Merge pull request #64 from github/query/path_traversal

query/path traversal

Author: Alvaro Muñoz

ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql

@@ -13,26 +13,37 @@
 
 import actions
 
+abstract class KnownVulnerableAction extends UsesStep {
+  abstract string getFixedVersion();
+}
+
+class ActionsDownloadArtifact extends KnownVulnerableAction {
+  ActionsDownloadArtifact() {
+    this.getCallee() = "actions/download-artifact" and
+    (
+      this.getVersion() =
+        [
+          "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
+          "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
+          "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
+        ]
+      or
+      this.getVersion()
+          .matches([
+                "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
+                "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
+                "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
+                "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
+                "18f0f591", "18f0f591",
+              ] + "%")
+    )
+  }
+
+  override string getFixedVersion() { result = "4.1.7" }
+}
+
 //  gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate
-from UsesStep step
-where
-  step.getCallee() = "actions/download-artifact" and
-  (
-    step.getVersion() =
-      [
-        "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
-        "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
-        "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
-      ]
-    or
-    step.getVersion()
-        .matches([
-              "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
-              "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
-              "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
-              "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
-              "18f0f591", "18f0f591",
-            ] + "%")
-  )
-select step, "The workflow is using a known vulnerable version ($@) of the $@ action.", step,
-  step.getVersion(), step, step.getCallee()
+from KnownVulnerableAction step
+select step,
+  "The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@", step,
+  step.getVersion(), step, step.getCallee(), step, step.getFixedVersion()

ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -0,0 +1,56 @@
+/**
+ * @name Artifact Poisoning (Path Traversal).
+ * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @security-severity 9
+ * @id actions/artifact-poisoning/path-traversal
+ * @tags actions
+ *       security
+ *       experimental
+ *       external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.PoisonableSteps
+
+from UsesStep download
+where
+  download.getCallee() = "actions/download-artifact" and
+  download.getCallee() = "actions/download-artifact" and
+  (
+    download.getVersion() =
+      [
+        "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
+        "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
+        "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
+      ]
+    or
+    download
+        .getVersion()
+        .matches([
+              "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
+              "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
+              "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
+              "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
+              "18f0f591", "18f0f591",
+            ] + "%")
+  ) and
+  (
+    // exists a poisonable upload artifact in the same workflow
+    exists(UsesStep checkout, PoisonableStep poison, UsesStep upload |
+      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and
+      download.getEnclosingJob().isPrivilegedExternallyTriggerable() and
+      checkout.getCallee() = "actions/checkout" and
+      checkout.getAFollowingStep() = poison and
+      poison.getAFollowingStep() = upload and
+      upload.getCallee() = "actions/upload-artifact"
+    )
+    or
+    // upload artifact is not used in the same workflow
+    not exists(UsesStep upload |
+      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload
+    )
+  )
+select download, "Potential artifact poisoning"

ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected

@@ -1,9 +1,9 @@
-| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact |
-| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 4.1.7 |
+| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. Update it to $@ | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 4.1.7 |

ql/test/query-tests/Security/CWE-829/.github/workflows/artifactpoisoning81.yml

@@ -25,7 +25,7 @@ jobs:
     permissions:                       
       contents: write
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v3
         with:
           name: results
       - run: python test.py

ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.expected

@@ -0,0 +1 @@
+| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | Potential artifact poisoning |

ql/test/query-tests/Security/CWE-829/ArtifactPoisoningPathTraversal.qlref

@@ -0,0 +1,2 @@
+Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+