Fix FPs in EnvVarInjection

Alvaro Muñoz · Alvaro Muñoz · commit ab7196ac5249 · 2024-04-22T09:53:30.000+02:00
diff --git a/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll b/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -24,28 +24,10 @@ predicate envVarInjectionFromFileSink(DataFlow::Node sink) {
   )
 }
 
-/**
- * Holds if a Run step declares an environment variable, uses it to declare a new env var.
- * e.g.
- *    env:
- *      BODY: ${{ github.event.comment.body }}
- *    run: |
- *      echo "foo=$(echo $BODY)" >> $GITHUB_ENV
- */
-predicate envVarInjectionFromEnvSink(DataFlow::Node sink) {
-  exists(Run run, Expression expr, string varName, string value |
-    sink.asExpr().getInScopeEnvVarExpr(varName) = expr and
-    run = sink.asExpr() and
-    Utils::writeToGitHubEnv(run, _, value) and
-    value.indexOf("$" + ["", "{", "ENV{"] + varName) > 0
-  )
-}
-
 private class EnvVarInjectionSink extends DataFlow::Node {
   EnvVarInjectionSink() {
     envVarInjectionFromExprSink(this) or
     envVarInjectionFromFileSink(this) or
-    envVarInjectionFromEnvSink(this) or
     externallyDefinedSink(this, "envvar-injection")
   }
 }
diff --git a/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/EnvVarInjection.expected
@@ -3,10 +3,6 @@ edges
 | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step |
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
-| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step |
-| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step |
-| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step |
-| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step |
 nodes
 | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step |
@@ -16,13 +12,5 @@ nodes
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 subpaths
 #select
diff --git a/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected b/ql/test/query-tests/Security/CWE-077/PrivilegedEnvVarInjection.expected
@@ -3,10 +3,6 @@ edges
 | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step |
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step |
-| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step |
-| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step |
-| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step |
-| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step |
 nodes
 | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | semmle.label | Run Step |
@@ -16,22 +12,10 @@ nodes
 | .github/workflows/test3.yml:17:7:24:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:24:7:31:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:21:9:25:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/test4.yml:25:9:31:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/test4.yml:31:9:37:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
-| .github/workflows/test4.yml:37:9:45:6 | Run Step | semmle.label | Run Step |
-| .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 subpaths
 #select
 | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | .github/workflows/sonar-source.yml:17:9:37:6 | Uses Step | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/sonar-source.yml:39:9:45:6 | Run Step | Run Step |
 | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test1.yml:22:38:22:75 | github.event.pull_request.title | github.event.pull_request.title |
 | .github/workflows/test2.yml:47:9:52:6 | Run Step | .github/workflows/test2.yml:17:9:47:6 | Uses Step | .github/workflows/test2.yml:47:9:52:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test2.yml:47:9:52:6 | Run Step | Run Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:17:7:24:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step |
 | .github/workflows/test3.yml:39:7:44:4 | Run Step | .github/workflows/test3.yml:24:7:31:4 | Uses Step | .github/workflows/test3.yml:39:7:44:4 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test3.yml:39:7:44:4 | Run Step | Run Step |
-| .github/workflows/test4.yml:21:9:25:6 | Run Step | .github/workflows/test4.yml:22:19:22:56 | github.event.pull_request.title | .github/workflows/test4.yml:21:9:25:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:21:9:25:6 | Run Step | Run Step |
-| .github/workflows/test4.yml:25:9:31:6 | Run Step | .github/workflows/test4.yml:26:19:26:56 | github.event.pull_request.title | .github/workflows/test4.yml:25:9:31:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:25:9:31:6 | Run Step | Run Step |
-| .github/workflows/test4.yml:31:9:37:6 | Run Step | .github/workflows/test4.yml:32:19:32:56 | github.event.pull_request.title | .github/workflows/test4.yml:31:9:37:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:31:9:37:6 | Run Step | Run Step |
-| .github/workflows/test4.yml:37:9:45:6 | Run Step | .github/workflows/test4.yml:38:19:38:56 | github.event.pull_request.title | .github/workflows/test4.yml:37:9:45:6 | Run Step | Potential privileged environment variable injection in $@, which may be controlled by an external user. | .github/workflows/test4.yml:37:9:45:6 | Run Step | Run Step |
