Merge pull request #98 from github/improve_arginj

improve arginj

Author: Alvaro Muñoz

ql/lib/codeql/actions/Ast.qll

@@ -293,6 +293,10 @@ class Run extends Step instanceof RunImpl {
   Expression getAnScriptExpr() { result = super.getAnScriptExpr() }
 
   string getWorkingDirectory() { result = super.getWorkingDirectory() }
+
+  string getACommand() { result = super.getACommand() }
+
+  predicate getAnAssignment(string name, string value) { super.getAnAssignment(name, value) }
 }
 
 abstract class SimpleReferenceExpression extends AstNode instanceof SimpleReferenceExpressionImpl {

ql/lib/codeql/actions/Helper.qll

@@ -54,7 +54,6 @@ predicate isBashParameterExpansion(string expr, string parameter, string operato
   )
 }
 
-// TODO, the followinr test fails
 bindingset[raw_content]
 predicate extractVariableAndValue(string raw_content, string key, string value) {
   exists(string regexp, string content | content = trimQuotes(raw_content) |
@@ -246,18 +245,14 @@ predicate inNonPrivilegedContext(AstNode node) {
   not node.getEnclosingJob().isPrivilegedExternallyTriggerable(_)
 }
 
-string partialFileContentRegexp() {
-  result = ["cat\\s+", "jq\\s+", "yq\\s+", "tail\\s+", "head\\s+", "ls\\s+"]
-}
-
 bindingset[snippet]
 predicate outputsPartialFileContent(string snippet) {
   // e.g.
   // echo FOO=`yq '.foo' foo.yml` >> $GITHUB_ENV
   // echo "FOO=$(<foo.txt)" >> $GITHUB_ENV
   // yq '.foo' foo.yml >> $GITHUB_PATH
   // cat foo.txt >> $GITHUB_PATH
-  snippet.regexpMatch(["(\\$\\(|`)<.*", ".*(\\b|^|\\s+)" + partialFileContentRegexp() + ".*"])
+  Bash::getACommand(snippet).indexOf(["<", Bash::partialFileContentCommand() + " "]) = 0
 }
 
