Change queries to use the new bash parser

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -28,13 +28,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
     )
     or
     exists(
-      Run run, string line, string argument, string regexp, int argument_group, int command_group
+      Run run, string cmd, string argument, string regexp, int argument_group, int command_group
     |
-      run.getScript().splitAt("\n") = line and
+      run.getACommand() = cmd and
       run.getScriptScalar() = this.asExpr() and
       argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-      argument = line.regexpCapture(regexp, argument_group) and
-      command = line.regexpCapture(regexp, command_group) and
+      argument = cmd.regexpCapture(regexp, argument_group) and
+      command = cmd.regexpCapture(regexp, command_group) and
       argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
     )
   }
@@ -60,12 +60,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
     source instanceof RemoteFlowSource
     or
     exists(
-      Run run, string argument, string line, string regexp, int command_group, int argument_group
+      Run run, string argument, string cmd, string regexp, int command_group, int argument_group
     |
       run.getScriptScalar() = source.asExpr() and
-      run.getScript().splitAt("\n") = line and
+      run.getACommand() = cmd and
       argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-      argument = line.regexpCapture(regexp, argument_group) and
+      argument = cmd.regexpCapture(regexp, argument_group) and
       argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
     )
   }

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -155,71 +155,54 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
   }
 
   override string getPath() {
-    if
-      this.getAFollowingStep()
-          .(Run)
-          .getScript()
-          .splitAt("\n")
-          .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+    if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
-                .getScript()
-                .splitAt("\n")
+                .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
     else
-      if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+      if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
       then result = "GITHUB_WORKSPACE/"
       else none()
   }
 }
 
 class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
-  string script;
-
   GHRunArtifactDownloadStep() {
     // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-    this.getScript() = script and
-    script.splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") and
-    script.splitAt("\n").matches("%github.event.workflow_run.id%") and
+    this.getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and
+    this.getACommand().matches("%github.event.workflow_run.id%") and
     (
-      script.splitAt("\n").regexpMatch(unzipRegexp()) or
-      this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+      this.getACommand().regexpMatch(unzipRegexp()) or
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
     )
   }
 
   override string getPath() {
     if
-      this.getAFollowingStep()
-          .(Run)
-          .getScript()
-          .splitAt("\n")
-          .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
-      script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+      this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
       result =
-        normalizePath(trimQuotes(script
-                .splitAt("\n")
+        normalizePath(trimQuotes(this.getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
-                .getScript()
-                .splitAt("\n")
+                .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
     else
       if
-        this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or
-        script.splitAt("\n").regexpMatch(unzipRegexp())
+        this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) or
+        this.getACommand().regexpMatch(unzipRegexp())
       then result = "GITHUB_WORKSPACE/"
       else none()
   }
 }
 
 class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
-  string script;
-
   DirectArtifactDownloadStep() {
     // eg:
     // run: |
@@ -230,32 +213,25 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
     //     gh api $url > "$name.zip"
     //     unzip -d "$name" "$name.zip"
     //   done
-    this.getScript() = script and
-    script.splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") and
+    this.getACommand().matches("%github.event.workflow_run.artifacts_url%") and
     (
-      script.splitAt("\n").regexpMatch(unzipRegexp()) or
-      this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+      this.getACommand().regexpMatch(unzipRegexp()) or
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
     )
   }
 
   override string getPath() {
     if
-      script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
-      this.getAFollowingStep()
-          .(Run)
-          .getScript()
-          .splitAt("\n")
-          .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+      this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
       result =
-        normalizePath(trimQuotes(script
-                .splitAt("\n")
+        normalizePath(trimQuotes(this.getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
-                .getScript()
-                .splitAt("\n")
+                .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
     else result = "GITHUB_WORKSPACE/"
   }

ql/lib/codeql/actions/security/ControlChecks.qll

@@ -255,10 +255,13 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
 
 class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run {
   BashCommentVsHeadDateCheck() {
-    exists(string line |
-      line = this.getScript().splitAt("\n") and
-      line.toLowerCase()
-          .regexpMatch(".*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*")
+    // eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+    exists(string cmd1, string cmd2 |
+      cmd1 = this.getACommand() and
+      cmd2 = this.getACommand() and
+      not cmd1 = cmd2 and
+      cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and
+      cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*")
     )
   }
 }

ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -37,11 +37,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
             // e.g.
             // FOO=$(cat test-results/sha-number)
             // echo "FOO=$FOO" >> $GITHUB_PATH
-            exists(string line, string var_name, string var_value |
-              run.getScript().splitAt("\n") = line
-            |
-              var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
-              var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
+            exists(string var_name, string var_value |
+              run.getAnAssignment(var_name, var_value) and
               outputsPartialFileContent(var_value) and
               (
                 value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")

ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -42,11 +42,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
             // e.g.
             // FOO=$(cat test-results/sha-number)
             // echo "FOO=$FOO" >> $GITHUB_ENV
-            exists(string line, string var_name, string var_value |
-              run.getScript().splitAt("\n") = line
-            |
-              var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
-              var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
+            exists(string var_name, string var_value |
+              run.getAnAssignment(var_name, var_value) and
               outputsPartialFileContent(var_value) and
               (
                 value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")

ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -56,11 +56,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
             // e.g.
             // FOO=$(cat test-results/sha-number)
             // echo "FOO=$FOO" >> $GITHUB_OUTPUT
-            exists(string line, string var_name, string var_value |
-              run.getScript().splitAt("\n") = line
-            |
-              var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
-              var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
+            exists(string var_name, string var_value |
+              run.getAnAssignment(var_name, var_value) and
               outputsPartialFileContent(var_value) and
               (
                 value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")
@@ -154,11 +151,11 @@ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink {
         // A file is read and its content is printed to stdout
         // - run: echo "foo=$(<pr-id.txt)"
         clobbering_line.regexpMatch(".*echo\\s+(-e)?\\s*(\"|')?") and
-        clobbering_line.regexpMatch(partialFileContentRegexp() + ".*")
+        clobbering_line.regexpMatch(["ls", Bash::partialFileContentCommand()] + "\\s.*")
         or
         // A file content is printed to stdout
         // - run: cat pr-id.txt
-        clobbering_line.regexpMatch(partialFileContentRegexp() + ".*")
+        clobbering_line.regexpMatch(["ls", Bash::partialFileContentCommand()] + "\\s.*")
       )
     )
   }

ql/lib/codeql/actions/security/PoisonableSteps.qll

@@ -18,7 +18,7 @@ class PoisonableCommandStep extends PoisonableStep, Run {
   PoisonableCommandStep() {
     exists(string regexp |
       poisonableCommandsDataModel(regexp) and
-      exists(this.getScript().splitAt("\n").trim().regexpFind(regexp, _, _))
+      exists(this.getACommand().regexpFind(regexp, _, _))
     )
   }
 }
@@ -39,11 +39,9 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run {
   string path;
 
   LocalScriptExecutionRunStep() {
-    exists(string line, string regexp, int path_group |
-      line = this.getScript().splitAt("\n").trim()
-    |
+    exists(string cmd, string regexp, int path_group | cmd = this.getACommand() |
       poisonableLocalScriptsDataModel(regexp, path_group) and
-      path = line.regexpCapture(regexp, path_group)
+      path = cmd.regexpCapture(regexp, path_group)
     )
   }
 

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -265,19 +265,18 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
 class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GitMutableRefCheckout() {
-    exists(string line |
-      this.getScript().splitAt("\n") = line and
-      line.regexpMatch(".*git\\s+(fetch|pull).*") and
+    exists(string cmd | this.getACommand() = cmd |
+      cmd.regexpMatch("git\\s+(fetch|pull).*") and
       (
-        (containsHeadRef(line) or containsPullRequestNumber(line))
+        (containsHeadRef(cmd) or containsPullRequestNumber(cmd))
         or
         exists(string varname, string expr |
           expr = this.getInScopeEnvVarExpr(varname).getExpression() and
           (
             containsHeadRef(expr) or
             containsPullRequestNumber(expr)
           ) and
-          exists(line.regexpFind(varname, _, _))
+          exists(cmd.regexpFind(varname, _, _))
         )
       )
     )
@@ -289,16 +288,15 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
 class GitSHACheckout extends SHACheckoutStep instanceof Run {
   GitSHACheckout() {
-    exists(string line |
-      this.getScript().splitAt("\n") = line and
-      line.regexpMatch(".*git\\s+(fetch|pull).*") and
+    exists(string cmd | this.getACommand() = cmd |
+      cmd.regexpMatch("git\\s+(fetch|pull).*") and
       (
-        containsHeadSHA(line)
+        containsHeadSHA(cmd)
         or
         exists(string varname, string expr |
           expr = this.getInScopeEnvVarExpr(varname).getExpression() and
           containsHeadSHA(expr) and
-          exists(line.regexpFind(varname, _, _))
+          exists(cmd.regexpFind(varname, _, _))
         )
       )
     )
@@ -310,18 +308,17 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run {
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
 class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
   GhMutableRefCheckout() {
-    exists(string line |
-      this.getScript().splitAt("\n") = line and
-      line.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
+    exists(string cmd | this.getACommand() = cmd |
+      cmd.regexpMatch(".*(gh|hub)\\s+pr\\s+checkout.*") and
       (
-        (containsHeadRef(line) or containsPullRequestNumber(line))
+        (containsHeadRef(cmd) or containsPullRequestNumber(cmd))
         or
         exists(string varname |
           (
             containsHeadRef(this.getInScopeEnvVarExpr(varname).getExpression()) or
             containsPullRequestNumber(this.getInScopeEnvVarExpr(varname).getExpression())
           ) and
-          exists(line.regexpFind(varname, _, _))
+          exists(cmd.regexpFind(varname, _, _))
         )
       )
     )
@@ -333,15 +330,14 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
 class GhSHACheckout extends SHACheckoutStep instanceof Run {
   GhSHACheckout() {
-    exists(string line |
-      this.getScript().splitAt("\n") = line and
-      line.regexpMatch(".*gh\\s+pr\\s+checkout.*") and
+    exists(string cmd | this.getACommand() = cmd |
+      cmd.regexpMatch("gh\\s+pr\\s+checkout.*") and
       (
-        containsHeadSHA(line)
+        containsHeadSHA(cmd)
         or
         exists(string varname |
           containsHeadSHA(this.getInScopeEnvVarExpr(varname).getExpression()) and
-          exists(line.regexpFind(varname, _, _))
+          exists(cmd.regexpFind(varname, _, _))
         )
       )
     )