Merge pull request #48 from GitHubSecurityLab/new_untrusted_checkout_step

Alvaro Muñoz · web-flow · commit 1cdcb3271b01 · 2024-04-17T11:56:10.000+02:00
new untrusted checkout step
diff --git a/ql/lib/ext/sergeysova_jq-action.model.yml b/ql/lib/ext/sergeysova_jq-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: githubsecuritylab/actions-all
+      extensible: sinkModel
+    data:
+      - ["sergeysova/jq-action", "*", "input.cmd", "code-injection", "manual"]
+
diff --git a/ql/src/Security/CWE-829/UntrustedCheckout.ql b/ql/src/Security/CWE-829/UntrustedCheckout.ql
@@ -66,7 +66,8 @@ predicate containsHeadRef(string s) {
             "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.head\\.sha\\b",
             "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.id\\b",
             "\\bgithub\\.event\\.check_run\\.pull_requests\\[\\d+\\]\\.number\\b",
-            "\\bhead\\.sha\\b", "\\bhead\\.ref\\b"
+            // heuristics
+            "\\bhead\\.sha\\b", "\\bhead\\.ref\\b", "\\bpr_number\\b", "\\bpr_head_sha\\b"
           ], _, _)
   )
 }
@@ -121,6 +122,24 @@ class GitCheckout extends PRHeadCheckoutStep instanceof Run {
   }
 }
 
+/** Checkout of a Pull Request HEAD ref using gh within a Run step */
+class GhCheckout extends PRHeadCheckoutStep instanceof Run {
+  GhCheckout() {
+    exists(string line |
+      this.getScript().splitAt("\n") = line and
+      line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+      (
+        containsHeadRef(line)
+        or
+        exists(string varname |
+          containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) and
+          exists(line.regexpFind(varname, _, _))
+        )
+      )
+    )
+  }
+}
+
 from Workflow w, PRHeadCheckoutStep checkout
 where
   w.isPrivileged() and
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout2.yml
@@ -0,0 +1,19 @@
+on: issue_comment
+  
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get PR number
+        id: pr_number
+        if: ${{ github.event_name == 'issue_comment'}}
+        run: |
+          PR_URL="${{ github.event.issue.pull_request.url }}"
+          PR_NUMBER=${PR_URL##*/}
+          echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
+      - name: Checkout Pull Request
+        if: github.event_name == 'issue_comment'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            gh pr checkout ${{ needs.should_run_it.outputs.pr_number }}
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckout.expected
@@ -18,6 +18,7 @@
 | .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:10:9:13:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/untrusted_checkout.yml:13:9:15:31 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
