Merge pull request #25 from GitHubSecurityLab/add_tests

test: Add tests

.gitignore

@@ -2,3 +2,4 @@
 **/*.testproj
 ql/lib/.codeql/
 ql/src/.codeql/
+ql/test/.codeql/

codeql-workspace.yml

@@ -1,3 +1,4 @@
 provide:
   - "**/ql/src/qlpack.yml"
-  - "**/ql/lib/qlpack.yml"
+  - "**/ql/lib/qlpack.yml"
+  - "**/ql/test/qlpack.yml"

ql/lib/codeql/actions/Ast.qll

@@ -270,7 +270,12 @@ class StepUsesExpr extends StepStmt, UsesExpr {
 
   override string getCallee() { result = uses.getGitHubRepository() }
 
-  override string getVersion() { result = uses.getVersion() }
+  override string getVersion() {
+    result = uses.getVersion()
+    or
+    not exists(uses.getVersion()) and
+    result = "main"
+  }
 
   override Expression getArgumentExpr(string key) {
     exists(Actions::With with |

ql/lib/codeql/actions/ast/internal/Actions.qll

@@ -6,7 +6,6 @@
 import codeql.actions.ast.internal.Yaml
 import codeql.files.FileSystem
 
-// ALVARO: Make it private
 /**
  * Libraries for modeling GitHub Actions workflow files written in YAML.
  * See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions.
@@ -376,7 +375,6 @@ module Actions {
   }
 
   /**
-   * ALVARO
    * https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idneeds
    */
   class Needs extends YamlNode {

ql/lib/qlpack.yml

@@ -10,7 +10,6 @@ dependencies:
   codeql/dataflow: ^0.1.7
 dbscheme: yaml.dbscheme
 extractor: yaml
-tests: test
 groups:
   - yaml
 dataExtensions:

ql/src/Security/CWE-829/UnpinnedActionsTag.ql

@@ -24,15 +24,15 @@ private predicate isTrustedOrg(string repo) {
 from StepUsesExpr uses, string repo, string version, WorkflowStmt workflow, string name
 where
   uses.getCallee() = repo and
-  uses.getVersion() = version and
   uses.getEnclosingWorkflowStmt() = workflow and
   (
     workflow.getName() = name
     or
     not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
   ) and
-  not isPinnedCommit(version) and
-  not isTrustedOrg(repo)
+  uses.getVersion() = version and
+  not isTrustedOrg(repo) and
+  not isPinnedCommit(version)
 select uses,
   "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
     "', not a pinned commit hash", uses, uses.toString()

ql/src/Security/CWE-094/UntrustedCheckout.ql → ql/src/Security/CWE-829/UntrustedCheckout.ql

@@ -10,7 +10,7 @@
  * @id actions/untrusted-checkout
  * @tags actions
  *       security
- *       external/cwe/cwe-094
+ *       external/cwe/cwe-829
  */
 
 import actions

ql/src/qlpack.yml

@@ -11,4 +11,3 @@ defaultSuiteFile: codeql-suites/actions-code-scanning.qls
 dependencies:
   githubsecuritylab/actions-all: ${workspace}
 warnOnImplicitThis: true
-tests: test

ql/test/codeql-pack.lock.yml

@@ -0,0 +1,16 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/controlflow:
+    version: 0.1.8
+  codeql/dataflow:
+    version: 0.1.8
+  codeql/ssa:
+    version: 0.2.8
+  codeql/typetracking:
+    version: 0.2.8
+  codeql/util:
+    version: 0.2.8
+  codeql/yaml:
+    version: 0.2.9
+compiled: false

ql/test/qlpack.yml

@@ -0,0 +1,12 @@
+---
+name: githubsecuritylab/actions-tests
+groups:
+  - actions
+  - test
+dependencies:
+  githubsecuritylab/actions-all: ${workspace}
+  githubsecuritylab/actions-queries: ${workspace}
+extractor: yaml
+tests: .
+warnOnImplicitThis: true
+

ql/src/test/.github/workflows/calling_composite.yml → ql/test/query-tests/Security/CWE-020/.github/workflows/calling_composite.yml

@@ -12,3 +12,4 @@ jobs:
           who-to-greet: ${{ github.event.pull_request.head.ref }} 
       - run: echo ${{ steps.foo.outputs.reflected}}
       - run: echo ${{ steps.foo.outputs.tainted}}
+

ql/src/test/.github/workflows/calling_workflow.yml → ql/test/query-tests/Security/CWE-020/.github/workflows/calling_workflow.yml

@@ -44,3 +44,4 @@ jobs:
     needs: call4
     steps:
       - run: echo ${{ needs.call4.outputs.workflow-output }}
+

ql/src/test/.github/workflows/reusable_workflow.yml → ql/test/query-tests/Security/CWE-020/.github/workflows/reusable_workflow.yml

@@ -31,3 +31,4 @@ jobs:
       - name: Get changed files
         id: step2
         uses: tj-actions/changed-files@v40
+

ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.expected

@@ -0,0 +1,15 @@
+edges
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:28:17:28:42 | ${{ inp ... reet }} |
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." |
+| action1/action.yml:24:7:31:4 | name: Remove foo [value] | action1/action.yml:32:12:32:50 | echo ${ ... alue }} |
+| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | action1/action.yml:24:7:31:4 | name: Remove foo [value] |
+nodes
+| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
+| action1/action.yml:24:7:31:4 | name: Remove foo [value] | semmle.label | name: Remove foo [value] |
+| action1/action.yml:28:17:28:42 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
+| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | semmle.label | echo ${ ... alue }} |
+| action1/action.yml:35:12:35:51 | echo "H ... et }}." | semmle.label | echo "H ... et }}." |
+subpaths
+#select
+| action1/action.yml:32:12:32:50 | echo ${ ... alue }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:32:12:32:50 | echo ${ ... alue }} | Sink |
+| action1/action.yml:35:12:35:51 | echo "H ... et }}." | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:35:12:35:51 | echo "H ... et }}." | Sink |

ql/test/query-tests/Security/CWE-020/CompositeActionsSinks.qlref

@@ -0,0 +1 @@
+Security/CWE-020/CompositeActionsSinks.ql

ql/test/query-tests/Security/CWE-020/CompositeActionsSources.expected

@@ -0,0 +1,12 @@
+edges
+| action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:48:18:48:69 | ${{ ste ... iles }} |
+| action1/action.yml:44:7:48:70 | id: source [tainted] | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} |
+| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | action1/action.yml:44:7:48:70 | id: source [tainted] |
+nodes
+| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | semmle.label | ${{ ste ... inted}} |
+| action1/action.yml:42:7:44:4 | id: changed-files | semmle.label | id: changed-files |
+| action1/action.yml:44:7:48:70 | id: source [tainted] | semmle.label | id: source [tainted] |
+| action1/action.yml:48:18:48:69 | ${{ ste ... iles }} | semmle.label | ${{ ste ... iles }} |
+subpaths
+#select
+| action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | action1/action.yml:42:7:44:4 | id: changed-files | action1/action.yml:14:12:14:45 | ${{ ste ... inted}} | Source |

ql/test/query-tests/Security/CWE-020/CompositeActionsSources.qlref

@@ -0,0 +1,2 @@
+Security/CWE-020/CompositeActionsSources.ql
+

ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.expected

@@ -0,0 +1,12 @@
+edges
+| action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:41:29:41:54 | ${{ inp ... reet }} |
+| action1/action.yml:37:7:42:4 | id: reflector  [reflected] | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} |
+| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | action1/action.yml:37:7:42:4 | id: reflector  [reflected] |
+nodes
+| action1/action.yml:4:3:4:14 | input who-to-greet | semmle.label | input who-to-greet |
+| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | semmle.label | ${{ ste ... cted }} |
+| action1/action.yml:37:7:42:4 | id: reflector  [reflected] | semmle.label | id: reflector  [reflected] |
+| action1/action.yml:41:29:41:54 | ${{ inp ... reet }} | semmle.label | ${{ inp ... reet }} |
+subpaths
+#select
+| action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | action1/action.yml:4:3:4:14 | input who-to-greet | action1/action.yml:11:12:11:51 | ${{ ste ... cted }} | Summary |

ql/test/query-tests/Security/CWE-020/CompositeActionsSummaries.qlref

@@ -0,0 +1,2 @@
+Security/CWE-020/CompositeActionsSummaries.ql
+

ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.expected

@@ -0,0 +1,8 @@
+edges
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| |
+nodes
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
+| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | semmle.label | \| |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:28:14:30:62 | \| | Sink |

ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSinks.qlref

@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSinks.ql
+

ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.expected

@@ -0,0 +1,12 @@
+edges
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} |
+| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} |
+nodes
+| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | semmle.label | ${{ job ... put2 }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output2] | semmle.label | job-out ... utput}} [job-output2] |
+| .github/workflows/reusable_workflow.yml:23:20:23:62 | ${{ ste ... files}} | semmle.label | ${{ ste ... files}} |
+| .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | semmle.label | name: G ... d files |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | .github/workflows/reusable_workflow.yml:31:9:33:43 | name: G ... d files | .github/workflows/reusable_workflow.yml:13:16:13:51 | ${{ job ... put2 }} | Source |

ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSources.qlref

@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSources.ql
+

ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.expected

@@ -0,0 +1,16 @@
+edges
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} |
+| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} |
+| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] |
+nodes
+| .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | semmle.label | input config-path |
+| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | semmle.label | ${{ job ... put1 }} |
+| .github/workflows/reusable_workflow.yml:22:7:24:4 | job-out ... utput}} [job-output1] | semmle.label | job-out ... utput}} [job-output1] |
+| .github/workflows/reusable_workflow.yml:22:20:22:56 | ${{ ste ... utput}} | semmle.label | ${{ ste ... utput}} |
+| .github/workflows/reusable_workflow.yml:25:9:31:6 | id: step1 [step-output] | semmle.label | id: step1 [step-output] |
+| .github/workflows/reusable_workflow.yml:27:24:27:48 | ${{ inp ... path }} | semmle.label | ${{ inp ... path }} |
+subpaths
+#select
+| .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | .github/workflows/reusable_workflow.yml:6:7:6:17 | input config-path | .github/workflows/reusable_workflow.yml:11:16:11:51 | ${{ job ... put1 }} | Summary |

ql/test/query-tests/Security/CWE-020/ReusableWorkflowsSummaries.qlref

@@ -0,0 +1,2 @@
+Security/CWE-020/ReusableWorkflowsSummaries.ql
+

ql/src/test/composite-actions/action.yml → ql/test/query-tests/Security/CWE-020/action1/action.yml

@@ -48,3 +48,4 @@ runs:
         TAINTED: ${{ steps.changed-files.outputs.all_changed_files }}
 
 
+

ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue.yml

@@ -0,0 +1,28 @@
+on: issue_comment
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: |
+        echo '${{ github.event.comment.body }}'
+
+  echo-chamber2:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.comment.body }}'
+    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ github.event.issue.title }}'
+
+  echo-chamber3:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/github-script@v3
+      with:
+        script: console.log('${{ github.event.comment.body }}')
+    - uses: actions/github-script@v3
+      with:
+        script: console.log('${{ github.event.issue.body }}')
+    - uses: actions/github-script@v3
+      with:
+        script: console.log('${{ github.event.issue.title }}')

ql/test/query-tests/Security/CWE-094/.github/workflows/comment_issue_newline.yml

@@ -0,0 +1,10 @@
+on: issue_comment
+
+# same as comment_issue but this file ends with a line break
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo '${{ github.event.comment.body }}'

ql/test/query-tests/Security/CWE-094/.github/workflows/discussion.yml

@@ -0,0 +1,8 @@
+on: discussion
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.body }}'

ql/test/query-tests/Security/CWE-094/.github/workflows/discussion_comment.yml

@@ -0,0 +1,9 @@
+on: discussion_comment
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.discussion.title }}'
+    - run: echo '${{ github.event.discussion.body }}'
+    - run: echo '${{ github.event.comment.body }}'

ql/test/query-tests/Security/CWE-094/.github/workflows/gollum.yml

@@ -0,0 +1,11 @@
+on: gollum
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.pages[1].title }}'
+    - run: echo '${{ github.event.pages[11].title }}'
+    - run: echo '${{ github.event.pages[0].page_name }}'
+    - run: echo '${{ github.event.pages[2222].page_name }}'
+    - run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe

ql/test/query-tests/Security/CWE-094/.github/workflows/issues.yaml

@@ -0,0 +1,20 @@
+on: issues
+
+env:
+  global_env: ${{ github.event.issue.title }}
+  test: test
+
+jobs:
+  echo-chamber:
+    env:
+      job_env: ${{ github.event.issue.title }}
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.issue.title }}'
+    - run: echo '${{ github.event.issue.body }}'
+    - run: echo '${{ env.global_env }}'
+    - run: echo '${{ env.test }}'
+    - run: echo '${{ env.job_env }}'
+    - run: echo '${{ env.step_env }}'
+      env:
+        step_env: ${{ github.event.issue.title }}

ql/test/query-tests/Security/CWE-094/.github/workflows/pull_request_review.yml

@@ -0,0 +1,14 @@
+on: pull_request_review
+
+jobs:
+  echo-chamber:
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo '${{ github.event.pull_request.title }}'
+    - run: echo '${{ github.event.pull_request.body }}'
+    - run: echo '${{ github.event.pull_request.head.label }}'
+    - run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
+    - run: echo '${{ github.event.pull_request.head.repo.description }}'
+    - run: echo '${{ github.event.pull_request.head.repo.homepage }}'
+    - run: echo '${{ github.event.pull_request.head.ref }}'
+    - run: echo '${{ github.event.review.body }}'