Clean imports

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -2,7 +2,6 @@ private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
-import codeql.actions.dataflow.FlowSteps
 import codeql.actions.DataFlow
 
 abstract class ArgumentInjectionSink extends DataFlow::Node {

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -1,7 +1,6 @@
 import actions
 private import codeql.actions.TaintTracking
 import codeql.actions.DataFlow
-private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
 import codeql.actions.security.PoisonableSteps
 

ql/lib/codeql/actions/security/CachePoisoningQuery.qll

@@ -1,6 +1,4 @@
 import actions
-import codeql.actions.config.Config
-import codeql.actions.Helper
 
 string defaultBranchTriggerEvent() {
   result =

ql/lib/codeql/actions/security/ControlChecks.qll

@@ -253,6 +253,9 @@ class AssociationActionCheck extends AssociationCheck instanceof UsesStep {
       or
       this.getArgument("exit") = "true"
     )
+    or
+    this.getCallee() = "actions/github-script" and
+    this.getArgument("script").splitAt("\n").matches("%getMembershipForUserInOrg%")
   }
 }
 

ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -3,20 +3,11 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
 private import codeql.actions.security.UntrustedCheckoutQuery
-private import codeql.actions.dataflow.FlowSteps
-import codeql.actions.DataFlow
-import codeql.actions.dataflow.FlowSources
 
 abstract class EnvPathInjectionSink extends DataFlow::Node { }
 
 /**
  * Holds if a Run step declares a PATH environment variable with contents from a local file.
- * e.g.
- *    run: |
- *      cat foo.txt >> $GITHUB_PATH
- *      echo "$(cat foo.txt)" >> $GITHUB_PATH
- *      FOO=$(cat foo.txt)
- *      echo "$FOO" >> $GITHUB_PATH
  */
 class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
   EnvPathInjectionFromFileReadSink() {
@@ -28,11 +19,15 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
       this.asExpr() = run.getScript() and
       step.getAFollowingStep() = run and
       (
+        // echo "$(cat foo.txt)" >> $GITHUB_PATH
+        // FOO=$(cat foo.txt)
+        // echo "$FOO" >> $GITHUB_PATH
         exists(string cmd |
-          run.getScript().getACmdReachingGitHubPathWrite(cmd) and
-          run.getScript().getAFileReadCommand() = cmd
+          run.getScript().getAFileReadCommand() = cmd and
+          run.getScript().getACmdReachingGitHubPathWrite(cmd)
         )
         or
+        // cat foo.txt >> $GITHUB_PATH
         run.getScript().fileToGitHubPath(_)
       )
     )
@@ -91,8 +86,10 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
       run.getInScopeEnvVarExpr(var) = pred.asExpr() and
       succ.asExpr() = run.getScript() and
       (
-        run.getScript().getAnEnvReachingGitHubOutputWrite(var, _) or
-        run.getScript().getAnEnvReachingGitHubEnvWrite(var, _) or
+        run.getScript().getAnEnvReachingGitHubEnvWrite(var, _)
+        or
+        run.getScript().getAnEnvReachingGitHubOutputWrite(var, _)
+        or
         run.getScript().getAnEnvReachingGitHubPathWrite(var)
       )
     )

ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -3,9 +3,6 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
 private import codeql.actions.security.UntrustedCheckoutQuery
-private import codeql.actions.dataflow.FlowSteps
-import codeql.actions.DataFlow
-import codeql.actions.dataflow.FlowSources
 
 abstract class EnvVarInjectionSink extends DataFlow::Node { }
 

ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -3,9 +3,6 @@ private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
 private import codeql.actions.security.UntrustedCheckoutQuery
-private import codeql.actions.dataflow.FlowSteps
-import codeql.actions.DataFlow
-import codeql.actions.dataflow.FlowSources
 
 abstract class OutputClobberingSink extends DataFlow::Node { }
 

ql/lib/codeql/actions/security/PoisonableSteps.qll

@@ -1,5 +1,4 @@
 import actions
-import codeql.actions.config.Config
 
 abstract class PoisonableStep extends Step { }
 

ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -2,7 +2,6 @@ private import actions
 private import codeql.actions.TaintTracking
 private import codeql.actions.dataflow.ExternalFlow
 import codeql.actions.dataflow.FlowSources
-private import codeql.actions.security.ArtifactPoisoningQuery
 import codeql.actions.DataFlow
 
 private class SecretExfiltrationSink extends DataFlow::Node {

ql/lib/codeql/actions/security/SelfHostedQuery.qll

@@ -1,5 +1,4 @@
 import actions
-import codeql.actions.config.Config
 
 bindingset[runner]
 predicate isGithubHostedRunner(string runner) {