Merge pull request #104 from github/new_gh_sources

Alvaro Muñoz · web-flow · commit 8f350d90683f · 2024-10-22T21:36:19.000+02:00
New gh CLI sources
diff --git a/ql/lib/codeql/actions/config/Config.qll b/ql/lib/codeql/actions/config/Config.qll
@@ -125,6 +125,16 @@ predicate vulnerableActionsDataModel(
  *    - cmd_regex: Regular expression for matching untrusted git commands
  *    - flag: Flag for the command
  */
-predicate untrustedGitCommandsDataModel(string cmd_regex, string flag) {
-  Extensions::untrustedGitCommandsDataModel(cmd_regex, flag)
+predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
+  Extensions::untrustedGitCommandDataModel(cmd_regex, flag)
+}
+
+/**
+ * MaD models for untrusted gh commands
+ * Fields:
+ *    - cmd_regex: Regular expression for matching untrusted gh commands
+ *    - flag: Flag for the command
+ */
+predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
+  Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
 }
diff --git a/ql/lib/codeql/actions/config/ConfigExtensions.qll b/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -61,4 +61,9 @@ extensible predicate vulnerableActionsDataModel(
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */
-extensible predicate untrustedGitCommandsDataModel(string cmd_regex, string flag);
+extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag);
+
+/**
+ * Holds for gh commands that may introduce untrusted data
+ */
+extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -80,7 +80,7 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
 
   GitCommandSource() {
     exists(Step checkout, string cmd_regex |
-      // This shoould be:
+      // This should be:
       // source instanceof PRHeadCheckoutStep
       // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
       // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
@@ -105,8 +105,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
       checkout.getAFollowingStep() = run and
       run.getScript().getAStmt() = cmd and
       cmd.indexOf("git") = 0 and
-      untrustedGitCommandsDataModel(cmd_regex, flag) and
-      cmd.regexpMatch(".*" + cmd_regex + ".*")
+      untrustedGitCommandDataModel(cmd_regex, flag) and
+      cmd.regexpMatch(cmd_regex + ".*")
     )
   }
 
@@ -117,6 +117,28 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
   override Run getEnclosingRun() { result = run }
 }
 
