Merge pull request #105 from github/immutable-actions

Add CodeQL rule for Immutable actions, do not detect immutable actions in unpinned tag rule

Author: KyFaSt

ql/lib/codeql/actions/config/Config.qll

@@ -119,6 +119,17 @@ predicate vulnerableActionsDataModel(
   Extensions::vulnerableActionsDataModel(action, vulnerable_version, vulnerable_sha, fixed_version)
 }
 
+/**
+ * MaD models for immutable actions
+ * Fields:
+ *    - action: action name
+ */
+predicate immutableActionsDataModel(
+  string action
+) {
+  Extensions::immutableActionsDataModel(action)
+}
+
 /**
  * MaD models for untrusted git commands
  * Fields:

ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -58,6 +58,13 @@ extensible predicate vulnerableActionsDataModel(
   string action, string vulnerable_version, string vulnerable_sha, string fixed_version
 );
 
+/**
+ * Holds for actions that are known to be immutable.
+ */
+extensible predicate immutableActionsDataModel(
+  string action
+);
+
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */

ql/lib/codeql/actions/security/UseOfUnversionedImmutableAction.qll

@@ -0,0 +1,29 @@
+import actions
+
+class UnversionedImmutableAction extends UsesStep {
+  string immutable_action;
+
+  UnversionedImmutableAction() {
+    isImmutableAction(this, immutable_action) and
+    not isSemVer(this.getVersion())
+  }
+}
+
+bindingset[version]
+predicate isSemVer(string version) {
+  // https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string with optional v prefix
+  version.regexpMatch("^v?(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$")
+
+  // or N or N.x or N.N.x with optional v prefix
+  or version.regexpMatch("^v?[1-9]\\d*$")
+  or version.regexpMatch("^v?[1-9]\\d*\\.(x|0|([1-9]\\d*))$")
+  or version.regexpMatch("^v?[1-9]\\d*\\.(0|([1-9]\\d*))\\.(x|0|([1-9]\\d*))$")
+
+  // or latest which will work
+  or version = "latest"
+}
+
+predicate isImmutableAction(UsesStep actionStep, string actionName) {
+  immutableActionsDataModel(actionName) and
+  actionStep.getCallee() = actionName
+}

ql/lib/ext/config/immutable_actions.yml

@@ -0,0 +1,22 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: immutableActionsDataModel
+    data:
+      - ["actions/checkout"]
+      - ["actions/cache"]
+      - ["actions/setup-node"]
+      - ["actions/upload-artifact"]
+      - ["actions/setup-python"]
+      - ["actions/download-artifact"]
+      - ["actions/github-script"]
+      - ["actions/setup-java"]
+      - ["actions/setup-go"]
+      - ["actions/upload-pages-artifact"]
+      - ["actions/deploy-pages"]
+      - ["actions/setup-dotnet"]
+      - ["actions/stale"]
+      - ["actions/labeler"]
+      - ["actions/create-github-app-token"]
+      - ["actions/configure-pages"]
+      - ["octokit/request-action"]

ql/src/Security/CWE-829/UnpinnedActionsTag.md

@@ -6,7 +6,7 @@ Using a tag for a 3rd party Action that is not pinned to a commit can lead to ex
 
 ## Recommendations
 
-Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
+Pinning an action to a full length commit SHA is currently the only way to use a non-immutable action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
 
 ## Examples
 

ql/src/Security/CWE-829/UnpinnedActionsTag.ql

@@ -1,6 +1,6 @@
 /**
- * @name Unpinned tag for 3rd party Action in workflow
- * @description Using a tag for a 3rd party Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
+ * @name Unpinned tag for a non-immutable Action in workflow
+ * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
  * @kind problem
  * @security-severity 5.0
  * @problem.severity recommendation
@@ -12,13 +12,14 @@
  */
 
 import actions
+import codeql.actions.security.UseOfUnversionedImmutableAction
 
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
 
 bindingset[repo]
 private predicate isTrustedOrg(string repo) {
-  exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%"))
+  repo.matches(["actions", "github", "advanced-security"] + "/%")
 }
 
 from UsesStep uses, string repo, string version, Workflow workflow, string name
@@ -32,7 +33,8 @@ where
   ) and
   uses.getVersion() = version and
   not isTrustedOrg(repo) and
-  not isPinnedCommit(version)
+  not isPinnedCommit(version) and
+  not isImmutableAction(uses, repo)
 select uses.getCalleeNode(),
   "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
     "', not a pinned commit hash", uses, uses.toString()

ql/src/Security/CWE-829/UnversionedImmutableAction.md

@@ -0,0 +1,29 @@
+# Unversioned Immutable Action
+
+## Description
+
+Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version
+of the action stored in the GitHub package registry. The action code will not change between runs.
+
+## Recommendations
+
+When using [immutable actions](https://github.com/github/package-registry-team/blob/main/docs/immutable-actions/immutable-actions-howto.md) use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs.
+
+## Examples
+
+### Incorrect Usage
+
+```yaml
+- uses: actions/checkout@some-tag
+- uses: actions/[email protected]
+```
+
+### Correct Usage
+
+```yaml
+- uses: actions/[email protected]
+```
+
+## References
+
+- [Consuming immutable actions]()

ql/src/Security/CWE-829/UnversionedImmutableAction.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Unversioned Immutable Action
+ * @description Using an Immutable Action without a semantic version tag opts out of the protections of Immutable Action
+ * @kind problem
+ * @problem.severity recommendation
+ * @precision high
+ * @id actions/unversioned-immutable-action
+ * @tags security
+ *       actions
+ *       external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UseOfUnversionedImmutableAction
+
+from UnversionedImmutableAction step
+select step,
+  "The workflow is using an eligible immutable action ($@) without semantic versioning", step,
+   step.getCallee()

ql/test/query-tests/Security/CWE-829/.github/actions/dangerous-git-checkout/action.yml

