Better identification of checkout of untrusted code depending on the triggering events

Author: Alvaro Muñoz

ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -90,7 +90,8 @@ class GitCommandSource extends RemoteFlowSource, CommandSource {
           checkout = uses and
           uses.getCallee() = "actions/checkout" and
           exists(uses.getArgument("ref")) and
-          not uses.getArgument("ref").matches("%base%")
+          not uses.getArgument("ref").matches("%base%") and
+          uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()
         )
         or
         checkout instanceof GitMutableRefCheckout
@@ -237,7 +238,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource {
       this.asExpr() = uses and
       uses.getCallee() = "actions/checkout" and
       exists(uses.getArgument("ref")) and
-      not uses.getArgument("ref").matches("%base%")
+      not uses.getArgument("ref").matches("%base%") and
+      uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()
     )
     or
     this.asExpr() instanceof GitMutableRefCheckout

ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -29,7 +29,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
           step = uses and
           uses.getCallee() = "actions/checkout" and
           exists(uses.getArgument("ref")) and
-          not uses.getArgument("ref").matches("%base%")
+          not uses.getArgument("ref").matches("%base%") and
+          uses.getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers()
         )
         or
         step instanceof GitMutableRefCheckout

ql/lib/codeql/actions/security/PoisonableSteps.qll

@@ -17,12 +17,13 @@ class PoisonableCommandStep extends PoisonableStep, Run {
 
 class JavascriptImportUsesStep extends PoisonableStep, UsesStep {
   JavascriptImportUsesStep() {
-    exists(string script, string line, string import_stmt |
+    exists(string script, string line |
       this.getCallee() = "actions/github-script" and
       script = this.getArgument("script") and
       line = script.splitAt("\n").trim() and
-      import_stmt = line.regexpCapture(".*await\\s+import\\((.*)\\).*", 1) and
-      import_stmt.regexpMatch(".*\\bgithub.workspace\\b.*")
+      // const script = require('${{ github.workspace }}/scripts/test.js');
+      // await script({ github, context, core });
+      line.regexpMatch(".*(import|require)\\b.*github.workspace\\b.*")
     )
   }
 }

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -3,49 +3,57 @@ private import codeql.actions.DataFlow
 private import codeql.actions.dataflow.FlowSources
 private import codeql.actions.TaintTracking
 
+string checkoutTriggers() {
+  result = ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"]
+}
+
 /**
  * A taint-tracking configuration for PR HEAD references flowing
  * into actions/checkout's ref argument.
  */
 private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    // remote flow sources
-    source instanceof ArtifactSource
-    or
-    source instanceof GitHubCtxSource
-    or
-    source instanceof GitHubEventCtxSource
-    or
-    source instanceof GitHubEventJsonSource
-    or
-    source instanceof MaDSource
-    or
-    // `ref` argument contains the PR id/number or head ref
-    exists(Expression e |
-      source.asExpr() = e and
-      (
-        containsHeadRef(e.getExpression()) or
-        containsPullRequestNumber(e.getExpression())
+    source.asExpr().getEnclosingJob().getATriggerEvent().getName() = checkoutTriggers() and
+    (
+      // remote flow sources
+      source instanceof ArtifactSource
+      or
+      source instanceof GitHubCtxSource
+      or
+      source instanceof GitHubEventCtxSource
+      or
+      source instanceof GitHubEventJsonSource
+      or
+      source instanceof MaDSource
+      or
+      // `ref` argument contains the PR id/number or head ref
+      exists(Expression e |
+        source.asExpr() = e and
+        (
+          containsHeadRef(e.getExpression()) or
+          containsPullRequestNumber(e.getExpression())
+        )
       )
-    )
-    or
-    // 3rd party actions returning the PR head ref
-    exists(StepsExpression e, UsesStep step |
-      source.asExpr() = e and
-      e.getStepId() = step.getId() and
-      (
-        step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref"
-        or
-        step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref"
-        or
-        step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_ref"
-        or
-        step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_ref"
-        or
-        step.getCallee() = "potiuk/get-workflow-origin" and
-        e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"]
-        or
-        step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"]
+      or
+      // 3rd party actions returning the PR head ref
+      exists(StepsExpression e, UsesStep step |
+        source.asExpr() = e and
+        e.getStepId() = step.getId() and
+        (
+          step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_ref"
+          or
+          step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_ref"
+          or
+          step.getCallee() = "alessbell/pull-request-comment-branch" and
+          e.getFieldName() = "head_ref"
+          or
+          step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_ref"
+          or
+          step.getCallee() = "potiuk/get-workflow-origin" and
+          e.getFieldName() = ["sourceHeadBranch", "pullRequestNumber"]
+          or
+          step.getCallee() = "github/branch-deploy" and e.getFieldName() = ["ref", "fork_ref"]
+        )
       )
     )
   }
@@ -71,27 +79,32 @@ module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCh
 