 string defaultBranchNames() {
@@ -310,3 +305,96 @@ string normalizePath(string path) {
  */
 bindingset[subpath, path]
 predicate isSubpath(string subpath, string path) { subpath.substring(0, path.length()) = path }
+
+module Bash {
+  string stmtSeparator() { result = ";" }
+
+  string commandSeparator() { result = ["&&", "||"] }
+
+  string pipeSeparator() { result = "|" }
+
+  string splitSeparators() {
+    result = stmtSeparator() or result = commandSeparator() or result = pipeSeparator()
+  }
+
+  string redirectionSeparator() { result = [">", ">>", "2>", "2>>", ">&", "2>&", "<", "<<<"] }
+
+  string partialFileContentCommand() { result = ["cat", "jq", "yq", "tail", "head"] }
+
+  bindingset[script]
+  string getACommand(string script) {
+    exists(string stmt_, string stmt, string subline2, string cmd |
+      stmt_ = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n") and
+      stmt =
+        [
+          // $() command substitution
+          stmt_
+              .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", _, _)
+              .regexpReplaceAll("^\\$\\(", "")
+              .regexpReplaceAll("\\)$", ""),
+          // `...` command substitution
+          stmt_
+              .regexpFind("\\`[^\\`]+\\`", _, _)
+              .regexpReplaceAll("^\\`", "")
+              .regexpReplaceAll("\\`$", ""),
+          // original line with no substitutions
+          stmt_
+              .regexpReplaceAll("\\`[^\\`]+\\`", "SUBCOMMAND")
+              .regexpReplaceAll("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", "SUBCOMMAND")
+        ] and
+      // We shoulg replace quoted arguments with a placeholder to avoid splitting them
+      // eg: ls | grep -E "*.(tar.gz|zip)$"
+      //subline2 = subline.regexpReplaceAll("\"([^\"]+)\"", "$0").regexpReplaceAll("'([^']+)'", "$0") and
+      (
+        stmt.regexpMatch(".*\"([^\"]+)\".*") and
+        exists(int i |
+          subline2 =
+            stmt.replaceAll(stmt.regexpFind("\"([^\"]+)\"", _, i),
+              stmt.regexpFind("\"([^\"]+)\"", _, i)
+                  .replaceAll("|", "::PIPE::")
+                  .replaceAll(";", "::SEMICOLON::")
+                  .replaceAll("&&", "::AND::")
+                  .replaceAll("||", "::OR::"))
+        )
+        or
+        stmt.regexpMatch(".*'([^']+)'.*") and
+        exists(int i |
+          subline2 =
+            stmt.replaceAll(stmt.regexpFind("'([^']+)'", _, i),
+              stmt.regexpFind("'([^']+)'", _, i)
+                  .replaceAll("|", "::PIPE::")
+                  .replaceAll(";", "::SEMICOLON::")
+                  .replaceAll("&&", "::AND::")
+                  .replaceAll("||", "::OR::"))
+        )
+        or
+        not stmt.regexpMatch(".*'([^']+)'.*") and
+        not stmt.regexpMatch(".*\"([^\"]+)\".*") and
+        subline2 = stmt
+      ) and
+      cmd = subline2.splitAt(splitSeparators()).trim() and
+      // when splitting the line with a separator that is not found, the result is the original line which may contain other separators
+      // we only one the split parts that do not contain any of the separators
+      not cmd.indexOf(splitSeparators()) > -1 and
+      not cmd =
+        [
+          "", "for", "in", "do", "done", "if", "then", "else", "elif", "fi", "while", "until",
+          "case", "esac", "{", "}"
+        ] and
+      result =
+        cmd.replaceAll("::PIPE::", "|")
+            .replaceAll("::SEMICOLON::", ";")
+            .replaceAll("::AND::", "&&")
+            .replaceAll("::OR::", "||")
+    )
+  }
+
+  bindingset[script]
+  predicate getAnAssignment(string script, string name, string value) {
+    exists(string stmt |
+      stmt = script.regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n").trim() and
+      name = stmt.regexpCapture("^([a-zA-Z0-9\\-_]+)=.*", 1) and
+      value = stmt.regexpCapture("^[a-zA-Z0-9\\-_]+=(.*)", 1)
+    )
+  }
+}

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -722,13 +722,10 @@ class EventImpl extends AstNodeImpl, TEventNode {
     not this.getName() = "workflow_run"
     or
     this.getName() = "workflow_run" and
-    // workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch
-    // since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow
-    // but in that case, the triggering workflow will run in the context of the PR head branch
-    (
-      not exists(this.getAPropertyValue("branches")) or
-      this.getAPropertyValue("branches").matches("%*%")
-    )
+    // workflow_run cannot be externally triggered if the triggering workflow runs in the context of the default branch
+    // An attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow
+    // in that case, the triggering workflow will run in the context of the PR head branch
+    not exists(this.getAPropertyValue("branches"))
     or
     // the event is `workflow_call` and there is a caller workflow that can be triggered externally
     this.getName() = "workflow_call" and
@@ -1322,6 +1319,12 @@ class RunImpl extends StepImpl {
 
   string getScript() { result = script.getValue().regexpReplaceAll("\\\\\\s*\n", "") }
 
+  string getACommand() { result = Bash::getACommand(this.getScript()) }
+
+  predicate getAnAssignment(string name, string value) {
+    Bash::getAnAssignment(this.getScript(), name, value)
+  }
+
   ScalarValueImpl getScriptScalar() { result = TScalarValueNode(script) }
 
