fix: improve JS require/import poisonable step to account for cwd

Alvaro Muñoz · Alvaro Muñoz · commit 0157bf3297d1 · 2024-10-30T22:12:17.000+01:00
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -21,9 +21,10 @@ class JavascriptImportUsesStep extends PoisonableStep, UsesStep {
       this.getCallee() = "actions/github-script" and
       script = this.getArgument("script") and
       line = script.splitAt("\n").trim() and
+      // const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')
       // const script = require('${{ github.workspace }}/scripts/test.js');
-      // await script({ github, context, core });
-      line.regexpMatch(".*(import|require)\\b.*github.workspace\\b.*")
+      // const script = require('./scripts');
+      line.regexpMatch(".*(import|require)\\(('|\")(\\./|.*github.workspace).*")
     )
   }
 }
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test29.yml
@@ -0,0 +1,21 @@
+on: pull_request_target
+
+jobs:
+  test:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        fetch-depth: 0
+      
+    - uses: actions/github-script@v5
+      with:
+        github-token: ${{secrets.GITHUB_TOKEN}}
+        script: |
+          const {
+            foo
+          } = require('./foo');
+          
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -285,6 +285,7 @@ edges
 | .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step |
 | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step |
 | .github/workflows/test28.yml:17:9:20:6 | Uses Step | .github/workflows/test28.yml:20:9:20:22 | Run Step |
+| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
 | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
@@ -346,6 +347,7 @@ edges
 | .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
 | .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
 | .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
 | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
 | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |

Original file line number	Diff line number	Diff line change
`@@ -21,9 +21,10 @@ class JavascriptImportUsesStep extends PoisonableStep, UsesStep {`
`21`	`21`	`this.getCallee() = "actions/github-script" and`
`22`	`22`	`script = this.getArgument("script") and`
`23`	`23`	`line = script.splitAt("\n").trim() and`
	`24`	`+ // const { default: foo } = await import('${{ github.workspace }}/scripts/foo.mjs')`
`24`	`25`	`// const script = require('${{ github.workspace }}/scripts/test.js');`
`25`		`- // await script({ github, context, core });`
`26`		`- line.regexpMatch(".(import\|require)\\b.github.workspace\\b.*")`
	`26`	`+ // const script = require('./scripts');`
	`27`	`+ line.regexpMatch(".(import\|require)\\(('\|\")(\\./\|.github.workspace).*")`
`27`	`28`	`)`
`28`	`29`	`}`
`29`	`30`	`}`