed files with 46 additions and 1 deletions
--- a/ql/lib/ext/sergeysova_jq-action.model.yml
+++ b/ql/lib/ext/sergeysova_jq-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"]
+
--- a/ql/src/Security/CWE-829/UntrustedCheckout.ql
+++ b/ql/src/Security/CWE-829/UntrustedCheckout.ql
@@ -66,7 +66,8 @@ predicate containsHeadRef(string s) {
            "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
            "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
            "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
-            "\\bhead\\.sha\\b", "\\bhead\\.ref\\b"
+            // heuristics
+            "\\bhead\\.sha\\b", "\\bhead\\.ref\\b", "\\bpr_number\\b", "\\bpr_head_sha\\b"
          ], _, _)
  )
 }
@@ -121,6 +122,24 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run {
  }
 }

+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhCheckout extends PRHeadCheckoutStep instanceof Run {
+  GhCheckout() {
+    exists(string line |
+      this.getScript().splitAt("\n") = line and
+      line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+      (
+        containsHeadRef(line)
+        or
+        exists(string varname |
+          containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
+          exists(line.regexpFind(varname, _, _))
+        )
+      )
+    )
+  }
+}
+
 from Workflow w, PRHeadCheckoutStep checkout
 where
  w.isPrivileged() and
--- a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
+++ b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
@@ -0,0 +1,19 @@
+on: issue_comment
+  
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get PR number
+        id: pr_number
+        if: ${{ github.event_name == 'issue_comment'}}
+        run: |
+          PR_URL="${{ github.event.issue.pull_request.url }}"
+          PR_NUMBER=${PR_URL##*/}
+          echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+      - name: Checkout Pull Request
+        if: github.event_name == 'issue_comment'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            gh pr checkout ${{ needs.should_run_it.outputs.pr_number }}