Move ControlChecks to its own file

This commit is contained in:
Alvaro Muñoz
2024-06-27 22:53:20 +02:00
parent b64f53e03e
commit effa1e1356
8 changed files with 71 additions and 63 deletions


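--- /dev/null
+++ b/ControlChecks.qll
@@ -0,0 +1,65 @@
+import actions
+/** An If node that contains an actor, user or label check */
+abstract class ControlCheck extends If {
+predicate dominates(Step step) {
+step.getIf() = this or
+step.getEnclosingJob().getIf() = this or
+step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+}
+}
+class LabelControlCheck extends ControlCheck {
+LabelControlCheck() {
+// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
+// eg: github.event.label.name == 'safe to test'
+exists(
+normalizeExpr(this.getCondition())
+.regexpFind([
+"\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b"
+], _, _)
+)
+}
+}
+class ActorControlCheck extends ControlCheck {
+ActorControlCheck() {
+// eg: github.actor == 'dependabot[bot]'
+// eg: github.triggering_actor == 'CI Agent'
+// eg: github.event.pull_request.user.login == 'mybot'
+exists(
+normalizeExpr(this.getCondition())
+.regexpFind([
+"\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",
+"\\bgithub\\.event\\.comment\\.user\\.login\\b",
+"\\bgithub\\.event\\.pull_request\\.user\\.login\\b",
+], _, _)
+)
+}
+}
+class RepositoryControlCheck extends ControlCheck {
+RepositoryControlCheck() {
+// eg: github.repository == 'test/foo'
+exists(
+normalizeExpr(this.getCondition())
+.regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _)
+)
+}
+}
+class AssociationControlCheck extends ControlCheck {
+AssociationControlCheck() {
+// eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
+exists(
+normalizeExpr(this.getCondition())
+.regexpFind([
+"\\bgithub\\.event\\.comment\\.author_association\\b",
+"\\bgithub\\.event\\.issue\\.author_association\\b",
+"\\bgithub\\.event\\.pull_request\\.author_association\\b",
+], _, _)
+)
+}
+}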
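Review bot: `dominates` treats a condition on any step of a needed job (`step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this`) as gating `step`, but as far as I can tell a step-level `if` that evaluates to false only skips that one step; the needed job still completes and `step` runs, so queries relying on this predicate will report such steps as protected when they are not. Consider dropping that disjunct, or at least documenting the intended semantics on the predicate, e.g. `/** Holds if the step only runs when this check's condition holds: the check is the if of the step, of its enclosing job, or of a job that job needs. */`. The four subclasses also only detect that the condition mentions the relevant context (e.g. `github.actor`), not how it is compared or whether the comparison is negated, so a short note such as `// Matches any mention of an actor context; does not validate the comparison itself` on `ActorControlCheck` would keep readers from over-trusting a match.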


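--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -233,66 +233,3 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run {
 )
 }
 }
-/** An If node that contains an actor, user or label check */
-abstract class ControlCheck extends If {
-predicate dominates(Step step) {
-step.getIf() = this or
-step.getEnclosingJob().getIf() = this or
-step.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
-step.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
-}
-}
-class LabelControlCheck extends ControlCheck {
-LabelControlCheck() {
-// eg: contains(github.event.pull_request.labels.*.name, 'safe to test')
-// eg: github.event.label.name == 'safe to test'
-exists(
-normalizeExpr(this.getCondition())
-.regexpFind([
-"\\bgithub\\.event\\.pull_request\\.labels\\b", "\\bgithub\\.event\\.label\\.name\\b"
-], _, _)
-)
-}
-}
-class ActorControlCheck extends ControlCheck {
-ActorControlCheck() {
-// eg: github.actor == 'dependabot[bot]'
-// eg: github.triggering_actor == 'CI Agent'
-// eg: github.event.pull_request.user.login == 'mybot'
-exists(
-normalizeExpr(this.getCondition())
-.regexpFind([
-"\\bgithub\\.actor\\b", "\\bgithub\\.triggering_actor\\b",
-"\\bgithub\\.event\\.comment\\.user\\.login\\b",
-"\\bgithub\\.event\\.pull_request\\.user\\.login\\b",
-], _, _)
-)
-}
-}
-class RepositoryControlCheck extends ControlCheck {
-RepositoryControlCheck() {
-// eg: github.repository == 'test/foo'
-exists(
-normalizeExpr(this.getCondition())
-.regexpFind(["\\bgithub\\.repository\\b", "\\bgithub\\.repository_owner\\b",], _, _)
-)
-}
-}
-class AssociationControlCheck extends ControlCheck {
-AssociationControlCheck() {
-// eg: contains(fromJson('["MEMBER", "OWNER"]'), github.event.comment.author_association)
-exists(
-normalizeExpr(this.getCondition())
-.regexpFind([
-"\\bgithub\\.event\\.comment\\.author_association\\b",
-"\\bgithub\\.event\\.issue\\.author_association\\b",
-"\\bgithub\\.event\\.pull_request\\.author_association\\b",
-], _, _)
-)
-}
-}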


@@ -12,6 +12,7 @@
*/
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.ControlChecks
from LocalJob job, LabelControlCheck check, MutableRefCheckoutStep checkout, Event event
where


@@ -14,6 +14,7 @@
import actions
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
from ControlCheck check, MutableRefCheckoutStep checkout
where


@@ -14,6 +14,7 @@
import actions
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
from ControlCheck check, MutableRefCheckoutStep checkout
where


@@ -16,6 +16,7 @@
import actions
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
query predicate edges(Step a, Step b) { a.getAFollowingStep() = b }


@@ -16,6 +16,7 @@
import actions
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
from LocalJob j, PRHeadCheckoutStep checkout
where


@@ -16,6 +16,7 @@
import actions
import codeql.actions.security.UntrustedCheckoutQuery
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.ControlChecks
from LocalJob j, PRHeadCheckoutStep checkout
where