 private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    // `ref` argument contains the PR head/merge commit sha
-    exists(Expression e |
-      source.asExpr() = e and
-      containsHeadSHA(e.getExpression())
-    )
-    or
-    // 3rd party actions returning the PR head sha
-    exists(StepsExpression e, UsesStep step |
-      source.asExpr() = e and
-      e.getStepId() = step.getId() and
-      (
-        step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_sha"
-        or
-        step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_sha"
-        or
-        step.getCallee() = "alessbell/pull-request-comment-branch" and e.getFieldName() = "head_sha"
-        or
-        step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_sha"
-        or
-        step.getCallee() = "potiuk/get-workflow-origin" and
-        e.getFieldName() = ["sourceHeadSha", "mergeCommitSha"]
+    source.asExpr().getEnclosingJob().getATriggerEvent().getName() =
+      ["pull_request_target", "workflow_run", "workflow_call", "issue_comment"] and
+    (
+      // `ref` argument contains the PR head/merge commit sha
+      exists(Expression e |
+        source.asExpr() = e and
+        containsHeadSHA(e.getExpression())
+      )
+      or
+      // 3rd party actions returning the PR head sha
+      exists(StepsExpression e, UsesStep step |
+        source.asExpr() = e and
+        e.getStepId() = step.getId() and
+        (
+          step.getCallee() = "eficode/resolve-pr-refs" and e.getFieldName() = "head_sha"
+          or
+          step.getCallee() = "xt0rted/pull-request-comment-branch" and e.getFieldName() = "head_sha"
+          or
+          step.getCallee() = "alessbell/pull-request-comment-branch" and
+          e.getFieldName() = "head_sha"
+          or
+          step.getCallee() = "gotson/pull-request-comment-branch" and e.getFieldName() = "head_sha"
+          or
+          step.getCallee() = "potiuk/get-workflow-origin" and
+          e.getFieldName() = ["sourceHeadSha", "mergeCommitSha"]
+        )
       )
     )
   }
@@ -201,44 +214,24 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
         ActionsMutableRefCheckoutFlow::PathNode source, ActionsMutableRefCheckoutFlow::PathNode sink
       |
         ActionsMutableRefCheckoutFlow::flowPath(source, sink) and
-        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and
-        (
-          not source.getNode() instanceof GitHubEventCtxSource
-          or
-          source.getNode() instanceof GitHubEventCtxSource and
-          // the context is available for the job trigger events
-          exists(string context, string context_prefix |
-            contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(),
-              context_prefix) and
-            context = source.getNode().(GitHubEventCtxSource).getContext() and
-            normalizeExpr(context).matches("%" + context_prefix + "%")
-          )
-        )
+        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"])
       )
       or
       // heuristic base on the step id and field name
-      exists(StepsExpression e |
-        this.getArgumentExpr("ref") = e and
-        (
-          e.getStepId().matches("%" + ["head", "branch", "ref"] + "%") or
-          e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%")
-        )
-      )
-      or
-      exists(NeedsExpression e |
-        this.getArgumentExpr("ref") = e and
-        (
-          e.getNeededJobId().matches("%" + ["head", "branch", "ref"] + "%") or
-          e.getFieldName().matches("%" + ["head", "branch", "ref"] + "%")
-        )
-      )
-      or
-      exists(JsonReferenceExpression e |
-        this.getArgumentExpr("ref") = e and
-        (
-          e.getAccessPath().matches("%." + ["head", "branch", "ref"] + "%") or
-          e.getInnerExpression().matches("%." + ["head", "branch", "ref"] + "%")
-        )
+      exists(string value |
+        this.getArgumentExpr("ref")
+            .(SimpleReferenceExpression)
+            .getEnclosingJob()
+            .getATriggerEvent()
+            .getName() = checkoutTriggers() and