   ExpressionImpl getAnScriptExpr() { result.getParentNode().getNode() = script }

ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -28,13 +28,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
     )
     or
     exists(
-      Run run, string line, string argument, string regexp, int argument_group, int command_group
+      Run run, string cmd, string argument, string regexp, int argument_group, int command_group
     |
-      run.getScript().splitAt("\n") = line and
+      run.getACommand() = cmd and
       run.getScriptScalar() = this.asExpr() and
       argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-      argument = line.regexpCapture(regexp, argument_group) and
-      command = line.regexpCapture(regexp, command_group) and
+      argument = cmd.regexpCapture(regexp, argument_group) and
+      command = cmd.regexpCapture(regexp, command_group) and
       argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
     )
   }
@@ -60,12 +60,12 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
     source instanceof RemoteFlowSource
     or
     exists(
-      Run run, string argument, string line, string regexp, int command_group, int argument_group
+      Run run, string argument, string cmd, string regexp, int command_group, int argument_group
     |
       run.getScriptScalar() = source.asExpr() and
-      run.getScript().splitAt("\n") = line and
+      run.getACommand() = cmd and
       argumentInjectionSinksDataModel(regexp, command_group, argument_group) and
-      argument = line.regexpCapture(regexp, argument_group) and
+      argument = cmd.regexpCapture(regexp, argument_group) and
       argument.regexpMatch(".*\\$(\\{)?(GITHUB_HEAD_REF).*")
     )
   }

ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -155,71 +155,54 @@ class ActionsGitHubScriptDownloadStep extends UntrustedArtifactDownloadStep, Use
   }
 
   override string getPath() {
-    if
-      this.getAFollowingStep()
-          .(Run)
-          .getScript()
-          .splitAt("\n")
-          .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+    if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
-                .getScript()
-                .splitAt("\n")
+                .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
     else
-      if this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+      if this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
       then result = "GITHUB_WORKSPACE/"
       else none()
   }
 }
 
 class GHRunArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
-  string script;
-
   GHRunArtifactDownloadStep() {
     // eg: - run: gh run download ${{ github.event.workflow_run.id }} --repo "${GITHUB_REPOSITORY}" --name "artifact_name"
-    this.getScript() = script and
-    script.splitAt("\n").regexpMatch(".*gh\\s+run\\s+download.*") and
-    script.splitAt("\n").matches("%github.event.workflow_run.id%") and
+    this.getACommand().regexpMatch(".*gh\\s+run\\s+download.*") and
+    this.getACommand().matches("%github.event.workflow_run.id%") and
     (
-      script.splitAt("\n").regexpMatch(unzipRegexp()) or
-      this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+      this.getACommand().regexpMatch(unzipRegexp()) or
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
     )
   }
 
   override string getPath() {
     if
-      this.getAFollowingStep()
-          .(Run)
-          .getScript()
-          .splitAt("\n")
-          .regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
-      script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+      this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
       result =
-        normalizePath(trimQuotes(script
-                .splitAt("\n")
+        normalizePath(trimQuotes(this.getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
-                .getScript()
-                .splitAt("\n")
+                .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
     else
       if
-        this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp()) or
-        script.splitAt("\n").regexpMatch(unzipRegexp())
+        this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp()) or
+        this.getACommand().regexpMatch(unzipRegexp())
       then result = "GITHUB_WORKSPACE/"
       else none()
   }
 }
 
 class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
-  string script;
-
   DirectArtifactDownloadStep() {
     // eg:
     // run: |
@@ -230,32 +213,25 @@ class DirectArtifactDownloadStep extends UntrustedArtifactDownloadStep, Run {
     //     gh api $url > "$name.zip"
     //     unzip -d "$name" "$name.zip"
     //   done
-    this.getScript() = script and
-    script.splitAt("\n").matches("%github.event.workflow_run.artifacts_url%") and
+    this.getACommand().matches("%github.event.workflow_run.artifacts_url%") and
     (
-      script.splitAt("\n").regexpMatch(unzipRegexp()) or
-      this.getAFollowingStep().(Run).getScript().splitAt("\n").regexpMatch(unzipRegexp())
+      this.getACommand().regexpMatch(unzipRegexp()) or
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp())
     )
   }
 
   override string getPath() {
     if
-      script.splitAt("\n").regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
-      this.getAFollowingStep()
-          .(Run)
-          .getScript()
-          .splitAt("\n")
-          .regexpMatch(unzipRegexp() + unzipDirArgRegexp())
+      this.getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp()) or
+      this.getAFollowingStep().(Run).getACommand().regexpMatch(unzipRegexp() + unzipDirArgRegexp())
     then
       result =
-        normalizePath(trimQuotes(script
-                .splitAt("\n")
+        normalizePath(trimQuotes(this.getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2))) or
       result =
         normalizePath(trimQuotes(this.getAFollowingStep()
                 .(Run)
-                .getScript()
-                .splitAt("\n")
+                .getACommand()
                 .regexpCapture(unzipRegexp() + unzipDirArgRegexp(), 2)))
     else result = "GITHUB_WORKSPACE/"
   }

ql/lib/codeql/actions/security/ControlChecks.qll

@@ -255,10 +255,13 @@ class PermissionActionCheck extends PermissionCheck instanceof UsesStep {
 
 class BashCommentVsHeadDateCheck extends CommentVsHeadDateCheck, Run {
   BashCommentVsHeadDateCheck() {
-    exists(string line |
-      line = this.getScript().splitAt("\n") and
-      line.toLowerCase()
-          .regexpMatch(".*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*date\\s+-d.*(commit_at|pushed_at|comment_at|commented_at).*")
+    // eg: if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+    exists(string cmd1, string cmd2 |
+      cmd1 = this.getACommand() and
+      cmd2 = this.getACommand() and
+      not cmd1 = cmd2 and
+      cmd1.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*") and
+      cmd2.toLowerCase().regexpMatch("date\\s+-d.*(commit|pushed|comment|commented)_at.*")
     )
   }
 }

ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -37,11 +37,8 @@ class EnvPathInjectionFromFileReadSink extends EnvPathInjectionSink {
             // e.g.
             // FOO=$(cat test-results/sha-number)
             // echo "FOO=$FOO" >> $GITHUB_PATH
-            exists(string line, string var_name, string var_value |
-              run.getScript().splitAt("\n") = line
-            |
-              var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
-              var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
+            exists(string var_name, string var_value |
+              run.getAnAssignment(var_name, var_value) and
               outputsPartialFileContent(var_value) and
               (
                 value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")

ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -42,11 +42,8 @@ class EnvVarInjectionFromFileReadSink extends EnvVarInjectionSink {
             // e.g.
             // FOO=$(cat test-results/sha-number)
             // echo "FOO=$FOO" >> $GITHUB_ENV
-            exists(string line, string var_name, string var_value |
-              run.getScript().splitAt("\n") = line
-            |
-              var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
-              var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
+            exists(string var_name, string var_value |
+              run.getAnAssignment(var_name, var_value) and
               outputsPartialFileContent(var_value) and
               (
                 value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")

ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -56,11 +56,8 @@ class OutputClobberingFromFileReadSink extends OutputClobberingSink {
             // e.g.
             // FOO=$(cat test-results/sha-number)
             // echo "FOO=$FOO" >> $GITHUB_OUTPUT
-            exists(string line, string var_name, string var_value |
-              run.getScript().splitAt("\n") = line
-            |
-              var_name = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 1) and
-              var_value = line.regexpCapture("([a-zA-Z0-9\\-_]+)=(.*)", 2) and
+            exists(string var_name, string var_value |
+              run.getAnAssignment(var_name, var_value) and
               outputsPartialFileContent(var_value) and
               (
                 value.matches("%$" + ["", "{", "ENV{"] + var_name + "%")
@@ -154,11 +151,11 @@ class WorkflowCommandClobberingFromFileReadSink extends OutputClobberingSink {
         // A file is read and its content is printed to stdout
         // - run: echo "foo=$(<pr-id.txt)"
         clobbering_line.regexpMatch(".*echo\\s+(-e)?\\s*(\"|')?") and
-        clobbering_line.regexpMatch(partialFileContentRegexp() + ".*")
+        clobbering_line.regexpMatch(["ls", Bash::partialFileContentCommand()] + "\\s.*")
         or
         // A file content is printed to stdout
         // - run: cat pr-id.txt
-        clobbering_line.regexpMatch(partialFileContentRegexp() + ".*")
+        clobbering_line.regexpMatch(["ls", Bash::partialFileContentCommand()] + "\\s.*")
       )
     )
   }