New ExpressionIdAlwaysTrue query

2026-05-02 20:25:13 +02:00 · 2024-04-19 16:19:10 +02:00
parent e084cef23d
commit cb1e19a317
5 changed files with 90 additions and 0 deletions
--- a/ql/lib/codeql/actions/Ast.qll
+++ b/ql/lib/codeql/actions/Ast.qll
@@ -332,6 +332,8 @@ class If extends AstNode instanceof IfImpl {
  string getCondition() { result = super.getCondition() }

  Expression getConditionExpr() { result = super.getConditionExpr() }
+
+  string getConditionStyle() { result = super.getConditionStyle() }
 }

 abstract class Uses extends AstNode instanceof UsesImpl {
--- a/ql/lib/codeql/actions/ast/internal/Ast.qll
+++ b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -666,6 +666,9 @@ class IfImpl extends AstNodeImpl, TIfNode {

  /** Gets the condition that must be satisfied for this job to run. */
  ExpressionImpl getConditionExpr() { result.getParentNode().getNode() = n }
+
+  /** Get condition scalar style. */
+  string getConditionStyle() { result = n.(YamlScalar).getStyle() }
 }

 class EnvImpl extends AstNodeImpl, TEnvNode {
--- a/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql
+++ b/ql/src/Security/CWE-571/ExpressionIsAlwaysTrue.ql
@@ -0,0 +1,24 @@
+/**
+ * @name If expression always true
+ * @description Expressions used in If conditions with extra spaces are always true.
+ * @kind problem
+ * @security-severity 9.0
+ * @problem.severity error
+ * @precision high
+ * @id actions/if-expression-always-true
+ * @tags actions
+ *       maintainability
+ *       external/cwe/cwe-275
+ */
+
+import actions
+
+from If i
+where
+  i.getConditionStyle() = ["|", ">"]
+  or
+  i.getCondition().matches("%${{%") and
+  not i.getCondition().matches("${{%")
+  or
+  count(i.getCondition().splitAt("${{")) > 2
+select i, "Expression always evaluates to true"
--- a/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml
+++ b/ql/test/query-tests/Security/CWE-571/.github/workflows/test.yml
@@ -0,0 +1,60 @@
+name: Conditionally process PR
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  process-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test1 
+        if: 1 == 2
+        run: echo "Test 1 should not be printed"
+      - name: Test 2 
+        if: |
+          ${{ 
+              1 == 2 ||
+              3 == 4
+          }}
+        run: echo "Test 2 should not be printed"
+      - name: Test 3 
+        if: ${{ 1 == 2 }}
+        run: echo "Test 3 should not be printed"
+      - name: Test 4 
+        if:   ${{ 1 == 2 }}
+        run: echo "Test 4 should not be printed"
+      - name: Test 5 
+        if: ${{ 
+              1 == 2 ||
+              3 == 4
+          }}
+        run: echo "Test 5 should not be printed"
+      - name: Test 6
+        if: ${{ 1 == 1 }} ${{ 1 == 2 }}
+        run: echo "Test 6 should not be printed"
+      - name: Test 7
+        run: echo "Test 7 should not be printed"
+        if: ${{ 
+              1 == 2 ||
+              3 == 4
+          }}
+
+      - name: Test 8
+        run: echo "Test 8 should not be printed"
+        if: > 
+          ${{ 
+              1 == 2 ||
+              3 == 4 }}
+      - name: Test 9 
+        if:   '${{ 1 == 2  }}'
+        run: echo "Test 9 should not be printed"
+      - name: Test 10
+        if:   "${{1 == 2  }}"
+        run: echo "Test 10 should not be printed"
+      - name: Test 11
+        if:   " ${{ 1 == 2  }}"
+        run: echo "Test 11 should not be printed"
+      - name: Test 12
+        if:   " ${{ 1 == 2  }}"
+        run: echo "Test 12 should not be printed"
--- a/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref
+++ b/ql/test/query-tests/Security/CWE-571/ExpressionIsAlwaysTrue.qlref
@@ -0,0 +1 @@
+Security/CWE-571/ExpressionIsAlwaysTrue.ql