github
diff --git a/‎ql/lib/codeql/actions/Ast.qll
Lines changed: 109 additions & 5 deletions b/‎ql/lib/codeql/actions/Ast.qll
Lines changed: 109 additions & 5 deletions
diff --git a/‎ql/lib/codeql/actions/controlflow/internal/Cfg.qll
Lines changed: 44 additions & 4 deletions b/‎ql/lib/codeql/actions/controlflow/internal/Cfg.qll
Lines changed: 44 additions & 4 deletions
diff --git a/‎ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
Lines changed: 43 additions & 33 deletions b/‎ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll
Lines changed: 43 additions & 33 deletions
@@ -34,8 +34,51 @@ class WorkflowStmt extends Statement instanceof Actions::Workflow {
   JobStmt getAJob() { result = super.getJob(_) }
 
   JobStmt getJob(string id) { result = super.getJob(id) }
+
+  predicate isReusable() { this instanceof ReusableWorkflowStmt }
 }
 
+class ReusableWorkflowStmt extends WorkflowStmt {
+  YamlMapping parameters;
+
+  ReusableWorkflowStmt() {
+    exists(Actions::On on |
+      on.getWorkflow() = this and
+      on.getNode("workflow_call").(YamlMapping).lookup("inputs") = parameters
+    )
+  }
+
+  ParamsStmt getParams() { result = parameters }
+
+  // TODO: implemnt callable name
+  string getName() { result = this.getLocation().getFile().getRelativePath() }
+}
+
+class ParamsStmt extends Statement instanceof YamlMapping {
+  ParamsStmt() {
+    exists(Actions::On on | on.getNode("workflow_call").(YamlMapping).lookup("inputs") = this)
+  }
+
+  /**
+   * Gets a specific parameter expression (YamlMapping) by name.
+   * eg:
+   * on:
+   *   workflow_call:
+   *     inputs:
+   *       config-path:
+   *         required: true
+   *         type: string
+   *     secrets:
+   *       token:
+   *         required: true
+   */
+  ParamExpr getParamExpr(string name) {
+    this.(YamlMapping).maps(any(YamlScalar s | s.getValue() = name), result)
+  }
+}
+
+class ParamExpr extends Expression instanceof YamlValue { }
+
 /**
  * A Job is a collection of steps that run in an execution environment.
  */
@@ -71,6 +114,11 @@ class JobStmt extends Statement instanceof Actions::Job {
    *   out2: ${steps.foo.baz}
    */
   JobOutputStmt getOutputStmt() { result = this.(Actions::Job).lookup("outputs") }
+
+  /**
+   * Reusable workflow jobs may have Uses children
+   */
+  JobUsesExpr getUsesExpr() { result = this.(Actions::Job).lookup("uses") }
 }
 
 /**
@@ -104,26 +152,82 @@ class StepStmt extends Statement instanceof Actions::Step {
   JobStmt getJob() { result = super.getJob() }
 }
 
+abstract class UsesExpr extends Expression {
+  abstract string getTarget();
+
+  abstract string getVersion();
+
+  abstract Expression getArgument(string key);
+}
+
 /**
  * A Uses step represents a call to an action that is defined in a GitHub repository.
  */
-class UsesExpr extends StepStmt, Expression {
+class StepUsesExpr extends StepStmt, UsesExpr {
   Actions::Uses uses;
 
-  UsesExpr() { uses.getStep() = this }
+  StepUsesExpr() { uses.getStep() = this }
 
-  string getTarget() { result = uses.getGitHubRepository() }
+  override string getTarget() { result = uses.getGitHubRepository() }
 
-  string getVersion() { result = uses.getVersion() }
+  override string getVersion() { result = uses.getVersion() }
 
-  Expression getArgument(string key) {
+  override Expression getArgument(string key) {
     exists(Actions::With with |
       with.getStep() = this and
       result = with.lookup(key)
     )
   }
 }
 
+/**
+ * A Uses step represents a call to an action that is defined in a GitHub repository.
+ */
+class JobUsesExpr extends UsesExpr instanceof YamlScalar {
+  JobStmt job;
+
+  JobUsesExpr() { job.(YamlMapping).lookup("uses") = this }
+
+  JobStmt getJob() { result = job }
+
+  /**
+   * Gets a regular expression that parses an `owner/repo@version` reference within a `uses` field in an Actions job step.
+   * local repo: octo-org/this-repo/.github/workflows/workflow-1.yml@172239021f7ba04fe7327647b213799853a9eb89
+   * local repo: ./.github/workflows/workflow-2.yml
+   * remote repo: octo-org/another-repo/.github/workflows/workflow.yml@v1
+   */
+  private string repoUsesParser() { result = "([^/]+)/([^/]+)/([^@]+)@(.+)" }
+
+  private string pathUsesParser() { result = "\\./(.+)" }
+
+  override string getTarget() {
+    exists(string name |
+      this.(YamlScalar).getValue() = name and
+      if name.matches("./%")
+      then result = name.regexpCapture(this.pathUsesParser(), 1)
+      else
+        result =
+          name.regexpCapture(this.repoUsesParser(), 1) + "/" +
+            name.regexpCapture(this.repoUsesParser(), 2) + "/" +
+            name.regexpCapture(this.repoUsesParser(), 3)
+    )
+  }
+
+  /** Gets the version reference used when checking out the Action, e.g. `v2` in `actions/checkout@v2`. */
+  override string getVersion() {
+    exists(string name |
+      this.(YamlScalar).getValue() = name and
+      if not name.matches("\\.%")
+      then result = this.(YamlScalar).getValue().regexpCapture(this.repoUsesParser(), 4)
+      else none()
+    )
+  }
+
+  override Expression getArgument(string key) {
+    job.(YamlMapping).lookup("with").(YamlMapping).lookup(key) = result
+  }
+}
+
 /**
  * A Run step represents the evaluation of a provided script
  */
 