+class GhCLICommandSource extends RemoteFlowSource, CommandSource {
+  Run run;
+  string cmd;
+  string flag;
+
+  GhCLICommandSource() {
+    exists(string cmd_regex |
+      this.asExpr() = run.getScript() and
+      run.getScript().getAStmt() = cmd and
+      cmd.indexOf("gh ") = 0 and
+      untrustedGhCommandDataModel(cmd_regex, flag) and
+      cmd.regexpMatch(cmd_regex + ".*")
+    )
+  }
+
+  override string getSourceType() { result = flag }
+
+  override Run getEnclosingRun() { result = run }
+
+  override string getCommand() { result = cmd }
+}
+
 class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
   string cmd;
   string flag;
@@ -206,7 +228,7 @@ class ArtifactSource extends RemoteFlowSource, FileSource {
  */
 private class CheckoutSource extends RemoteFlowSource, FileSource {
   CheckoutSource() {
-    // This shoould be:
+    // This should be:
     // source instanceof PRHeadCheckoutStep
     // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
     // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
diff --git a/ql/lib/codeql/actions/security/OutputClobberingQuery.qll b/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -20,7 +20,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
       (
         step instanceof UntrustedArtifactDownloadStep
         or
-        // This shoould be:
+        // This should be:
         // artifact instanceof PRHeadCheckoutStep
         // but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error
         // so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround
diff --git a/ql/lib/ext/config/untrusted_gh_command.yml b/ql/lib/ext/config/untrusted_gh_command.yml
@@ -0,0 +1,56 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: untrustedGhCommandDataModel 
+    data:
+      #
+      # PULL REQUESTS
+      #
+      # HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\.headRefName.*", "branch,oneline"]
+      # TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+      # BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+      # COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+      # CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\.files.*", "filename,multiline"]
+      # AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') 
+      - ["gh\\s+pr\\b.*\\bview\\b.*\\.author.*", "username,oneline"]
+      #
+      # ISSUES
+      #
+      # TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\.title.*", "title,oneline"]
+      # BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body,assignees --jq .body)
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\.body.*", "text,multiline"]
+      # COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+      - ["gh\\s+issue\\b.*\\bview\\b.*\\.comments.*", "text,multiline"]
+      #
+      # API
+      #
+      # PR="$(gh api /repos/test/test/pulls/${PR_NUMBER})"
+      #
+      # HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.head.ref.*", "branch,oneline"]
+      # TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.title.*", "title,oneline"]
+      # BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.body.*", "text,multiline"]
+      # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/comments\\b.*\\.body.*", "text,multiline"]
+      # CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*/files\\b.*\\.filename.*", "filename,oneline"]
+      # AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/pulls.*\\b.*\\.user\\.login.*", "username,oneline"]
+      #
+      # ISSUES
+      #
+      # TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.title.*", "title,oneline"]
+      # BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*\\b.*\\.body.*", "text,multiline"]
+      # COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+      - ["gh\\s+api\\b.*\\b(/)?repos/.*/issues.*/comments\\b.*\\.body.*", "text,multiline"]
+
diff --git a/ql/lib/ext/config/untrusted_git_command.yml b/ql/lib/ext/config/untrusted_git_command.yml
@@ -1,7 +1,7 @@
 extensions:
   - addsTo:
       pack: github/actions-all
-      extensible: untrustedGitCommandsDataModel 
+      extensible: untrustedGitCommandDataModel 
     data:
       # FILES=$(git diff-tree --no-commit-id --name-only HEAD -r)
       - ["git\\b.*\\bdiff-tree\\b", "filename,multiline"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test19.yml
@@ -0,0 +1,112 @@
+name: Pull Request Open
+
+on:
+  pull_request_target:
+
+jobs:
+  pulls1:
+    runs-on: ubuntu-latest
+    steps:
+      - id: head_ref 
+        run: |
+          HEAD_REF=$(gh pr view "${{ github.event.issue.number }}" --json headRefName -q '.headRefName')
+          echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+      - id: title
+        run: |
+          TITLE=$(gh pr view $PR_NUMBER --json title --jq .title)
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title.outputs.title}}"
+      - id: body
+        run: |
+          BODY=$(gh pr view $PR_NUMBER --json body --jq .body)
+          echo "body=$BODY" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.body.outputs.body}}"
+      - id: comments
+        run: |
+          COMMENTS="$(gh pr view --repo ${{ github.repository }} "$PR_NUMBER" --json "body,comments" -q '.body, .comments[].body')"
+          echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.comments.outputs.comments}}"
+      - id: files 
+        run: |
+          CHANGED_FILES="$(gh pr view --repo ${{ github.repository }} ${{ needs.check-comment.outputs.pull_number }} --json files --jq '.files.[].path')"
+          echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.files.outputs.files}}"
+      - id: author 
+        run: |
+          AUTHOR=$(gh pr view ${ORI_PR} -R ${REPO} --json author -q '.author.login') 
+          echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.author.outputs.author}}"
+  pulls2:
+    runs-on: ubuntu-latest
+    steps:
+      - id: head_ref 
+        run: |
+          HEAD_REF=$(gh api -H 'Accept: application/vnd.github+json' /repos/test/test/commits/${{ env.sui_sha }}/pulls --jq '.[].head.ref' | head -n 1)
+          echo "head_ref=$HEAD_REF" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.head_ref.outputs.head_ref}}"
+      - id: title
+        run: |
+          TITLE=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".title")
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title.outputs.title}}"
+      - id: body
+        run: |
+          BODY=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".body")
+          echo "body=$BODY" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.body.outputs.body}}"
+      - id: comments
+        run: |
+          COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+          echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.comments.outputs.comments}}"
+      - id: files 
+        run: |
+          CHANGED_FILES=$(gh api /repos/test/test/pulls/${{PR_NUMBER}}/files --jq '.[].filename')
+          echo "files=$CHANGED_FILES" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.files.outputs.files}}"
+      - id: author 
+        run: |
+          AUTHOR=$(gh api /repos/test/test/pulls/${{PR_NUMBER}} --jq ".user.login")
+          echo "author=$AUTHOR" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.author.outputs.author}}"
+  issues1:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title
+        run: |
+          TITLE=$(gh issue view "$ISSUE_NUMBER" --json title --jq '.title')
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title.outputs.title}}"
+      - id: body
+        run: |
+          BODY=$(gh issue view -R ${GITHUB_REPOSITORY} ${ORIGINAL_ISSUE_NUMBER} --json title,body --jq '.body')
+          echo "body=$BODY" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.body.outputs.body}}"
+      - id: comments
+        run: |
+          COMMENTS=$(gh issue view "$ISSUE_NUMBER" --json comments --jq '.comments[].body')
+          echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.comments.outputs.comments}}"
+  issues2:
+    runs-on: ubuntu-latest
+    steps:
+      - id: title
+        run: |
+          TITLE=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".title")
+          echo "title=$TITLE" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.title.outputs.title}}"
+      - id: body
+        run: |
+          BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")
+          echo "body=$BODY" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.body.outputs.body}}"
+      - id: comments
+        run: |
+          COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')
+          echo "comments=$COMMENTS" >> "$GITHUB_OUTPUT"
+      - run: echo "${{ steps.comments.outputs.comments}}"
+
+
+
+
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {`
`20`	`20`	`(`
`21`	`21`	`step instanceof UntrustedArtifactDownloadStep`
`22`	`22`	`or`
`23`		`- // This shoould be:`
	`23`	`+ // This should be:`
`24`	`24`	`// artifact instanceof PRHeadCheckoutStep`
`25`	`25`	`// but PRHeadCheckoutStep uses Taint Tracking anc causes a non-Monolitic Recursion error`
`26`	`26`	`// so we list all the subclasses of PRHeadCheckoutStep here and use actions/checkout as a workaround`