Make predicates containing query logic more self-contained

This commit is contained in:
Owen Mansel-Chan
2025-12-03 11:27:35 +00:00
parent 8bac1dec83
commit fb841ea591
3 changed files with 20 additions and 18 deletions


@@ -93,23 +93,29 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>; module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
/** /**
* Holds if the flow from `source` to `sink` has critical severity and they are * Holds if there is a code injection flow from `source` to `sink` with
* linked by `event`. * critical severity, linked by `event`.
*/ */
pragma[inline] predicate criticalSeverityCodeInjection(
predicate criticalSeverity(DataFlow::Node source, DataFlow::Node sink, Event event) { CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
event = getRelevantCriticalEventForSink(sink) and ) {
source.(RemoteFlowSource).getEventName() = event.getName() CodeInjectionFlow::flowPath(source, sink) and
event = getRelevantCriticalEventForSink(sink.getNode()) and
source.getNode().(RemoteFlowSource).getEventName() = event.getName()
} }
/** Holds if the flow from `source` to `sink` has medium severity. */ /**
pragma[inline] * Holds if there is a code injection flow from `source` to `sink` with medium severity.
predicate mediumSeverity(DataFlow::Node source, DataFlow::Node sink) { */
not criticalSeverity(source, sink, _) and predicate mediumSeverityCodeInjection(
CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
) {
CodeInjectionFlow::flowPath(source, sink) and
not criticalSeverityCodeInjection(source, sink, _) and
// exclude cases where the sink is a JS script and the expression uses toJson // exclude cases where the sink is a JS script and the expression uses toJson
not exists(UsesStep script | not exists(UsesStep script |
script.getCallee() = "actions/github-script" and script.getCallee() = "actions/github-script" and
script.getArgumentExpr("script") = sink.asExpr() and script.getArgumentExpr("script") = sink.getNode().asExpr() and
exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _)) exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
) )
} }
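Review bot: The `toJson` exclusion inside `mediumSeverityCodeInjection` (the `not exists(UsesStep script | ...)` conjunct) suppresses findings, but its comment only says what is excluded, not why, and now that this predicate is the single place defining medium severity a reader cannot judge from this hunk whether the suppression is sound. I would extend the comment to record the reasoning and its boundary, e.g. `// exclude cases where the sink is a JS script and the expression uses toJson; presumably the JSON-encoded value cannot break out of the script's string context — confirm before relying on this suppression`. The same exclusion is not applied in `criticalSeverityCodeInjection`, so critical-severity flows into `actions/github-script` are still reported regardless of `toJson`; stating that in the critical predicate's docstring would make the asymmetry read as intentional. Separately, `sink.getNode().asExpr()` is evaluated twice in the `exists`; binding it once, e.g. `exists(Expression e | e = sink.getNode().asExpr() | script.getArgumentExpr("script") = e and exists(getAToJsonReferenceExpression(e.getExpression(), _)))`, is equivalent (the second conjunct already requires the `Expression` cast to succeed) and keeps the exclusion readable.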


@@ -20,9 +20,7 @@ import CodeInjectionFlow::PathGraph
import codeql.actions.security.ControlChecks import codeql.actions.security.ControlChecks
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
where where criticalSeverityCodeInjection(source, sink, event)
CodeInjectionFlow::flowPath(source, sink) and
criticalSeverity(source.getNode(), sink.getNode(), event)
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"Potential code injection in $@, which may be controlled by an external user ($@).", sink, "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName() sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()


@@ -19,9 +19,7 @@ import codeql.actions.security.CodeInjectionQuery
import CodeInjectionFlow::PathGraph import CodeInjectionFlow::PathGraph
from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
where where mediumSeverityCodeInjection(source, sink)
CodeInjectionFlow::flowPath(source, sink) and
mediumSeverity(source.getNode(), sink.getNode())
select sink.getNode(), source, sink, select sink.getNode(), source, sink,
"Potential code injection in $@, which may be controlled by an external user.", sink, "Potential code injection in $@, which may be controlled by an external user.", sink,
sink.getNode().asExpr().(Expression).getRawExpression() sink.getNode().asExpr().(Expression).getRawExpression()