@@ -87,6 +87,8 @@ module Completion {
 module CfgScope {
   abstract class CfgScope extends AstNode { }
 
+  private class ReusableWorkflowScope extends CfgScope instanceof ReusableWorkflowStmt { }
+
   private class JobScope extends CfgScope instanceof JobStmt { }
 }
 
@@ -120,9 +122,15 @@ private module Implementation implements CfgShared::InputSig<Location> {
 
   int maxSplits() { result = 0 }
 
-  predicate scopeFirst(CfgScope scope, AstNode e) { first(scope.(JobStmt), e) }
+  predicate scopeFirst(CfgScope scope, AstNode e) {
+    first(scope.(ReusableWorkflowStmt).getParams(), e) or
+    first(scope.(JobStmt), e)
+  }
 
-  predicate scopeLast(CfgScope scope, AstNode e, Completion c) { last(scope.(JobStmt), e, c) }
+  predicate scopeLast(CfgScope scope, AstNode e, Completion c) {
+    last(scope.(ReusableWorkflowStmt), e, c) or
+    last(scope.(JobStmt), e, c)
+  }
 
   predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
 
@@ -139,11 +147,30 @@ private import CfgImpl
 private import Completion
 private import CfgScope
 
+private class ReusableWorkflowTree extends StandardPreOrderTree instanceof ReusableWorkflowStmt {
+  override ControlFlowTree getChildNode(int i) { result = super.getParams() and i = 0 }
+}
+
+private class ReusableWorkflowParamsTree extends StandardPreOrderTree instanceof ParamsStmt {
+  override ControlFlowTree getChildNode(int i) {
+    result =
+      rank[i](Expression child, Location l |
+        child = super.getParamExpr(_) and l = child.getLocation()
+      |
+        child
+        order by
+          l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+      )
+  }
+}
+
+private class ParamExprTree extends LeafTree instanceof ParamExpr { }
+
 private class JobTree extends StandardPreOrderTree instanceof JobStmt {
   override ControlFlowTree getChildNode(int i) {
     result =
       rank[i](Expression child, Location l |
-        (child = super.getAStep() or child = super.getOutputStmt()) and
+        (child = super.getAStep() or child = super.getOutputStmt() or child = super.getUsesExpr()) and
         l = child.getLocation()
       |
         child
@@ -157,7 +184,20 @@ private class JobOutputTree extends StandardPreOrderTree instanceof JobOutputStm
   override ControlFlowTree getChildNode(int i) { result = super.asYamlMapping().getValueNode(i) }
 }
 
-private class UsesTree extends StandardPreOrderTree instanceof UsesExpr {
+private class StepUsesTree extends StandardPreOrderTree instanceof StepUsesExpr {
+  override ControlFlowTree getChildNode(int i) {
+    result =
+      rank[i](Expression child, Location l |
+        child = super.getArgument(_) and l = child.getLocation()
+      |
+        child
+        order by
+          l.getStartLine(), l.getStartColumn(), l.getEndColumn(), l.getEndLine(), child.toString()
+      )
+  }
+}
+
+private class JobUsesTree extends StandardPreOrderTree instanceof JobUsesExpr {
   override ControlFlowTree getChildNode(int i) {
     result =
       rank[i](Expression child, Location l |
 
@@ -6,17 +6,32 @@ private import codeql.actions.controlflow.BasicBlocks
 private import DataFlowPublic
 
 cached
-newtype TNode = TExprNode(DataFlowExpr e)
+newtype TNode =
+  TExprNode(DataFlowExpr e) or
+  TParameterNode(ParamExpr p) { p = any(ReusableWorkflowStmt w).getParams().getParamExpr(_) } or
+  TReturningNode(Cfg::Node n) { n.getAstNode() = any(JobStmt j).getOutputStmt().getOutputExpr(_) }
 
 /**
- * Not used
+ * Reusable workflow input nodes
  */
-class ParameterNode extends Node {
-  ParameterNode() { none() }
+class ParameterNode extends Node, TParameterNode {
+  private ParamExpr parameter;
+
+  ParameterNode() { this = TParameterNode(parameter) }
+
+  predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
+    parameter = c.(ReusableWorkflowStmt).getParams().getParamExpr(pos)
+  }
+
+  override string toString() { result = parameter.toString() }
+
+  override Location getLocation() { result = parameter.getLocation() }
+
+  ParamExpr getParameter() { result = parameter }
 }
 
