diff --git a/ql/lib/codeql/actions/dataflow/FlowSteps.qll b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
index b0d98d2e659..787a5f72084 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSteps.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSteps.qll
@@ -49,8 +49,15 @@ predicate envToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::
  * echo "bar=${foo}" >> "$GITHUB_OUTPUT"
  */
 predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
-  exists(CommandSource source, Run run, string key, string cmd |
-    source.getCommand() = cmd and
+  exists(Run run, string key, string cmd |
+    (
+      exists(CommandSource source | source.getCommand() = cmd)
+      or
+      exists(FileSource source |
+        source.asExpr().(Step).getAFollowingStep() = run and
+        Bash::outputsPartialFileContent(run, cmd)
+      )
+    ) and
     Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_OUTPUT", key) and
     c = any(DataFlow::FieldContent ct | ct.getName() = key) and
     pred.asExpr() = run.getScriptScalar() and
@@ -67,8 +74,15 @@ predicate commandToOutputStoreStep(DataFlow::Node pred, DataFlow::Node succ, Dat
  * echo "bar=${foo}" >> "$GITHUB_ENV"
  */
 predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
-  exists(CommandSource source, Run run, string key, string cmd |
-    source.getCommand() = cmd and
+  exists(Run run, string key, string cmd |
+    (
+      exists(CommandSource source | source.getCommand() = cmd)
+      or
+      exists(FileSource source |
+        source.asExpr().(Step).getAFollowingStep() = run and
+        Bash::outputsPartialFileContent(run, cmd)
+      )
+    ) and
     Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and
     c = any(DataFlow::FieldContent ct | ct.getName() = key) and
     pred.asExpr() = run.getScriptScalar() and
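Review bot: The parenthesised `CommandSource`/`FileSource` disjunction added inside `exists(Run run, string key, string cmd | …)` is repeated verbatim in the `commandToEnvStoreStep` hunk that follows, so the two store steps can silently drift apart; a shared helper such as `predicate cmdFromSource(Run run, string cmd)` holding that disjunction, with each predicate reduced to `cmdFromSource(run, cmd) and`, would keep them in lockstep. The QLDoc above `commandToOutputStoreStep` (its start is above the hunk) still only shows the `echo "bar=${foo}" >> "$GITHUB_OUTPUT"` command case, and the file-read examples disappeared with the deleted `fileToOutputStoreStep`/`fileToEnvStoreStep`, so the merged predicates should gain a line like ` * or a command that reads a file produced by an earlier step, e.g. echo "bar=$(<file)" >> "$GITHUB_OUTPUT"` in both doc comments. As far as the visible lines show, the `FileSource` branch only requires that the file-producing step precede `run` and that `cmd` read some file content; nothing ties the read to the file that `source` produced, which looks like an over-approximation inherited from the removed predicates and deserves a comment such as `// any file read in a step after a FileSource is treated as reading that source's file`.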
@@ -76,41 +90,3 @@ predicate commandToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFl
     succ.asExpr() = run.getEnclosingJob()
   )
 }
-
-/**
- * A downloaded artifact that gets assigned to a Run step output.
- * - uses: actions/download-artifact@v2
- * - run: echo "::set-output name=id::$(> "$GITHUB_ENV" - run: | - *     foo=$(> "$GITHUB_ENV"
- */
-predicate fileToEnvStoreStep(DataFlow::Node pred, DataFlow::Node succ, DataFlow::ContentSet c) {
-  exists(FileSource source, Run run, string key, string cmd |
-    source.asExpr().(Step).getAFollowingStep() = run and
-    Bash::cmdReachingGitHubFileWrite(run, cmd, "GITHUB_ENV", key) and
-    Bash::outputsPartialFileContent(run, cmd) and
-    c = any(DataFlow::FieldContent ct | ct.getName() = key) and
-    pred.asExpr() = run.getScriptScalar() and
-    // we store the taint on the enclosing job since there may not be an implicit env attribute
-    succ.asExpr() = run.getEnclosingJob()
-  )
-}
diff --git a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
index d7c3dad9ee7..cf95292588c 100644
--- a/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
@@ -351,8 +351,6 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
   madStoreStep(node1, node2, c) or
   envToOutputStoreStep(node1, node2, c) or
   envToEnvStoreStep(node1, node2, c) or
-  fileToOutputStoreStep(node1, node2, c) or
-  fileToEnvStoreStep(node1, node2, c) or
   commandToOutputStoreStep(node1, node2, c) or
   commandToEnvStoreStep(node1, node2, c)
 }