From fefeae44690ce1cbe9b3caba8fbbf4a00878a47e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Fri, 6 Sep 2024 17:00:15 +0200 Subject: [PATCH] feat: New query to report GITHUB_TOKEN exposed in artifacts --- ql/src/Security/CWE-312/SecretsInArtifacts.ql | 40 +++++++++++++++++++ .../workflows/secrets-in-artifacts.yml | 23 +++++++++++ .../CWE-312/SecretsInArtifacts.expected | 1 + .../Security/CWE-312/SecretsInArtifacts.qlref | 2 + 4 files changed, 66 insertions(+) create mode 100644 ql/src/Security/CWE-312/SecretsInArtifacts.ql create mode 100644 ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml create mode 100644 ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected create mode 100644 ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref diff --git a/ql/src/Security/CWE-312/SecretsInArtifacts.ql b/ql/src/Security/CWE-312/SecretsInArtifacts.ql new file mode 100644 index 00000000000..07e498706d8 --- /dev/null +++ b/ql/src/Security/CWE-312/SecretsInArtifacts.ql @@ -0,0 +1,40 @@ +/** + * @name Secret In Artifacts + * @description Secrets are exposed in GitHub Artifacts + * @kind problem + * @problem.severity error + * @security-severity 9.0 + * @precision high + * @id actions/secrets-in-artifacts + * @tags actions + * security + * experimental + * external/cwe/cwe-312 + */ + +import actions + +from UsesStep checkout, UsesStep upload +where + checkout.getCallee() = "actions/checkout" and + upload.getCallee() = "actions/upload-artifact" and + checkout.getAFollowingStep() = upload and + ( + not exists(checkout.getArgument("persist-credentials")) or + checkout.getArgument("persist-credentials") = "true" + ) and + upload.getVersion() = + [ + "v4.3.6", "834a144ee995460fba8ed112a2fc961b36a5ec5a", // + "v4.3.5", "89ef406dd8d7e03cfd12d9e0a4a378f454709029", // + "v4.3.4", "0b2256b8c012f0828dc542b3febcab082c67f72b", // + "v4.3.3", "65462800fd760344b1a7b4382951275a0abb4808", // + "v4.3.2", "1746f4ab65b179e0ea60a494b83293b640dd5bba", // + "v4.3.1", "5d5d22a31266ced268874388b861e4b58bb5c2f3", // + "v4.3.0", "26f96dfa697d77e81fd5907df203aa23a56210a8", // + "v4.2.0", "694cdabd8bdb0f10b2cea11669e1bf5453eed0a6", // + "v4.1.0", "1eb3cb2b3e0f29609092a73eb033bb759a334595", // + "v4.0.0", "c7d193f32edcb7bfad88892161225aeda64e9392", // + ] +select upload, "A secret is exposed in a public artifact uploaded by $@", upload, + "actions/upload-artifact" diff --git a/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml new file mode 100644 index 00000000000..611ac16dcfa --- /dev/null +++ b/ql/test/query-tests/Security/CWE-312/.github/workflows/secrets-in-artifacts.yml @@ -0,0 +1,23 @@ +name: secrets-in-artifacts +on: + pull_request: +jobs: + test1: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: "Upload artifact" + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: file + path: results + test2: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: "Upload artifact" + uses: actions/upload-artifact@v4 + with: + name: file + path: results + diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected new file mode 100644 index 00000000000..67c7fd6e8aa --- /dev/null +++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.expected @@ -0,0 +1 @@ +| .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | A secret is exposed in a public artifact uploaded by $@ | .github/workflows/secrets-in-artifacts.yml:9:9:14:2 | Uses Step | actions/upload-artifact | diff --git a/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref new file mode 100644 index 00000000000..c9bb538a12d --- /dev/null +++ b/ql/test/query-tests/Security/CWE-312/SecretsInArtifacts.qlref @@ -0,0 +1,2 @@ +Security/CWE-312/SecretsInArtifacts.ql +