 /**
- * Not used
+ * Reusable workflow output nodes
  */
 class ReturnNode extends Node {
   ReturnNode() { none() }
@@ -35,17 +50,25 @@ class OutNode extends ExprNode {
   }
 }
 
+/**
+ * Not used
+ */
 class CastNode extends Node {
   CastNode() { none() }
 }
 
+/**
+ * Not used
+ */
 class PostUpdateNode extends Node {
   PostUpdateNode() { none() }
 
   Node getPreUpdateNode() { none() }
 }
 
-predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) { none() }
+predicate isParameterNode(ParameterNode p, DataFlowCallable c, ParameterPosition pos) {
+  p.isParameterOf(c, pos)
+}
 
 predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition pos) {
   arg.argumentOf(call, pos)
@@ -64,7 +87,7 @@ class DataFlowExpr extends Cfg::Node {
 }
 
 /**
- * A call corresponds to a Uses steps where a 3rd party action gets called
+ * A call corresponds to a Uses steps where a 3rd party action or a reusable workflow gets called
  */
 class DataFlowCall instanceof Cfg::Node {
   DataFlowCall() { super.getAstNode() instanceof UsesExpr }
@@ -79,27 +102,16 @@ class DataFlowCall instanceof Cfg::Node {
   DataFlowCallable getEnclosingCallable() { result = super.getScope() }
 }
 
-// class DataFlowCallable instanceof Cfg::CfgScope {
-//   DataFlowCallable() { none() }
-//
-//   string toString() { result = super.toString() }
-//
-//   string getName() { result = "none" }
-// }
 /**
  * A Cfg scope that can be called
- * There are no callables in Actions, at least not in the AST
+ * ReusableWorkflowStmt
  */
-class DataFlowCallable instanceof Cfg::CfgScope {
+class DataFlowCallable instanceof ReusableWorkflowStmt {
   string toString() { result = super.toString() }
 
   Location getLocation() { result = super.getLocation() }
 
-  string getName() {
-    if this instanceof StepStmt
-    then result = this.(StepStmt).getId()
-    else result = this.(JobStmt).getId()
-  }
+  string getName() { result = super.getName() }
 }
 
 newtype TReturnKind = TNormalReturn()
@@ -114,7 +126,7 @@ class NormalReturn extends ReturnKind, TNormalReturn {
 }
 
 /** Gets a viable implementation of the target of the given `Call`. */
-DataFlowCallable viableCallable(DataFlowCall c) { none() }
+DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() }
 
 // /**
 //  * Holds if the set of viable implementations that can be called by `call`
@@ -173,11 +185,10 @@ class ContentApprox extends TContentApprox {
 ContentApprox getContentApprox(Content c) { none() }
 
 /**
- * Not used since we dont have Callables in the AST
  * Made a string to match the ArgumentPosition type
  */
 class ParameterPosition extends string {
-  ParameterPosition() { none() }
+  ParameterPosition() { exists(any(ReusableWorkflowStmt w).getParams().getParamExpr(this)) }
 }
 
 /**
@@ -188,18 +199,12 @@ class ArgumentPosition extends string {
 }
 
 /**
- * Not really used since we dont have Callables in the AST but needed for the InputSig signature
  */
 predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) { ppos = apos }
 
-/**
- * a simple local flow step
- */
-predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) }
-
-predicate usesOutputDefToUse(Node nodeFrom, Node nodeTo) {
+predicate stepUsesOutputDefToUse(Node nodeFrom, Node nodeTo) {
   // nodeTo is an OutputVarAccessExpr scoped with the namespace of the nodeFrom Step output
-  exists(UsesExpr uses, StepOutputAccessExpr outputRead |
+  exists(StepUsesExpr uses, StepOutputAccessExpr outputRead |
     uses = nodeFrom.asExpr() and
     outputRead = nodeTo.asExpr() and
     outputRead.getStepId() = uses.getId() and
@@ -233,11 +238,16 @@ predicate jobOutputDefToUse(Node nodeFrom, Node nodeTo) {
  */
 pragma[nomagic]
 predicate localFlowStep(Node nodeFrom, Node nodeTo) {
-  usesOutputDefToUse(nodeFrom, nodeTo) or
+  stepUsesOutputDefToUse(nodeFrom, nodeTo) or
   runOutputDefToUse(nodeFrom, nodeTo) or
   jobOutputDefToUse(nodeFrom, nodeTo)
 }
 
+/**
+ * a simple local flow step
+ */
+predicate simpleLocalFlowStep(Node nodeFrom, Node nodeTo) { localFlowStep(nodeFrom, nodeTo) }
+
 /**
  * Holds if data can flow from `node1` to `node2` through a non-local step
  * that does not follow a call edge. For example, a step through a global