Improve artifact poisoning query

Better check of download path
Add downloading to /tmp as a sanitizer

Author: Alvaro Muñoz

ql/lib/codeql/actions/dataflow/FlowSources.qll

@@ -107,7 +107,7 @@ class MaDSource extends RemoteFlowSource {
 /**
  * A downloaded artifact.
  */
-private class ArtifactSource extends RemoteFlowSource {
+class ArtifactSource extends RemoteFlowSource {
   ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep }
 
   override string getSourceType() { result = "artifact" }

ql/lib/codeql/actions/dataflow/FlowSteps.qll

@@ -263,12 +263,11 @@ predicate artifactDownloadToRunStep(DataFlow::Node pred, DataFlow::Node succ) {
 
 //
 /**
- * A download artifact step followed by a envvar-injection uses step .
+ * A download artifact step followed by a uses step .
  */
 predicate artifactDownloadToUsesStep(DataFlow::Node pred, DataFlow::Node succ) {
   exists(Step artifact, Uses uses |
     controlledCWD(artifact) and
-    madSink(succ, "envvar-injection") and
     pred.asExpr() = artifact and
     succ.asExpr() = uses and
     artifact.getAFollowingStep() = uses

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -7,10 +7,7 @@ import codeql.actions.security.PoisonableSteps
 
 string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" }
 
-string unzipDirArgRegexp() {
-  result = "-d\\s+\"([^ ]+)\".*" or
-  result = "-d\\s+'([^ ]+)'.*"
-}
+string unzipDirArgRegexp() { result = "-d\\s+([^ ]+).*" }
 
 abstract class UntrustedArtifactDownloadStep extends Step {
   abstract string getPath();
@@ -164,11 +161,11 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
           .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
       result =
-        this.getAFollowingStep()
-            .(Run)
-            .getScript()
-            .splitAt("\n")
-            .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)
+        trimQuotes(this.getAFollowingStep()
+              .(Run)
+              .getScript()
+              .splitAt("\n")
+              .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))
     else
       if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
       then result = ""
@@ -199,13 +196,14 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
           .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
       script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
-      result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or
       result =
-        this.getAFollowingStep()
-            .(Run)
-            .getScript()
-            .splitAt("\n")
-            .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)
+        trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or
+      result =
+        trimQuotes(this.getAFollowingStep()
+              .(Run)
+              .getScript()
+              .splitAt("\n")
+              .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))
     else
       if
         this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or
@@ -245,45 +243,55 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
           .splitAt("\n")
           .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
-      result = script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2) or
       result =
-        this.getAFollowingStep()
-            .(Run)
-            .getScript()
-            .splitAt("\n")
-            .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)
+        trimQuotes(script.splitAt("\n").regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)) or
+      result =
+        trimQuotes(this.getAFollowingStep()
+              .(Run)
+              .getScript()
+              .splitAt("\n")
+              .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))
     else result = ""
   }
 }
 
 class ArtifactPoisoningSink extends DataFlow::Node {
+  UntrustedArtifactDownloadStep download;
+  PoisonableStep poisonable;
+
   ArtifactPoisoningSink() {
-    exists(UntrustedArtifactDownloadStep download, PoisonableStep poisonable |
-      download.getAFollowingStep() = poisonable and
-      (
-        poisonable.(Run).getScriptScalar() = this.asExpr()
-        or
-        poisonable.(UsesStep) = this.asExpr()
-      ) and
+    download.getAFollowingStep() = poisonable and
+    // excluding artifacts downloaded to /tmp
+    not download.getPath().regexpMatch("^/tmp.*") and
+    (
+      poisonable.(Run).getScriptScalar() = this.asExpr() and
       (
         // Check if the poisonable step is a local script execution step
         // and the path of the command or script matches the path of the downloaded artifact
-        not poisonable instanceof LocalScriptExecutionRunStep or
+        // Checking the path for non local script execution steps is very difficult
+        not poisonable instanceof LocalScriptExecutionRunStep
+        or
+        // TODO: account for Run's working directory
         poisonable
             .(LocalScriptExecutionRunStep)
             .getCommand()
             .matches(["./", ""] + download.getPath() + "%")
       )
+      or
+      poisonable.(UsesStep) = this.asExpr() and
+      download.getPath() = ""
     )
   }
+
+  string getPath() { result = download.getPath() }
 }
 
 /**
  * A taint-tracking configuration for unsafe artifacts
  * that is used may lead to artifact poisoning
  */
 private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node source) { source instanceof ArtifactSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ArtifactPoisoningSink }
 }

ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact-2/action.yaml

@@ -0,0 +1,32 @@
+name: DownloadArtifacts
+description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        script: |
+          let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+             owner: context.repo.owner,
+             repo: context.repo.repo,
+             run_id: context.payload.workflow_run.id,
+          });
+          let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+            return artifact.name == "artifacts"
+          })[0];
+          let download = await github.rest.actions.downloadArtifact({
+             owner: context.repo.owner,
+             repo: context.repo.repo,
+             artifact_id: matchArtifact.id,
+             archive_format: 'zip',
+          });
+          let fs = require('fs');
+          fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
+    - run: |
+        mkdir -p /tmp/artifacts
+        unzip /tmp/artifacts.zip
+      shell: bash
+    - run: |
+        echo "Downloaded artifacts:"
+        ls -ablh 
+      shell: bash

ql/test/query-tests/Security/CWE-829/.github/actions/download-artifact/action.yaml

@@ -0,0 +1,32 @@
+name: DownloadArtifacts
+description: 'Downloads and unarchives artifacts for a workflow that runs on workflow_run so that it can use its data'
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+      with:
+        script: |
+          let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
+             owner: context.repo.owner,
+             repo: context.repo.repo,
+             run_id: context.payload.workflow_run.id,
+          });
+          let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
+            return artifact.name == "artifacts"
+          })[0];
+          let download = await github.rest.actions.downloadArtifact({
+             owner: context.repo.owner,
+             repo: context.repo.repo,
+             artifact_id: matchArtifact.id,
+             archive_format: 'zip',
+          });
+          let fs = require('fs');
+          fs.writeFileSync(`/tmp/artifacts.zip`, Buffer.from(download.data));
+    - run: |
+        mkdir -p /tmp/artifacts
+        unzip /tmp/artifacts.zip -d /tmp/artifacts
+      shell: bash
+    - run: |
+        echo "Downloaded artifacts:"
+        ls -ablh /tmp/artifacts
+      shell: bash

ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning91.yml

@@ -0,0 +1,29 @@
+name: SnapshotPR
+on:
+  workflow_run:
+    workflows:
+      - ApprovalComment
+    types:
+      - completed
+jobs:
+  snapshot:
+    permissions:
+      id-token: write
+      pull-requests: write
+      statuses: write
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: ./.github/actions/download-artifact
+      - id: metadata
+        run: |
+          pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+          pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+          echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
+          echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ env.PR_COMMIT }}
+      - uses: ./.github/actions/install-deps
+      - run: make snapshot

ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning92.yml

@@ -0,0 +1,29 @@
+name: SnapshotPR
+on:
+  workflow_run:
+    workflows:
+      - ApprovalComment
+    types:
+      - completed
+jobs:
+  snapshot:
+    permissions:
+      id-token: write
+      pull-requests: write
+      statuses: write
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: ./.github/actions/download-artifact-2
+      - id: metadata
+        run: |
+          pr_number="$(head -n 2 /tmp/artifacts/metadata.txt | tail -n 1)"
+          pr_commit="$(tail -n 1 /tmp/artifacts/metadata.txt)"
+          echo PR_COMMIT="$pr_commit" >> "$GITHUB_ENV"
+          echo PR_NUMBER="$pr_number" >> "$GITHUB_ENV"
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          ref: ${{ env.PR_COMMIT }}
+      - uses: ./.github/actions/install-deps
+      - run: make snapshot

ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected

@@ -1,4 +1,7 @@
 edges
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance |  |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance |  |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance |  |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
 | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance |  |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance |  |
@@ -14,7 +17,10 @@ edges
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
 | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance |  |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance |  |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance |  |
 nodes
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
 | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
@@ -45,6 +51,9 @@ nodes
 | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot |
 subpaths
 #select
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
@@ -62,3 +71,5 @@ subpaths
 | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n |
 | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot |

ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected

@@ -1,4 +1,7 @@
 edges
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | provenance |  |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance |  |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance |  |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | provenance |  |
 | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | provenance |  |
 | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | provenance |  |
@@ -14,7 +17,10 @@ edges
 | .github/workflows/artifactpoisoning53.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning53.yml:18:14:23:29 | {\n  echo 'JSON_RESPONSE<<EOF'\n  ls \| grep -E "*.(tar.gz\|zip)$"\n  echo EOF\n} >> "$GITHUB_ENV"\n | provenance |  |
 | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | provenance |  |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance |  |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | provenance |  |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | provenance |  |
 nodes
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | semmle.label | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
 | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
@@ -45,5 +51,8 @@ nodes
 | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | semmle.label | sed -f config foo.md > bar.md\n |
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | semmle.label | python test.py |
+| .github/workflows/artifactpoisoning92.yml:25:9:28:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | semmle.label | make snapshot |
 subpaths
 #select