Skip to content

Commit 6430802

Browse files
committed
Add UntrustedCheckoutTOCTOUX ControlCheck model fix
1 parent a84332a commit 6430802

3 files changed

Lines changed: 5 additions & 4 deletions

File tree

actions/ql/lib/codeql/actions/security/ControlChecks.qll

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -144,9 +144,7 @@ class EnvironmentCheck extends ControlCheck instanceof Environment {
144144
// Environment checks are not effective against any mutable attacks
145145
// they do actually protect against untrusted code execution (sha)
146146
override predicate protectsCategoryAndEvent(string category, string event) {
147-
event = actor_is_attacker_event() and category = any_category()
148-
or
149-
event = actor_not_attacker_event() and category = non_toctou_category()
147+
event = [actor_is_attacker_event(), actor_not_attacker_event()] and category = non_toctou_category()
150148
}
151149
}
152150

actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,8 @@ where
2323
// the checked-out code may lead to arbitrary code execution
2424
checkout.getAFollowingStep() = step and
2525
// the checkout occurs in a privileged context
26-
inPrivilegedContext(checkout, event) and
26+
inPrivilegedContext(checkout, event)
27+
and
2728
// the mutable checkout step is protected by an Insufficient access check
2829
exists(ControlCheck check1 | check1.protects(checkout, event, "untrusted-checkout")) and
2930
not exists(ControlCheck check2 | check2.protects(checkout, event, "untrusted-checkout-toctou"))

actions/ql/test/query-tests/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -99,6 +99,8 @@ edges
9999
#select
100100
| .github/workflows/comment.yml:58:9:60:2 | Run Step | .github/workflows/comment.yml:54:9:58:6 | Uses Step | .github/workflows/comment.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
101101
| .github/workflows/comment.yml:68:9:68:43 | Run Step | .github/workflows/comment.yml:64:9:68:6 | Uses Step | .github/workflows/comment.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/comment.yml:4:3:4:15 | issue_comment | issue_comment |
102+
| .github/workflows/deployment1.yml:27:10:30:7 | Run Step | .github/workflows/deployment1.yml:16:10:22:7 | Uses Step | .github/workflows/deployment1.yml:27:10:30:7 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/deployment1.yml:5:3:5:21 | pull_request_target | pull_request_target |
103+
| .github/workflows/deployment1.yml:30:10:31:53 | Run Step | .github/workflows/deployment1.yml:16:10:22:7 | Uses Step | .github/workflows/deployment1.yml:30:10:31:53 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/deployment1.yml:5:3:5:21 | pull_request_target | pull_request_target |
102104
| .github/workflows/test0.yml:58:9:60:2 | Run Step | .github/workflows/test0.yml:54:9:58:6 | Uses Step | .github/workflows/test0.yml:58:9:60:2 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
103105
| .github/workflows/test0.yml:68:9:68:43 | Run Step | .github/workflows/test0.yml:64:9:68:6 | Uses Step | .github/workflows/test0.yml:68:9:68:43 | Run Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test0.yml:4:3:4:15 | issue_comment | issue_comment |
104106
| .github/workflows/test4.yml:85:7:88:54 | Uses Step | .github/workflows/test4.yml:79:7:85:4 | Uses Step | .github/workflows/test4.yml:85:7:88:54 | Uses Step | Insufficient protection against execution of untrusted code on a privileged workflow ($@). | .github/workflows/test4.yml:5:3:5:15 | issue_comment | issue_comment |

0 commit comments

Comments
 (0)