

1 Commits

Author SHA1 Message Date
Esben Sparre Andreasen
3a68709955 add PoC GitHub Actions inputs as untrusted sources 2022-04-11 09:31:00 +02:00
3 changed files with 36 additions and 0 deletions


@@ -51,4 +51,18 @@ module CommandInjection {
class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
}
class GitHubActionsInput extends Source {
GitHubActionsInput() {
this = API::moduleImport("@actions/core").getMember("getInput").getACall() or
this =
API::moduleImport("@actions/github")
.getMember("context")
.getMember("payload")
.getMember("inputs")
.getAnImmediateUse()
}
override string getSourceType() { result = "a GitHub Actions input" }
}
}
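Review bot: Only `getInput` is modeled as a source in the first disjunct of `GitHubActionsInput()`; `@actions/core` also exposes `getMultilineInput` (and `getBooleanInput`), which read the same workflow-supplied values, so a command assembled from a multi-line input would not be reported. Extending the member lookup keeps the model in one place: `this = API::moduleImport("@actions/core").getMember(["getInput", "getMultilineInput"]).getACall()`. The new class also carries no QLDoc comment; a one-liner such as `/** A GitHub Actions workflow input (core.getInput(...) or github.context.payload.inputs), treated as untrusted. */` would record why these values are considered attacker-controlled. Because the class is declared inside `module CommandInjection`, these inputs are untrusted only for this query; if they are meant as general untrusted data, a shared remote-flow-source model may be the better home. The enclosing module starts outside the hunk.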


@@ -134,6 +134,13 @@ nodes
| form-parsers.js:59:10:59:33 | "touch ... ilename |
| form-parsers.js:59:21:59:24 | part |
| form-parsers.js:59:21:59:33 | part.filename |
| github-actions.js:6:11:6:37 | core.ge ... input") |
| github-actions.js:6:11:6:37 | core.ge ... input") |
| github-actions.js:6:11:6:37 | core.ge ... input") |
| github-actions.js:7:11:7:39 | github. ... .inputs |
| github-actions.js:7:11:7:39 | github. ... .inputs |
| github-actions.js:7:11:7:53 | github. ... input"] |
| github-actions.js:7:11:7:53 | github. ... input"] |
| lib/subLib/index.js:7:32:7:35 | name |
| lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
| lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -306,6 +313,11 @@ edges
| form-parsers.js:59:21:59:24 | part | form-parsers.js:59:21:59:33 | part.filename |
| form-parsers.js:59:21:59:33 | part.filename | form-parsers.js:59:10:59:33 | "touch ... ilename |
| form-parsers.js:59:21:59:33 | part.filename | form-parsers.js:59:10:59:33 | "touch ... ilename |
| github-actions.js:6:11:6:37 | core.ge ... input") | github-actions.js:6:11:6:37 | core.ge ... input") |
| github-actions.js:7:11:7:39 | github. ... .inputs | github-actions.js:7:11:7:53 | github. ... input"] |
| github-actions.js:7:11:7:39 | github. ... .inputs | github-actions.js:7:11:7:53 | github. ... input"] |
| github-actions.js:7:11:7:39 | github. ... .inputs | github-actions.js:7:11:7:53 | github. ... input"] |
| github-actions.js:7:11:7:39 | github. ... .inputs | github-actions.js:7:11:7:53 | github. ... input"] |
| lib/subLib/index.js:7:32:7:35 | name | lib/subLib/index.js:8:22:8:25 | name |
| lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
| lib/subLib/index.js:8:22:8:25 | name | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name |
@@ -385,6 +397,8 @@ edges
| form-parsers.js:41:10:41:31 | "touch ... ds.name | form-parsers.js:40:26:40:31 | fields | form-parsers.js:41:10:41:31 | "touch ... ds.name | This command depends on $@. | form-parsers.js:40:26:40:31 | fields | a user-provided value |
| form-parsers.js:53:10:53:31 | "touch ... ds.name | form-parsers.js:52:34:52:39 | fields | form-parsers.js:53:10:53:31 | "touch ... ds.name | This command depends on $@. | form-parsers.js:52:34:52:39 | fields | a user-provided value |
| form-parsers.js:59:10:59:33 | "touch ... ilename | form-parsers.js:58:30:58:33 | part | form-parsers.js:59:10:59:33 | "touch ... ilename | This command depends on $@. | form-parsers.js:58:30:58:33 | part | a user-provided value |
| github-actions.js:6:11:6:37 | core.ge ... input") | github-actions.js:6:11:6:37 | core.ge ... input") | github-actions.js:6:11:6:37 | core.ge ... input") | This command depends on $@. | github-actions.js:6:11:6:37 | core.ge ... input") | a GitHub Actions input |
| github-actions.js:7:11:7:53 | github. ... input"] | github-actions.js:7:11:7:39 | github. ... .inputs | github-actions.js:7:11:7:53 | github. ... input"] | This command depends on $@. | github-actions.js:7:11:7:39 | github. ... .inputs | a GitHub Actions input |
| lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | child_process-test.js:85:37:85:54 | req.query.fileName | lib/subLib/index.js:8:10:8:25 | "rm -rf " + name | This command depends on $@. | child_process-test.js:85:37:85:54 | req.query.fileName | a user-provided value |
| other.js:7:33:7:35 | cmd | other.js:5:25:5:31 | req.url | other.js:7:33:7:35 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |
| other.js:8:28:8:30 | cmd | other.js:5:25:5:31 | req.url | other.js:8:28:8:30 | cmd | This command depends on $@. | other.js:5:25:5:31 | req.url | a user-provided value |


@@ -0,0 +1,8 @@
const core = require("@actions/core"),
github = require("@actions/github"),
cp = require("child_process");
function test() {
cp.exec(core.getInput("user-input")); // NOT OK
cp.exec(github.context.payload.inputs["user-input"]); // NOT OK
}
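Review bot: The fixture only contains positive cases (`// NOT OK` on both `cp.exec` calls); there is no `// OK` case showing that a call on the same modules that does not read a workflow input is left alone. Adding one line such as `cp.exec("ls"); // OK` inside `test()` would guard against the source matching on the module import rather than on the input accessor. A short header comment naming which `@actions/core` and `@actions/github` accessors the fixture is meant to exercise would also help when the model is extended later.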