+        value.regexpMatch(".*(head|branch|ref).*")
+      |
+        this.getArgumentExpr("ref").(StepsExpression).getStepId() = value or
+        this.getArgumentExpr("ref").(StepsExpression).getFieldName() = value or
+        this.getArgumentExpr("ref").(NeedsExpression).getNeededJobId() = value or
+        this.getArgumentExpr("ref").(NeedsExpression).getFieldName() = value or
+        this.getArgumentExpr("ref").(JsonReferenceExpression).getAccessPath() = value or
+        this.getArgumentExpr("ref").(JsonReferenceExpression).getInnerExpression() = value
       )
     )
   }
@@ -257,44 +250,24 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
     (
       exists(ActionsSHACheckoutFlow::PathNode source, ActionsSHACheckoutFlow::PathNode sink |
         ActionsSHACheckoutFlow::flowPath(source, sink) and
-        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"]) and
-        (
-          not source.getNode() instanceof GitHubEventCtxSource
-          or
-          source.getNode() instanceof GitHubEventCtxSource and
-          // the context is available for the job trigger events
-          exists(string context, string context_prefix |
-            contextTriggerDataModel(this.getEnclosingWorkflow().getATriggerEvent().getName(),
-              context_prefix) and
-            context = source.getNode().(GitHubEventCtxSource).getContext() and
-            normalizeExpr(context).matches("%" + context_prefix + "%")
-          )
-        )
+        sink.getNode().asExpr() = this.getArgumentExpr(["ref", "repository"])
       )
       or
       // heuristic base on the step id and field name
-      exists(StepsExpression e |
-        this.getArgumentExpr("ref") = e and
-        (
-          e.getStepId().matches("%" + ["head", "sha", "commit"] + "%") or
-          e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%")
-        )
-      )
-      or
-      exists(NeedsExpression e |
-        this.getArgumentExpr("ref") = e and
-        (
-          e.getNeededJobId().matches("%" + ["head", "sha", "commit"] + "%") or
-          e.getFieldName().matches("%" + ["head", "sha", "commit"] + "%")
-        )
-      )
-      or
-      exists(JsonReferenceExpression e |
-        this.getArgumentExpr("ref") = e and
-        (
-          e.getAccessPath().matches("%." + ["head", "sha", "commit"] + "%") or
-          e.getInnerExpression().matches("%." + ["head", "sha", "commit"] + "%")
-        )
+      exists(string value |
+        this.getArgumentExpr("ref")
+            .(SimpleReferenceExpression)
+            .getEnclosingJob()
+            .getATriggerEvent()
+            .getName() = checkoutTriggers() and
+        value.regexpMatch(".*(head|sha|commit).*")
+      |
+        this.getArgumentExpr("ref").(StepsExpression).getStepId() = value or
+        this.getArgumentExpr("ref").(StepsExpression).getFieldName() = value or
+        this.getArgumentExpr("ref").(NeedsExpression).getNeededJobId() = value or
+        this.getArgumentExpr("ref").(NeedsExpression).getFieldName() = value or
+        this.getArgumentExpr("ref").(JsonReferenceExpression).getAccessPath() = value or
+        this.getArgumentExpr("ref").(JsonReferenceExpression).getInnerExpression() = value
       )
     )
   }

ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql

@@ -47,6 +47,7 @@ where
   ) and
   // the checkout occurs in a privileged context
   inPrivilegedContext(poisonable, event) and
+  inPrivilegedContext(checkout, event) and
   not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
 select poisonable, checkout, poisonable,

ql/test/query-tests/Security/CWE-829/.github/workflows/test21.yml

@@ -0,0 +1,27 @@
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      publish_docs:
+        description: "pub"
+        default: true
+        type: boolean
+
+jobs:
+  Docs:
+    if: github.repository == 'test/test'
+    runs-on: macos-14
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          repository: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ref: ${{ github.head_ref || github.ref }}
+          fetch-depth: 0
+      - run: |
+          # NOT VULNERABLE
+          python docs/build_docs.py