ruby: add MaD model for permissions needed by actions

Use this to suggest minimal set of nedded permissions
2026-04-30 11:15:13 +02:00 · 2025-03-28 12:57:58 +01:00
parent 279e9e2d70
commit e7bb47f335
8 changed files with 99 additions and 6 deletions
--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -14,7 +14,28 @@

 import actions

-from Job job
+Step stepInJob(Job job) { result = job.(LocalJob).getAStep() }
+
+bindingset[fullActionSelector]
+string versionedAction(string fullActionSelector) {
+  result = fullActionSelector.substring(0, fullActionSelector.indexOf("@"))
+  or
+  not exists(fullActionSelector.indexOf("@")) and
+  result = fullActionSelector
+}
+
+string stepUses(Step step) { result = step.getUses().(ScalarValue).getValue() }
+
+string jobNeedsPersmission(Job job) {
+  actionsPermissionsDataModel(versionedAction(stepUses(stepInJob(job))), result)
+}
+
+string permissionsForJob(Job job) {
+  result =
+    "{" + concat(string permission | permission = jobNeedsPersmission(job) | permission, ", ") + "}"
+}
+
+from Job job, string permissions
 where
  not exists(job.getPermissions()) and
  not exists(job.getEnclosingWorkflow().getPermissions()) and
@@ -22,5 +43,7 @@ where
  exists(Event e |
    e = job.getATriggerEvent() and
    not e.getName() = "workflow_call"
-  )
-select job, "Actions Job or Workflow does not set permissions"
+  ) and
+  permissions = permissionsForJob(job)
+select job,
+  "Actions Job or Workflow does not set permissions. A minimal set might be " + permissions