Skip to content

Commit 6136a98

Browse files
author
Alvaro Muñoz
committed
Add getEvent to RemoteFlowSource for events able to trigger the source
1 parent fe9c908 commit 6136a98

1 file changed

Lines changed: 40 additions & 6 deletions

File tree

ql/lib/codeql/actions/dataflow/FlowSources.qll

Lines changed: 40 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -18,39 +18,47 @@ abstract class RemoteFlowSource extends SourceNode {
1818
/** Gets a string that describes the type of this remote flow source. */
1919
abstract string getSourceType();
2020

21+
/** Gets the event that triggered the source. */
22+
abstract Event getEvent();
23+
2124
override string getThreatModel() { result = "remote" }
2225
}
2326

2427
class GitHubCtxSource extends RemoteFlowSource {
2528
string flag;
29+
Event event;
2630

2731
GitHubCtxSource() {
2832
exists(Expression e, string context, string context_prefix |
2933
this.asExpr() = e and
3034
context = e.getExpression() and
35+
event = e.getEnclosingWorkflow().getATriggerEvent() and
3136
normalizeExpr(context) = "github.head_ref" and
32-
contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(), context_prefix) and
37+
contextTriggerDataModel(event.getName(), context_prefix) and
3338
normalizeExpr(context).matches("%" + context_prefix + "%") and
3439
flag = "branch"
3540
)
3641
}
3742

3843
override string getSourceType() { result = flag }
44+
45+
override Event getEvent() { result = event }
3946
}
4047

4148
class GitHubEventCtxSource extends RemoteFlowSource {
4249
string flag;
4350
string context;
51+
Event event;
4452

4553
GitHubEventCtxSource() {
4654
exists(Expression e, string regexp |
4755
this.asExpr() = e and
4856
context = e.getExpression() and
57+
event = e.getATriggerEvent() and
4958
(
5059
// the context is available for the job trigger events
5160
exists(string context_prefix |
52-
contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(),
53-
context_prefix) and
61+
contextTriggerDataModel(event.getName(), context_prefix) and
5462
normalizeExpr(context).matches("%" + context_prefix + "%")
5563
)
5664
or
@@ -65,12 +73,16 @@ class GitHubEventCtxSource extends RemoteFlowSource {
6573
override string getSourceType() { result = flag }
6674

6775
string getContext() { result = context }
76+
77+
override Event getEvent() { result = event }
6878
}
6979

7080
abstract class CommandSource extends RemoteFlowSource {
7181
abstract string getCommand();
7282

7383
abstract Run getEnclosingRun();
84+
85+
override Event getEvent() { result = this.getEnclosingRun().getATriggerEvent() }
7486
}
7587

7688
class GitCommandSource extends RemoteFlowSource, CommandSource {
@@ -181,18 +193,19 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
181193

182194
class GitHubEventJsonSource extends RemoteFlowSource {
183195
string flag;
196+
Event event;
184197

185198
GitHubEventJsonSource() {
186199
exists(Expression e, string context, string regexp |
187200
this.asExpr() = e and
188201
context = e.getExpression() and
202+
event = e.getEnclosingWorkflow().getATriggerEvent() and
189203
untrustedEventPropertiesDataModel(regexp, _) and
190204
(
191205
// only contexts for the triggering events are considered tainted.
192206
// eg: for `pull_request`, we only consider `github.event.pull_request`
193207
exists(string context_prefix |
194-
contextTriggerDataModel(e.getEnclosingWorkflow().getATriggerEvent().getName(),
195-
context_prefix) and
208+
contextTriggerDataModel(event.getName(), context_prefix) and
196209
normalizeExpr(context).matches("%" + context_prefix + "%")
197210
) and
198211
normalizeExpr(context).regexpMatch("(?i).*" + wrapJsonRegexp(regexp) + ".*")
@@ -206,6 +219,8 @@ class GitHubEventJsonSource extends RemoteFlowSource {
206219
}
207220

208221
override string getSourceType() { result = flag }
222+
223+
override Event getEvent() { result = event }
209224
}
210225

211226
/**
@@ -217,6 +232,8 @@ class MaDSource extends RemoteFlowSource {
217232
MaDSource() { madSource(this, sourceType, _) }
218233

219234
override string getSourceType() { result = sourceType }
235+
236+
override Event getEvent() { result = this.asExpr().getATriggerEvent() }
220237
}
221238

222239
abstract class FileSource extends RemoteFlowSource { }
@@ -228,12 +245,16 @@ class ArtifactSource extends RemoteFlowSource, FileSource {
228245
ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep }
229246

230247
override string getSourceType() { result = "artifact" }
248+
249+
override Event getEvent() { result = this.asExpr().getATriggerEvent() }
231250
}
232251

233252
/**
234253
* A file from an untrusted checkout.
235254
*/
236255
private class CheckoutSource extends RemoteFlowSource, FileSource {
256+
Event event;
257+
237258
CheckoutSource() {
238259
// This should be:
239260
// source instanceof PRHeadCheckoutStep
@@ -245,7 +266,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource {
245266
uses.getCallee() = "actions/checkout" and
246267
exists(uses.getArgument("ref")) and
247268
not uses.getArgument("ref").matches("%base%") and
248-
uses.getATriggerEvent().getName() = checkoutTriggers()
269+
event = uses.getATriggerEvent() and
270+
event.getName() = checkoutTriggers()
249271
)
250272
or
251273
this.asExpr() instanceof GitMutableRefCheckout
@@ -258,6 +280,8 @@ private class CheckoutSource extends RemoteFlowSource, FileSource {
258280
}
259281

260282
override string getSourceType() { result = "artifact" }
283+
284+
override Event getEvent() { result = event }
261285
}
262286

263287
/**
@@ -273,6 +297,8 @@ class DornyPathsFilterSource extends RemoteFlowSource {
273297
}
274298

275299
override string getSourceType() { result = "filename" }
300+
301+
override Event getEvent() { result = this.asExpr().getATriggerEvent() }
276302
}
277303

278304
/**
@@ -294,6 +320,8 @@ class TJActionsChangedFilesSource extends RemoteFlowSource {
294320
}
295321

296322
override string getSourceType() { result = "filename" }
323+
324+
override Event getEvent() { result = this.asExpr().getATriggerEvent() }
297325
}
298326

299327
/**
@@ -315,6 +343,8 @@ class TJActionsVerifyChangedFilesSource extends RemoteFlowSource {
315343
}
316344

317345
override string getSourceType() { result = "filename" }
346+
347+
override Event getEvent() { result = this.asExpr().getATriggerEvent() }
318348
}
319349

320350
class Xt0rtedSlashCommandSource extends RemoteFlowSource {
@@ -327,6 +357,8 @@ class Xt0rtedSlashCommandSource extends RemoteFlowSource {
327357
}
328358

329359
override string getSourceType() { result = "text" }
360+
361+
override Event getEvent() { result = this.asExpr().getATriggerEvent() }
330362
}
331363

332364
class OctokitRequestActionSource extends RemoteFlowSource {
@@ -348,4 +380,6 @@ class OctokitRequestActionSource extends RemoteFlowSource {
348380
}
349381

350382
override string getSourceType() { result = "text" }
383+
384+
override Event getEvent() { result = this.asExpr().getATriggerEvent() }
351385
}

0 commit comments

Comments
 (0)