feat: New query to report GITHUB_TOKEN exposed in artifacts

2025-12-28 06:36:33 +01:00 · 2024-09-06 17:00:15 +02:00
parent ac7b7b7162
commit fefeae4469
4 changed files with 66 additions and 0 deletions
--- a/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql
@@ -0,0 +1,40 @@
+/**
+ * @name Secret In Artifacts
+ * @description Secrets are exposed in GitHub Artifacts
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 9.0
+ * @precision high
+ * @id actions/secrets-in-artifacts
+ * @tags actions
+ *       security
+ *       experimental
+ *       external/cwe/cwe-312
+ */
+
+import actions
+
+from UsesStep checkout, UsesStep upload
+where
+  checkout.getCallee() = "actions/checkout" and
+  upload.getCallee() = "actions/upload-artifact" and
+  checkout.getAFollowingStep() = upload and
+  (
+    not exists(checkout.getArgument("persist-credentials")) or
+    checkout.getArgument("persist-credentials") = "true"
+  ) and
+  upload.getVersion() =
+    [
+      "v4.3.6", "834a144ee995460fba8ed112a2fc961b36a5ec5a", //
+      "v4.3.5", "89ef406dd8d7e03cfd12d9e0a4a378f454709029", //
+      "v4.3.4", "0b2256b8c012f0828dc542b3febcab082c67f72b", //
+      "v4.3.3", "65462800fd760344b1a7b4382951275a0abb4808", //
+      "v4.3.2", "1746f4ab65b179e0ea60a494b83293b640dd5bba", //
+      "v4.3.1", "5d5d22a31266ced268874388b861e4b58bb5c2f3", //
+      "v4.3.0", "26f96dfa697d77e81fd5907df203aa23a56210a8", //
+      "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", //
+      "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", //
+      "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", //
+    ]
+select upload, "A secret is exposed in a public artifact uploaded by $@", upload,
+  "actions/upload-artifact"
--- a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
+++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml
@@ -0,0 +1,23 @@
+name: secrets-in-artifacts
+on:
+  pull_request:
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+        with:
+          name: file
+          path: results
+  test2:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: file
+          path: results
+
--- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
+++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected
@@ -0,0 +1 @@
+| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact |
--- a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
+++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref
@@ -0,0 +1,2 @@
+Security/CWE-312/SecretsInArtifacts.ql
+
				`@@ -0,0 +1 @@`
				`\| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 \| Uses Step \| A secret is exposed in a public artifact uploaded by $@ \| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 \| Uses Step \| actions/upload-artifact \|`