Account for tar -C option to specify path

Alvaro Muñoz · Alvaro Muñoz · commit ae6309daf624 · 2024-10-23T22:02:58.000+02:00
diff --git a/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -4,9 +4,9 @@ import codeql.actions.DataFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 
-string unzipRegexp() { result = ".*(unzip|tar)\\s+.*" }
+string unzipRegexp() { result = "(unzip|tar)\\s+.*" }
 
-string unzipDirArgRegexp() { result = "-d\\s+([^ ]+).*" }
+string unzipDirArgRegexp() { result = "(-d|-C)\\s+([^ ]+).*" }
 
 abstract class UntrustedArtifactDownloadStep extends Step {
   abstract string getPath();
@@ -166,7 +166,7 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
                 .(Run)
                 .getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
     else
       if this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp())
       then result = "GITHUB_WORKSPACE/"
@@ -197,13 +197,13 @@ class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
       result =
         normalizePath(trimQuotes(this.getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
                 .getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
     else
       if
         this.getAFollowingStep().(Run).getScript().getACommand().regexpMatch(unzipRegexp()) or
@@ -243,13 +243,13 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
       result =
         normalizePath(trimQuotes(this.getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
                 .getScript()
                 .getACommand()
-                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
+                .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 3)))
     else result = "GITHUB_WORKSPACE/"
   }
 }
diff --git a/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml b/ql/test/query-tests/Security/CWE-829/.github/workflows/test25.yml
@@ -0,0 +1,42 @@
+on:
+  workflow_run:
+    workflows: [ "build" ]
+    types: [ completed ]
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  publish-build-scans:
+    name: Build scan publish
+    if: github.repository == 'test/test' && github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion != 'cancelled'
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout target branch which has trusted code
+      - name: Check out target branch
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          ref: ${{ github.ref }}
+      - name: Download build scan
+        id: downloadBuildScan
+        uses: actions/download-artifact@v4
+        with:
+          name: build-scan
+          github-token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+        # Don't fail a build if the file doesn't exist
+        continue-on-error: true
+      - name: Extract previously uploaded build scan content
+        if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+        run: tar -xzf build-scan.tgz -C ~
+      - name: Publish
+        if: ${{ steps.downloadBuildScan.outcome != 'failure'}}
+        # Don't fail a build if publishing fails
+        continue-on-error: true
+        run: |
+          ./gradlew buildScanPublishPrevious
+        env:
+          ACCESS_KEY: ${{ secrets.TEST_ACCESS_KEY }}
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected
@@ -15,6 +15,7 @@ edges
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config |
 | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config |
 nodes
 | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
@@ -47,6 +48,8 @@ nodes
 | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan |
+| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n |
 subpaths
 #select
 | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build |
@@ -65,3 +68,4 @@ subpaths
 | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot |
 | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
 | .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step |
+| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user. | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n |
diff --git a/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected b/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningMedium.expected
@@ -15,6 +15,7 @@ edges
 | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | provenance | Config |
 | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | provenance | Config |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | provenance | Config |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | provenance | Config |
 nodes
 | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | semmle.label | Uses Step |
@@ -47,5 +48,7 @@ nodes
 | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | semmle.label | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n |
 | .github/workflows/test18.yml:12:15:33:12 | Uses Step | semmle.label | Uses Step |
 | .github/workflows/test18.yml:36:15:40:58 | Uses Step | semmle.label | Uses Step |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | semmle.label | Uses Step: downloadBuildScan |
+| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n |
 subpaths
 #select
diff --git a/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected b/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected
@@ -276,6 +276,9 @@ edges
 | .github/workflows/test23.yml:38:9:43:6 | Uses Step | .github/workflows/test23.yml:43:9:46:16 | Run Step |
 | .github/workflows/test24.yml:7:9:10:6 | Uses Step | .github/workflows/test24.yml:10:9:16:6 | Run Step |
 | .github/workflows/test24.yml:10:9:16:6 | Run Step | .github/workflows/test24.yml:16:9:20:57 | Run Step |
+| .github/workflows/test25.yml:17:9:22:6 | Uses Step | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:32:9:35:6 | Run Step |
+| .github/workflows/test25.yml:32:9:35:6 | Run Step | .github/workflows/test25.yml:35:9:42:53 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
 | .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
