models: add models for zentered/issue-forms-parser

Alvaro Muñoz · Alvaro Muñoz · commit 0211902116d2 · 2024-10-31T13:38:17.000+01:00
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -361,6 +361,20 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource {
   override Event getEvent() { result = this.asExpr().getATriggerEvent() }
 }
 
+class ZenteredIssueFormBodyParserSource extends RemoteFlowSource {
+  ZenteredIssueFormBodyParserSource() {
+    exists(UsesStep u |
+      u.getCallee() = "zentered/issue-forms-body-parser" and
+      not exists(u.getArgument("body")) and
+      this.asExpr() = u
+    )
+  }
+
+  override string getSourceType() { result = "text" }
+
+  override Event getEvent() { result = this.asExpr().getATriggerEvent() }
+}
+
 class OctokitRequestActionSource extends RemoteFlowSource {
   OctokitRequestActionSource() {
     exists(UsesStep u, string route |
diff --git a/ql/lib/codeql/actions/dataflow/TaintSteps.qll b/ql/lib/codeql/actions/dataflow/TaintSteps.qll
@@ -91,6 +91,25 @@ predicate xt0rtedSlashCommandActionTaintStep(DataFlow::Node pred, DataFlow::Node
   )
 }
 
+/**
+ * A read of user-controlled field of the zentered/issue-forms-body-parser action.
+ */
+predicate zenteredIssueFormBodyParserSource(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(StepsExpression o |
+    pred instanceof ZenteredIssueFormBodyParserSource and
+    o.getTarget() = pred.asExpr() and
+    o.getStepId() = pred.asExpr().(UsesStep).getId() and
+    (
+      not o instanceof JsonReferenceExpression and
+      o.getFieldName() = "data"
+      or
+      o instanceof JsonReferenceExpression and
+      o.(JsonReferenceExpression).getInnerExpression().matches("%.data")
+    ) and
+    succ.asExpr() = o
+  )
+}
+
 /**
  * A read of user-controlled field of the octokit/request-action action.
  */
@@ -130,6 +149,8 @@ class TaintSteps extends AdditionalTaintStep {
     tjActionsChangedFilesTaintStep(node1, node2) or
     tjActionsVerifyChangedFilesTaintStep(node1, node2) or
     xt0rtedSlashCommandActionTaintStep(node1, node2) or
+    xt0rtedSlashCommandActionTaintStep(node1, node2) or
+    zenteredIssueFormBodyParserSource(node1, node2) or
     octokitRequestActionTaintStep(node1, node2)
   }
 }
diff --git a/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml b/ql/lib/ext/manual/zentered_issue-forms-body-parser.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSummaryModel
+    data:
+      - ["zentered/issue-forms-body-parser", "*", "input.body", "output.data", "taint", "manual"]
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test25.yml
@@ -0,0 +1,13 @@
+name: Issue Forms Body Parser
+
+on: issues
+
+jobs:
+  process:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Issue Forms Body Parser
+        id: parse
+        uses: zentered/issue-forms-body-parser@v2.0.0
+      - run: echo ${{ steps.parse.outputs.data }}
+      - run: echo ${{ toJSON(steps.parse.outputs.data) }}
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/test26.yml
@@ -0,0 +1,29 @@
+name: Issue Forms Body Parser
+
+on:
+  workflow_dispatch:
+    inputs:
+      issue_number:
+        type: string
+        description: issue number
+        required: true
+env:
+  GH_TOKEN: ${{ github.token }}
+
+jobs:
+  process:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fetch the issue
+        id: read_issue_body
+        run:
+          echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT
+
+      - name: Issue Forms Body Parser
+        id: parse
+        uses: zentered/issue-forms-body-parser@v2.0.0
+        with:
+          body: ${{ steps.read_issue_body.outputs.body }}
+
+      - run: echo ${{ steps.parse.outputs.data }}
+      - run: echo ${{ toJSON(steps.parse.outputs.data) }}
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -199,6 +199,13 @@ edges
 | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance |  |
 | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance |  |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance |  |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance |  |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance |  |
+| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance |  |
+| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance |  |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance |  |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance |  |
+| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance |  |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
@@ -586,6 +593,15 @@ nodes
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse |
 | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse |
+| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
+| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
+| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] |
+| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] |
+| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
+| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
+| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
@@ -764,6 +780,10 @@ subpaths
 | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | .github/workflows/test19.yml:100:14:102:48 | BODY=$(gh api /repos/test/test/issues/${{PR_NUMBER}} --jq ".body")\necho "body=$BODY" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:103:21:103:49 | steps.body.outputs.body | ${{ steps.body.outputs.body}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | ${{ steps.comments.outputs.comments}} | .github/workflows/test19.yml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | ${{ steps.parse.outputs.payload }} | .github/workflows/test24.yml:2:3:2:8 | issues | issues |
+| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
+| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test25.yml:3:5:3:10 | issues | issues |
+| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | ${{ steps.parse.outputs.data }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
+| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | ${{ toJSON(steps.parse.outputs.data) }} | .github/workflows/test26.yml:4:3:4:19 | workflow_dispatch | workflow_dispatch |
 | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:20:20:20:62 | github.event['pull_request']['body'] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} | .github/workflows/test.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | .github/workflows/untrusted_checkout1.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/untrusted_checkout1.yml:15:20:15:58 | steps.artifact.outputs.pr_number | ${{ steps.artifact.outputs.pr_number }} | .github/workflows/untrusted_checkout1.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | Potential code injection in $@, which may be controlled by an external user ($@). | .github/workflows/workflow_run.yml:9:19:9:64 | github.event.workflow_run.display_title | ${{ github.event.workflow_run.display_title }} | .github/workflows/workflow_run.yml:2:3:2:14 | workflow_run | workflow_run |
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected b/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -199,6 +199,13 @@ edges
 | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | .github/workflows/test19.yml:108:21:108:57 | steps.comments.outputs.comments | provenance |  |
 | .github/workflows/test19.yml:105:14:107:56 | COMMENTS=$(gh api /repos/test/test/pulls/${PR_NUMBER}/comments --jq '.[].body')\necho "comments=$COMMENTS" >> "$GITHUB_OUTPUT"\n | .github/workflows/test19.yml:104:9:108:6 | Run Step: comments [comments] | provenance |  |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | provenance |  |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | provenance |  |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | provenance |  |
+| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | provenance |  |
+| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | provenance |  |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | provenance |  |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | provenance |  |
+| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | provenance |  |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | .github/workflows/test.yml:52:20:52:56 | needs.job1.outputs['job_output'] | provenance |  |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | provenance |  |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | .github/workflows/test.yml:25:18:25:48 | steps.step0.outputs.value | provenance |  |
@@ -586,6 +593,15 @@ nodes
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test24.yml:8:9:17:6 | Uses Step: parse | semmle.label | Uses Step: parse |
 | .github/workflows/test24.yml:19:17:19:50 | steps.parse.outputs.payload | semmle.label | steps.parse.outputs.payload |
+| .github/workflows/test25.yml:9:9:12:6 | Uses Step: parse | semmle.label | Uses Step: parse |
+| .github/workflows/test25.yml:12:20:12:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
+| .github/workflows/test25.yml:13:20:13:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
+| .github/workflows/test26.yml:17:9:22:6 | Run Step: read_issue_body [body] | semmle.label | Run Step: read_issue_body [body] |
+| .github/workflows/test26.yml:20:11:20:140 | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT | semmle.label | echo "body=$(gh issue view ${{ inputs.issue_number }} --repo ${{ github.repository }} --json body --jq '.body')" >> $GITHUB_OUTPUT |
+| .github/workflows/test26.yml:22:9:28:6 | Uses Step: parse [data] | semmle.label | Uses Step: parse [data] |
+| .github/workflows/test26.yml:26:18:26:58 | steps.read_issue_body.outputs.body | semmle.label | steps.read_issue_body.outputs.body |
+| .github/workflows/test26.yml:28:20:28:50 | steps.parse.outputs.data | semmle.label | steps.parse.outputs.data |
+| .github/workflows/test26.yml:29:20:29:58 | toJSON(steps.parse.outputs.data) | semmle.label | toJSON(steps.parse.outputs.data) |
 | .github/workflows/test.yml:11:7:13:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
 | .github/workflows/test.yml:11:20:11:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
 | .github/workflows/test.yml:17:9:23:6 | Uses Step: step0 [value] | semmle.label | Uses Step: step0 [value] |
