Merge pull request #93 from github/ppe_from_rfs

Alvaro Muñoz · web-flow · commit 05d4b3c9f4f0 · 2024-09-27T21:39:16.000+02:00
Add remote flow sources as a mutable ref source for untrusted checkouts
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -1,5 +1,6 @@
 import actions
 private import codeql.actions.DataFlow
+private import codeql.actions.dataflow.FlowSources
 private import codeql.actions.TaintTracking
 
 /**
@@ -8,6 +9,17 @@ private import codeql.actions.TaintTracking
  */
 private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
+    // remote flow sources
+    source instanceof ArtifactSource
+    or
+    source instanceof GitHubCtxSource
+    or
+    source instanceof GitHubEventCtxSource
+    or
+    source instanceof GitHubEventJsonSource
+    or
+    source instanceof MaDSource
+    or
     // `ref` argument contains the PR id/number or head ref
     exists(Expression e |
       source.asExpr() = e and
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -266,6 +266,10 @@ edges
 #select
 | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/reusable_workflows/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | .github/workflows/reusable_caller1.yaml |
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/actor_trusted_checkout.yml:2:3:2:21 | pull_request_target | .github/workflows/actor_trusted_checkout.yml |
+| .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml |
+| .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning91.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning91.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning91.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning91.yml |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml |
+| .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:9:29:27 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | .github/workflows/artifactpoisoning92.yml |
 | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
 | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
 | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Execution of untrusted code on a privileged workflow. $@ | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | .github/workflows/auto_ci.yml |
