From f325d40a2274d883986bef4c2ab8dff2a1943538 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alvaro=20Mu=C3=B1oz?= Date: Thu, 16 May 2024 15:55:12 +0200 Subject: [PATCH] Ensure event sources are available for triggering events --- .../codeql/actions/dataflow/ExternalFlow.qll | 33 ++++++++-- .../codeql/actions/dataflow/FlowSources.qll | 63 ++++++++++++++++--- .../internal/ExternalFlowExtensions.qll | 18 ++++-- .../ext/workflow-models/workflow-models.yml | 48 ++++++++++++++ .../.github/workflows/pull_request_target.yml | 5 +- .../CWE-094/.github/workflows/self_needs.yml | 2 +- .../Security/CWE-094/CodeInjection.expected | 8 +-- .../CWE-094/PrivilegedCodeInjection.expected | 13 ++-- .../Security/CWE-094/action1/action.yml | 14 ----- 9 files changed, 154 insertions(+), 50 deletions(-) delete mode 100644 ql/test/query-tests/Security/CWE-094/action1/action.yml diff --git a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll index f10a90ee6ee2..a52cc427d359 100644 --- a/ql/lib/codeql/actions/dataflow/ExternalFlow.qll +++ b/ql/lib/codeql/actions/dataflow/ExternalFlow.qll 
@@ -2,19 +2,42 @@ private import internal.ExternalFlowExtensions as Extensions
 private import codeql.actions.DataFlow
 private import actions
+/**
+ * MaD models for workflow details
+ * Fields:
+ * - path: Path to the workflow file
+ * - trigger: Trigger for the workflow
+ * - job: Job name
+ * - secrets_source: Source of secrets
+ * - permissions: Permissions for the workflow
+ * - runner: Runner info for the workflow
+ */
 predicate workflowDataModel(
- string path, string trigger, string job, string secrets_source, string permissions,
- string runner
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
 ) {
 Extensions::workflowDataModel(path, trigger, job, secrets_source, permissions, runner)
 }
-predicate repositoryDataModel(
- string visibility, string default_branch_name
-) {
+/**
+ * MaD models for repository details
+ * Fields:
+ * - visibility: Visibility of the repository
+ * - default_branch_name: Default branch name
+ */
+predicate repositoryDataModel(string visibility, string default_branch_name) {
 Extensions::repositoryDataModel(visibility, default_branch_name)
 }
+/**
+ * MaD models for context/trigger mapping
+ * Fields:
+ * - trigger: Trigger for the workflow
+ * - context_prefix: Prefix for the context
+ */
+predicate contextTriggerDataModel(string trigger, string context_prefix) {
+ Extensions::contextTriggerDataModel(trigger, context_prefix)
+}
+
 /**
 * MaD sources
 * Fields:
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
index 08717c337875..063a3f671a32 100644
--- a/ql/lib/codeql/actions/dataflow/FlowSources.qll
+++ b/ql/lib/codeql/actions/dataflow/FlowSources.qll
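Review bot: The field descriptions on the new `contextTriggerDataModel` wrapper, `- trigger: Trigger for the workflow` and `- context_prefix: Prefix for the context`, do not say what relation a row asserts, which is the one thing a reader of this predicate needs before adding rows. Suggest `* - trigger: Name of the event that triggers the workflow (e.g. pull_request)` and `* - context_prefix: Prefix of the github context (e.g. github.event.pull_request) whose values are populated when that event is the trigger`. The same "Fields:" style is used for `workflowDataModel` and `repositoryDataModel`, so a one-line statement of the relation there would keep the three consistent.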
@@ -95,8 +95,7 @@ private predicate branchEvent(string context) {
 // - They cannot contain a \
 // eg: zzz";echo${IFS}"hello";# would be a valid branch name
 "github\\.event\\.pull_request\\.head\\.repo\\.default_branch",
- "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref",
- "github\\.event\\.workflow_run\\.head_branch",
+ "github\\.event\\.pull_request\\.head\\.ref", "github\\.event\\.workflow_run\\.head_branch",
 "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref",
 "github\\.event\\.merge_group\\.head_ref",
 ]
@@ -165,7 +164,8 @@ private predicate pathEvent(string context) {
 reg = [
 // filename
- "github\\.event\\.workflow\\.path",
+ "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.path",
+ "github\\.event\\.workflow_run\\.referenced_workflows\\.path",
 ]
 |
 Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
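Review bot: The new pathEvent entry `"github\\.event\\.workflow_run\\.referenced_workflows\\.path"` will not match the way that field is actually accessed if `referenced_workflows` is a list, which is how the branchEvent entry `workflow_run\\.pull_requests\\[[0-9]+\\]` in the first hunk treats the sibling field: an expression such as `github.event.workflow_run.referenced_workflows[0].path` has `[0]` between the two segments, so the literal pattern never fires. If the field is indeed an array, the entry should be `"github\\.event\\.workflow_run\\.referenced_workflows\\[[0-9]+\\]\\.path",` to recognize indexed accesses. The `exists(...)` that opens pathEvent's `reg = [...]` binding, and the start of branchEvent's list, lie outside these hunks.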
@@ -197,11 +197,33 @@ private predicate jsonEvent(string context) {
 )
 }
-class EventSource extends RemoteFlowSource {
 string flag;
- EventSource() {
- exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() |
+ GitHubSource() {
+ exists(Expression e, string context, string context_prefix |
+ this.asExpr() = e and
+ context = e.getExpression() and
+ Utils::normalizeExpr(context) = "github.head_ref" and
+ contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and
+ Utils::normalizeExpr(context).matches("%" + context_prefix + "%") and
+ flag = "branch"
+ )
+ }
+
+ override string getSourceType() { result = flag }
+}
+
+class GitHubEventSource extends RemoteFlowSource {
+ string flag;
+
+ GitHubEventSource() {
+ exists(Expression e, string context, string context_prefix |
+ this.asExpr() = e and
+ context = e.getExpression() and
+ contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and
+ Utils::normalizeExpr(context).matches("%" + context_prefix + "%")
+ |
 titleEvent(context) and flag = "title"
 or
 urlEvent(context) and flag = "url"
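Review bot: Gating every source on `e.getEnclosingWorkflow().getATriggerEvent().getName()` leaves an expression with no enclosing workflow without any source at all, which appears to be why the composite-action test `action1/action.yml` (a `run:` step echoing `${{ github.event.comment.body }}`) is deleted in this commit together with its expected results instead of being kept passing. A composite action runs inside whatever workflow calls it, on whatever trigger that workflow has, so the conservative modelling is to treat every mapped prefix as available when there is no enclosing workflow, e.g. `(contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) or not exists(e.getEnclosingWorkflow()) and contextTriggerDataModel(_, context_prefix)) and` in both constructors — this assumes `getEnclosingWorkflow()` has no result for action files, which the patch does not show. GitHubSource also narrows `github.head_ref` from the branchEvent regex list to the exact equality `Utils::normalizeExpr(context) = "github.head_ref"`, so a head ref embedded in a larger expression (inside a `format(...)` or `contains(...)` call) stops being a branch source if `wrapRegexp` previously tolerated surrounding text; `Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.head_ref"))` would keep the old reach. The GitHubEventSource constructor continues in the next hunk, and the `class GitHubSource extends RemoteFlowSource {` header line does not appear in this hunk as rendered, so it could not be checked here.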
@@ -217,8 +239,33 @@ class EventSource extends RemoteFlowSource {
 usernameEvent(context) and flag = "username"
 or
 pathEvent(context) and flag = "filename"
- or
- jsonEvent(context) and flag = "json"
+ )
+ }
+
+ override string getSourceType() { result = flag }
+}
+
+class GitHubEventJsonSource extends RemoteFlowSource {
+ string flag;
+
+ GitHubEventJsonSource() {
+ exists(Expression e, string context |
+ this.asExpr() = e and
+ context = e.getExpression() and
+ (
+ jsonEvent(context) and
+ (
+ exists(string context_prefix |
+ contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(),
+ context_prefix) and
+ Utils::normalizeExpr(context).matches("%" + context_prefix + "%")
+ )
+ or
+ contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), _) and
+ Utils::normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*")
+ )
+ ) and
+ flag = "json"
 )
 }
diff --git a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
index 34f0297d7998..415c02dc1ba1 100644
--- a/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
+++ b/ql/lib/codeql/actions/dataflow/internal/ExternalFlowExtensions.qll
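Review bot: In GitHubEventJsonSource the second disjunct, `contextTriggerDataModel(..., _) and Utils::normalizeExpr(context).regexpMatch(".*\\bgithub.event\\b.*")`, holds for any `github.event.<anything>` expression as soon as the workflow has one modelled trigger, because `\\b` also matches between `event` and the following `.`; that makes the per-trigger prefix check in the first disjunct dead for JSON sources, so (assuming `jsonEvent` accepts the wrapped form) `toJSON(github.event.issue)` in a `pull_request_target` workflow is still reported even though this same commit stops reporting `github.event.issue.title` there. If the intent is only the whole-payload `github.event` case, anchor the pattern so nothing follows the name, e.g. `Utils::normalizeExpr(context).regexpMatch(".*\\bgithub\\.event(?![.\\[]).*")`, which also escapes the `.` that is currently a wildcard. If the intent really is to flag every `toJSON(github.event.*)` regardless of trigger, a one-line comment above the disjunct saying so would spare the next reader the same question. `jsonEvent` and the `getSourceType` override for this class are outside the hunk.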
@@ -23,11 +23,19 @@ extensible predicate sinkModel(
 string action, string version, string input, string kind, string provenance
 );
+/**
+ * Holds if workflow data model exists for the given parameters.
+ */
 extensible predicate workflowDataModel(
- string path, string trigger, string job, string secrets_source, string permissions,
- string runner
+ string path, string trigger, string job, string secrets_source, string permissions, string runner
 );
-extensible predicate repositoryDataModel(
- string visibility, string default_branch_name
-);
+/**
+ * Holds if repository data model exists for the given parameters.
+ */
+extensible predicate repositoryDataModel(string visibility, string default_branch_name);
+
+/**
+ * Holds if context/trigger mapping exists for the given parameters.
+ */
+extensible predicate contextTriggerDataModel(string trigger, string context_prefix);
diff --git a/ql/lib/ext/workflow-models/workflow-models.yml b/ql/lib/ext/workflow-models/workflow-models.yml
index f71f2081c8fd..404e894a5f8a 100644
--- a/ql/lib/ext/workflow-models/workflow-models.yml
+++ b/ql/lib/ext/workflow-models/workflow-models.yml
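Review bot: The doc comment on the new extensible predicate, `Holds if context/trigger mapping exists for the given parameters.`, restates the signature without saying what a row means, which matters most for an `extensible` predicate that other packs are expected to add rows to. Suggest `/** Holds if the GitHub Actions context rooted at context_prefix (for example github.event.pull_request or github.head_ref) is populated in a run started by the trigger event, so expressions under that prefix may carry user-controlled data. */`. The comments added on `workflowDataModel` and `repositoryDataModel` have the same "exists for the given parameters" shape and would read better with the same treatment.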
@@ -7,3 +7,51 @@ extensions:
 pack: githubsecuritylab/actions-all
 extensible: workflowDataModel
 data: []
+ - addsTo:
+ pack: githubsecuritylab/actions-all
+ extensible: contextTriggerDataModel
+ data:
+ # This predicate maps triggering events with the github event context available for that event
+ - ["commit_comment", "github.event.comment"]
+ - ["discussion", "github.event.discussion"]
+ - ["discussion_comment", "github.event.comment"]
+ - ["discussion_comment", "github.event.discussion"]
+ - ["issues", "github.event.issue"]
+ - ["issue_comment", "github.event.issue"]
+ - ["issue_comment", "github.event.comment"]
+ - ["gollum", "github.event.pages"]
+ - ["merge_group", "github.event.merge_group"]
+ - ["pull_request", "github.event.pull_request"]
+ - ["pull_request", "github.head_ref"]
+ - ["pull_request_comment", "github.event.comment"]
+ - ["pull_request_comment", "github.event.pull_request"]
+ - ["pull_request_comment", "github.head_ref"]
+ - ["pull_request_review", "github.event.pull_request"]
+ - ["pull_request_review", "github.event.review"]
+ - ["pull_request_review", "github.head_ref"]
+ - ["pull_request_review_comment", "github.event.comment"]
+ - ["pull_request_review_comment", "github.event.pull_request"]
+ - ["pull_request_review_comment", "github.event.review"]
+ - ["pull_request_review_comment", "github.head_ref"]
+ - ["pull_request_target", "github.event.pull_request"]
+ - ["pull_request_target", "github.head_ref"]
+ - ["push", "github.event.commits"]
+ - ["push", "github.event.head_commit"]
+ - ["repository_dispatch", "github.event.client_payload"]
+ - ["workflow_dispatch", "github.event.inputs"]
+ - ["workflow_run", "github.event.workflow"]
+ - ["workflow_run", "github.event.workflow_run"]
+ # workflow_call receives the same event payload as the calling workflow
+ - ["workflow_call", "github.event.client_payload"]
+ - ["workflow_call", "github.event.comment"]
+ - ["workflow_call", "github.event.commits"]
+ - ["workflow_call", "github.event.discussion"]
+ - ["workflow_call", "github.event.head_commit"]
+ - ["workflow_call", "github.event.inputs"]
+ - ["workflow_call", "github.event.issue"]
+ - ["workflow_call", "github.event.merge_group"]
+ - ["workflow_call", "github.event.pages"]
+ - ["workflow_call", "github.event.pull_request"]
+ - ["workflow_call", "github.event.review"]
+ - ["workflow_call", "github.event.workflow"]
+ - ["workflow_call", "github.event.workflow_run"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
index 995fefe4a15e..4ca3753f50cd 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_target.yml
@@ -4,8 +4,8 @@ jobs:
 echo-chamber:
 runs-on: ubuntu-latest
 steps:
- - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, but we will still report it
- - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, but we will still report it
+ - run: echo '${{ github.event.issue.title }}' # not defined for this trigger, so we should not report it
+ - run: echo '${{ github.event.issue.body }}' # not defined for this trigger, so we should not report it
 - run: echo '${{ github.event.pull_request.title }}'
 - run: echo '${{ github.event.pull_request.body }}'
 - run: echo '${{ github.event.pull_request.head.label }}'
@@ -14,3 +14,4 @@ jobs:
 - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
 - run: echo '${{ github.event.pull_request.head.ref }}'
 - run: echo '${{ github.head_ref }}'
+
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
index afd39605bb31..9992fd8e4cbd 100644
--- a/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
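Review bot: The three rows keyed on `pull_request_comment` cannot match anything: as far as I know there is no GitHub Actions event of that name — comments on a pull request arrive as `issue_comment` (with `github.event.issue.pull_request` set) and review comments as `pull_request_review_comment`, both already mapped here — so `getATriggerEvent().getName()` will never equal it and the rows should be removed or renamed. The `workflow_call` block, which the inline comment says receives the caller's payload, maps every `github.event.*` prefix used elsewhere in this table but omits `github.head_ref`, although that prefix is mapped for `pull_request`, `pull_request_target` and the review events; add `- ["workflow_call", "github.head_ref"]` so a reusable workflow called from a `pull_request_target` workflow still reports the branch source. A short comment above the table stating that a row's prefix is matched as a substring of the normalized expression (so `toJSON(github.event.comment)` counts) would also help contributors who extend it.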
+++ b/ql/test/query-tests/Security/CWE-094/.github/workflows/self_needs.yml
@@ -13,7 +13,7 @@ jobs:
 - id: source
 uses: mad9000/actions-find-and-replace-string@3
 with:
- source: ${{ github.event['head_commit']['message'] }}
+ source: ${{ github.event['comment']['body'] }}
 find: 'foo'
 replace: ''
 - run: ${{ steps.source.outputs.value }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
index 34e173a055b5..dc653a074e98 100644
--- a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
+++ b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -50,7 +50,7 @@ edges
 | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] |
 | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value |
 | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value |
-| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] |
+| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] |
 | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value |
 | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] |
 | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files |
@@ -183,8 +183,6 @@ nodes | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -206,7 +204,7 @@ nodes | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | 
@@ -254,7 +252,6 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | .github/workflows/changed-files.yml:15:9:18:6 | Uses Step: changed-files1 | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:20:24:20:76 | steps.changed-files1.outputs.all_changed_files | ${{ steps.changed-files1.outputs.all_changed_files }} | 
@@ -262,4 +259,3 @@ subpaths | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | .github/workflows/changed-files.yml:53:9:56:6 | Uses Step: changed-files5 | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changed-files.yml:58:24:58:76 | steps.changed-files5.outputs.all_changed_files | ${{ steps.changed-files5.outputs.all_changed_files }} | | .github/workflows/changelog.yml:58:26:58:39 | env.log | .github/workflows/changelog.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog.yml:58:26:58:39 | env.log | ${{ env.log }} | | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | .github/workflows/changelog_from_prt.yml:49:19:49:56 | github.event.pull_request.title | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/changelog_from_prt.yml:58:26:58:39 | env.log | ${{ env.log }} | -| action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | action1/action.yml:14:19:14:50 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | action1/action.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected index 4b2704043737..ab0a69a8fa8b 100644 --- a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected +++ b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected 
@@ -50,7 +50,7 @@ edges | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:22:20:22:64 | steps.source.outputs.all_changed_files | 
@@ -183,8 +183,6 @@ nodes | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | semmle.label | github.event.pull_request.head.repo.homepage | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | semmle.label | github.event.issue.title | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | semmle.label | github.event.issue.body | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label | 
@@ -206,7 +204,7 @@ nodes | .github/workflows/self_needs.yml:11:7:12:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] | | .github/workflows/self_needs.yml:11:20:11:52 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:13:9:19:6 | Uses Step: source [value] | semmle.label | Uses Step: source [value] | -| .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | semmle.label | github.event['head_commit']['message'] | +| .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | semmle.label | github.event['comment']['body'] | | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | semmle.label | steps.source.outputs.value | | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | semmle.label | needs.test1.outputs.job_output | | .github/workflows/simple1.yml:8:9:14:6 | Uses Step: summary [value] | semmle.label | Uses Step: summary [value] | 
@@ -254,7 +252,6 @@ nodes | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name | | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch | | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description | -| action1/action.yml:14:19:14:50 | github.event.comment.body | semmle.label | github.event.comment.body | subpaths #select | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | .github/workflows/argus_case_study.yml:17:25:17:53 | github.event.issue.title | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/argus_case_study.yml:27:33:27:77 | steps.remove_quotations.outputs.replaced | ${{steps.remove_quotations.outputs.replaced}} | 
@@ -312,8 +309,6 @@ subpaths | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:12:19:12:69 | github.event.pull_request.head.repo.homepage | ${{ github.event.pull_request.head.repo.homepage }} | | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:13:19:13:59 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} | | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review_comment.yml:14:19:14:50 | github.event.comment.body | ${{ github.event.comment.body }} | -| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:7:19:7:49 | github.event.issue.title | ${{ github.event.issue.title }} | -| .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:8:19:8:48 | github.event.issue.body | ${{ github.event.issue.body }} | | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:9:19:9:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} | | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_target.yml:10:19:10:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} | | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/pull_request_target.yml:11:19:11:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} | 
@@ -332,8 +327,8 @@ subpaths | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} | | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} | | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} | -| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | -| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:64 | github.event['head_commit']['message'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | +| .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:19:15:19:47 | steps.source.outputs.value | ${{ steps.source.outputs.value }} | +| .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | .github/workflows/self_needs.yml:16:20:16:57 | github.event['comment']['body'] | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/self_needs.yml:20:15:20:51 | needs.test1.outputs.job_output | ${{ needs.test1.outputs.job_output }} | | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. 
| .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} | | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | .github/workflows/simple2.yml:14:9:18:6 | Uses Step: source | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple2.yml:29:24:29:54 | steps.step.outputs.value | ${{ steps.step.outputs.value }} | | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/simple3.yml:20:31:20:74 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} | diff --git a/ql/test/query-tests/Security/CWE-094/action1/action.yml b/ql/test/query-tests/Security/CWE-094/action1/action.yml deleted file mode 100644 index 8bfa15b405c5..000000000000 --- a/ql/test/query-tests/Security/CWE-094/action1/action.yml +++ /dev/null @@ -1,14 +0,0 @@ -name: 'test' -description: 'test' -branding: - icon: 'test' - color: 'test' -inputs: - test: - description: test - required: false - default: 'test' -runs: - using: "composite" - steps: - - run: echo '${{ github.event.comment.body }}'