@@ -4,7 +4,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout repo
-      uses: actions/checkout@v4
+      uses: actions/checkout@4
       with:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: 2

ql/test/query-tests/Security/CWE-829/.github/workflows/issue_comment_octokit2.yml

@@ -0,0 +1,38 @@
+name: Octokit (heuristics)
+
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  test1:
+    if: github.event.comment.body == '@metabase-bot run visual tests'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Fetch issue
+        uses: octokit/[email protected]
+        id: fetch_issue
+        with:
+          route: GET ${{ github.event.issue.url }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Fetch PR minor and patch wildcard
+        uses: octokit/[email protected]
+        id: fetch_pr
+        with:
+          route: GET ${{ fromJson(steps.fetch_issue.outputs.data).pull_request.url }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout PR minor patch wildcard
+      - uses: actions/[email protected]
+        with:
+          ref: ${{ fromJson(steps.fetch_pr.outputs.data).head.ref }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Checkout PR minor wildcard incomplete patch
+        uses: actions/[email protected].
+      - name: Run latest action
+        uses: some-action/some-repo@latest
+        with:
+          some-input: some-value
+      - name: run the latest checkout action
+        uses: actions/checkout@latest

ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected

@@ -10,9 +10,7 @@
 | .github/workflows/issue_comment_3rd_party_action.yml:14:15:14:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:12:9:16:6 | Uses Step: comment-branch | Uses Step: comment-branch |
 | .github/workflows/issue_comment_3rd_party_action.yml:27:15:27:52 | xt0rted/pull-request-comment-branch@v2 | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'xt0rted/pull-request-comment-branch' with ref 'v2', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:25:9:30:6 | Uses Step: comment-branch | Uses Step: comment-branch |
 | .github/workflows/issue_comment_3rd_party_action.yml:41:15:41:42 | eficode/resolve-pr-refs@main | Unpinned 3rd party Action 'PR head from 3rd party action' step $@ uses 'eficode/resolve-pr-refs' with ref 'main', not a pinned commit hash | .github/workflows/issue_comment_3rd_party_action.yml:39:9:45:6 | Uses Step: refs | Uses Step: refs |
-| .github/workflows/issue_comment_octokit.yml:13:15:13:41 | octokit/[email protected] | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | Uses Step: fetch_issue |
-| .github/workflows/issue_comment_octokit.yml:20:15:20:41 | octokit/[email protected] | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.x', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | Uses Step: fetch_pr |
-| .github/workflows/issue_comment_octokit.yml:104:15:104:43 | octokit/[email protected] | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'octokit/request-action' with ref 'v2.0.2', not a pinned commit hash | .github/workflows/issue_comment_octokit.yml:103:9:109:6 | Uses Step: request | Uses Step: request |
+| .github/workflows/issue_comment_octokit2.yml:34:15:34:42 | some-action/some-repo@latest | Unpinned 3rd party Action 'Octokit (heuristics)' step $@ uses 'some-action/some-repo' with ref 'latest', not a pinned commit hash | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | Uses Step |
 | .github/workflows/label_trusted_checkout1.yml:20:13:20:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:20:7:24:4 | Uses Step | Uses Step |
 | .github/workflows/label_trusted_checkout1.yml:24:13:24:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'label_trusted_checkout1.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/label_trusted_checkout1.yml:24:7:27:21 | Uses Step | Uses Step |
 | .github/workflows/label_trusted_checkout2.yml:21:13:21:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'label_trusted_checkout2.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/label_trusted_checkout2.yml:21:7:25:4 | Uses Step | Uses Step |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -94,6 +94,12 @@ edges
 | .github/workflows/issue_comment_heuristic.yml:11:9:24:6 | Uses Step: get-pr-info | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha |
 | .github/workflows/issue_comment_heuristic.yml:24:9:28:6 | Run Step: get-sha | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step |
 | .github/workflows/issue_comment_heuristic.yml:37:7:48:4 | Run Step: vars | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr |
+| .github/workflows/issue_comment_octokit2.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard |
+| .github/workflows/issue_comment_octokit2.yml:26:9:27:6 | name: C ... ildcard | .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:31:9:33:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step |
+| .github/workflows/issue_comment_octokit2.yml:33:9:37:6 | Uses Step | .github/workflows/issue_comment_octokit2.yml:37:9:38:37 | Uses Step |
 | .github/workflows/issue_comment_octokit.yml:12:9:19:6 | Uses Step: fetch_issue | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr |
 | .github/workflows/issue_comment_octokit.yml:19:9:26:6 | Uses Step: fetch_pr | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step |
 | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected

@@ -5,6 +5,7 @@
 | .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
 | .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |