

Commit 99d634c

committed
Add more sources, more unit tests, fixes to the GitHub Actions injection query
1 parent 69619f1 commit 99d634c

13 files changed

Lines changed: 220 additions & 19 deletions


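--- a/javascript/ql/lib/semmle/javascript/Actions.qll
+++ b/javascript/ql/lib/semmle/javascript/Actions.qll
@@ -267,8 +267,8 @@ module Actions {
 // not just the last (greedy match) or first (reluctant match).
 result =
 this.getValue()
-.regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\.\\-]+\\s*\\}\\}", _, _)
-.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\.\\-]+)\\s*\\}\\}", 1)
+.regexpFind("\\$\\{\\{\\s*[A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+\\s*\\}\\}", _, _)
+.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\((\\)\\.\\-]+)\\s*\\}\\}", 1)
 }
 }
 }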
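Review bot: The character class in the new regexpCapture pattern contains `\\((\\)` where the regexpFind pattern on the line above has `\\(\\)`, so an unescaped `(` was left in and the class lists `(` twice; inside a character class that is harmless and the capture still returns the text the find step located, but the two classes are meant to be identical and now silently differ. Suggest `.regexpCapture("\\$\\{\\{\\s*([A-Za-z0-9_\\[\\]\\*\\(\\)\\.\\-]+)\\s*\\}\\}", 1)`, or binding the class once in a local string that both calls share so the two cannot drift again. Note that widening the class to `[`, `]`, `*`, `(` and `)` means call expressions such as `toJSON(...)` are now returned whole as "simple reference expressions"; that only stays sound because the downstream `regexpMatch` predicates match the full string and so reject the `toJSON(` prefix, which is worth stating in the comment above this predicate. The enclosing predicate starts outside the hunk.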

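--- a/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
+++ b/javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
@@ -30,7 +30,10 @@ private predicate isExternalUserControlledPullRequest(string context) {
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*body\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*label\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*default_branch\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*description\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*repo\\s*\\.\\s*homepage\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pull_request\\s*\\.\\s*head\\s*\\.\\s*ref\\b",
+"\\bgithub\\s*\\.\\s*head_ref\\b"
 ]
 |
 context.regexpMatch(reg)
@@ -39,8 +42,7 @@ private predicate isExternalUserControlledPullRequest(string context) {
 
 bindingset[context]
 private predicate isExternalUserControlledReview(string context) {
-context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b") or
-context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review_comment\\s*\\.\\s*body\\b")
+context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*review\\s*\\.\\s*body\\b")
 }
 
 bindingset[context]
@@ -50,22 +52,25 @@ private predicate isExternalUserControlledComment(string context) {
 
 bindingset[context]
 private predicate isExternalUserControlledGollum(string context) {
-context
-.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*page_name\\b")
+context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*page_name\\b") or
+context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*pages\\[[0-9]+\\]\\s*\\.\\s*title\\b")
 }
 
 bindingset[context]
 private predicate isExternalUserControlledCommit(string context) {
 exists(string reg |
 reg =
 [
-"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*message\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*message\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*email\\b",
 "\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*author\\s*\\.\\s*name\\b",
-"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*author\\s*\\.\\s*email\\b",
-"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits(?:\\[[0-9]\\]|\\s*\\.\\s*\\*)+\\s*\\.\\s*author\\s*\\.\\s*name\\b",
-"\\bgithub\\s*\\.\\s*head_ref\\b"
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*email\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*head_commit\\s*\\.\\s*committer\\s*\\.\\s*name\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*email\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*author\\s*\\.\\s*name\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*email\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*commits\\[[0-9]+\\]\\s*\\.\\s*committer\\s*\\.\\s*name\\b",
 ]
 |
 context.regexpMatch(reg)
@@ -78,6 +83,25 @@ private predicate isExternalUserControlledDiscussion(string context) {
 context.regexpMatch("\\bgithub\\s*\\.\\s*event\\s*\\.\\s*discussion\\s*\\.\\s*body\\b")
 }
 
+bindingset[context]
+private predicate isExternalUserControlledWorkflowRun(string context) {
+exists(string reg |
+reg =
+[
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_branch\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*display_title\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_repository\\b\\s*\\.\\s*description\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*message\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*email\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*author\\b\\s*\\.\\s*name\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*email\\b",
+"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\b\\s*\\.\\s*committer\\b\\s*\\.\\s*name\\b",
+]
+|
+context.regexpMatch(reg)
+)
+}
+
 from Actions::Run run, string context, Actions::On on
 where
 run.getASimpleReferenceExpression() = context and
@@ -89,20 +113,29 @@ where
 exists(on.getNode("pull_request_target")) and
 isExternalUserControlledPullRequest(context)
 or
-(exists(on.getNode("pull_request_review_comment")) or exists(on.getNode("pull_request_review"))) and
-isExternalUserControlledReview(context)
+exists(on.getNode("pull_request_review")) and
+(isExternalUserControlledReview(context) or isExternalUserControlledPullRequest(context))
 or
-(exists(on.getNode("issue_comment")) or exists(on.getNode("pull_request_target"))) and
-isExternalUserControlledComment(context)
+exists(on.getNode("pull_request_review_comment")) and
+(isExternalUserControlledComment(context) or isExternalUserControlledPullRequest(context))
+or
+exists(on.getNode("issue_comment")) and
+(isExternalUserControlledComment(context) or isExternalUserControlledIssue(context))
 or
 exists(on.getNode("gollum")) and
 isExternalUserControlledGollum(context)
 or
-exists(on.getNode("pull_request_target")) and
+exists(on.getNode("push")) and
 isExternalUserControlledCommit(context)
 or
-(exists(on.getNode("discussion")) or exists(on.getNode("discussion_comment"))) and
+exists(on.getNode("discussion")) and
 isExternalUserControlledDiscussion(context)
+or
+exists(on.getNode("discussion_comment")) and
+(isExternalUserControlledDiscussion(context) or isExternalUserControlledComment(context))
+or
+exists(on.getNode("workflow_run")) and
+isExternalUserControlledWorkflowRun(context)
 )
 select run,
 "Potential injection from the " + context +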
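Review bot: The eight patterns added in isExternalUserControlledWorkflowRun write the path separators as `\\b\\s*\\.\\s*` (for example `head_commit\\b\\s*\\.\\s*message\\b`), whereas every other list in the file writes `\\s*\\.\\s*`; the extra `\\b` after a word character is redundant, but it makes the new list read differently from the lists it sits beside and harder to compare against the event payload field names. Dropping it, e.g. `"\\bgithub\\s*\\.\\s*event\\s*\\.\\s*workflow_run\\s*\\.\\s*head_commit\\s*\\.\\s*message\\b"`, keeps the file uniform. The new list and the extended commits list in the earlier hunk also end with a trailing comma before `]`, unlike the pull_request list in the first hunk; if that is accepted by the QL version the repository builds with it is only a style difference, but it is worth settling on one form. A short QLDoc above the new predicate, such as `/** Holds if `context` reads a field of the `workflow_run` event payload that is controlled by the run's originating branch or commit. */`, would make its scope explicit the way the predicate name only hints at; `isExternalUserControlledIssue`, referenced from the issue_comment branch, is defined outside the shown hunks.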

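--- a/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
+++ b/javascript/ql/test/query-tests/Security/CWE-094/ExpressionInjection/.github/workflows/comment_issue.yml
@@ -10,5 +10,6 @@ jobs:
 echo-chamber2:
 runs-on: ubuntu-latest
 steps:
-- run: |
-echo '${{ github.event.comment.body }}'
+- run: echo '${{ github.event.comment.body }}'
+- run: echo '${{ github.event.issue.body }}'
+- run: echo '${{ github.event.issue.title }}'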
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
on: discussion
2+
3+
jobs:
4+
echo-chamber:
5+
runs-on: ubuntu-latest
6+
steps:
7+
- run: echo '${{ github.event.discussion.title }}'
8+
- run: echo '${{ github.event.discussion.body }}'
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
on: discussion_comment
2+
3+
jobs:
4+
echo-chamber:
5+
runs-on: ubuntu-latest
6+
steps:
7+
- run: echo '${{ github.event.discussion.title }}'
8+
- run: echo '${{ github.event.discussion.body }}'
9+
- run: echo '${{ github.event.comment.body }}'
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
on: gollum
2+
3+
jobs:
4+
echo-chamber:
5+
runs-on: ubuntu-latest
6+
steps:
7+
- run: echo '${{ github.event.pages[1].title }}'
8+
- run: echo '${{ github.event.pages[11].title }}'
9+
- run: echo '${{ github.event.pages[0].page_name }}'
10+
- run: echo '${{ github.event.pages[2222].page_name }}'
11+
- run: echo '${{ toJSON(github.event.pages.*.title) }}' # safe
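Review bot: The `# safe` marker on the last step claims more than the query establishes: `toJSON(github.event.pages.*.title)` is still interpolated into a single-quoted shell string, and JSON encoding escapes `"` and control characters but not `'`, so the value is not made inert by the wrapper. What the commit actually changes is that the gollum predicate now matches only `pages[<digits>]` paths, so a wildcard `pages.*` path is left unmatched (and the `toJSON(` prefix appears to keep the full-string regexpMatch from firing in any case); the step is therefore unflagged, not safe. Suggest `# not flagged: wildcard path is outside the query's patterns` so the fixture documents query coverage rather than asserting a safety property.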
Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
on: issues
2+
3+
jobs:
4+
echo-chamber:
5+
runs-on: ubuntu-latest
6+
steps:
7+
- run: echo '${{ github.event.issue.title }}'
8+
- run: echo '${{ github.event.issue.body }}'
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
on: pull_request_review
2+
3+
jobs:
4+
echo-chamber:
5+
runs-on: ubuntu-latest
6+
steps:
7+
- run: echo '${{ github.event.pull_request.title }}'
8+
- run: echo '${{ github.event.pull_request.body }}'
9+
- run: echo '${{ github.event.pull_request.head.label }}'
10+
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
11+
- run: echo '${{ github.event.pull_request.head.repo.description }}'
12+
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
13+
- run: echo '${{ github.event.pull_request.head.ref }}'
14+
- run: echo '${{ github.event.review.body }}'
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
on: pull_request_review_comment
2+
3+
jobs:
4+
echo-chamber:
5+
runs-on: ubuntu-latest
6+
steps:
7+
- run: echo '${{ github.event.pull_request.title }}'
8+
- run: echo '${{ github.event.pull_request.body }}'
9+
- run: echo '${{ github.event.pull_request.head.label }}'
10+
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
11+
- run: echo '${{ github.event.pull_request.head.repo.description }}'
12+
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
13+
- run: echo '${{ github.event.pull_request.head.ref }}'
14+
- run: echo '${{ github.event.comment.body }}'
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
on: pull_request_target
2+
3+
jobs:
4+
echo-chamber:
5+
runs-on: ubuntu-latest
6+
steps:
7+
- run: echo '${{ github.event.issue.title }}' # not defined
8+
- run: echo '${{ github.event.issue.body }}' # not defined
9+
- run: echo '${{ github.event.pull_request.title }}'
10+
- run: echo '${{ github.event.pull_request.body }}'
11+
- run: echo '${{ github.event.pull_request.head.label }}'
12+
- run: echo '${{ github.event.pull_request.head.repo.default_branch }}'
13+
- run: echo '${{ github.event.pull_request.head.repo.description }}'
14+
- run: echo '${{ github.event.pull_request.head.repo.homepage }}'
15+
- run: echo '${{ github.event.pull_request.head.ref }}'
16+
- run: echo '${{ github.head_ref }}'
