Actions: mass enable diff-informed data flow
asgerf committed Dec 20, 2024
1 parent 772b972 commit 12bf31e
Showing 16 changed files with 42 additions and 0 deletions.
Expand Up @@ -88,6 +88,8 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
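Review bot: Returning `any()` from `observeDiffInformedIncrementalMode` on ArgumentInjectionConfig is a soundness claim — that every query consuming this flow reports the flow's own source and sink locations in its `select` — and the hunk does not show that select clause, so the claim cannot be checked here. If a consumer reports some other location (for example the enclosing step or job), a diff-informed run silently drops alerts whose source and sink both fall outside the diff range, which for an injection query is a missed finding rather than a false positive. The precondition deserves a comment next to the predicate, e.g. `// Diff-informed pruning is sound only while every query using this flow selects the flow's own source and sink nodes; revisit if a query reports a different location.` The ArgumentInjectionConfig module begins above the hunk.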
Expand Up @@ -316,6 +316,8 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe artifacts that is used in an insecure way. */
2 changes: 2 additions & 0 deletions actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
Expand Up @@ -35,6 +35,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
Expand Up @@ -16,6 +16,8 @@ private module CommandInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof CommandInjectionSink }

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
Expand Up @@ -108,6 +108,8 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used to construct and evaluate the PATH environment variable. */
Expand Up @@ -163,6 +163,8 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
Expand Up @@ -214,6 +214,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
)
)
}

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
Expand Up @@ -16,6 +16,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
Expand Up @@ -15,6 +15,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }

predicate observeDiffInformedIncrementalMode() { any() }
}

/** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
12 changes: 12 additions & 0 deletions actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
Expand Up @@ -70,6 +70,12 @@ private module ActionsMutableRefCheckoutConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:238: Flow call outside 'select' clause
none()
}
}

module ActionsMutableRefCheckoutFlow = TaintTracking::Global<ActionsMutableRefCheckoutConfig>;
Expand Down Expand Up @@ -121,6 +127,12 @@ private module ActionsSHACheckoutConfig implements DataFlow::ConfigSig {
exists(run.getScript().getAFileReadCommand())
)
}

predicate observeDiffInformedIncrementalMode() {
// TODO(diff-informed): Manually verify if config can be diff-informed.
// actions/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll:273: Flow call outside 'select' clause
none()
}
}

module ActionsSHACheckoutFlow = TaintTracking::Global<ActionsSHACheckoutConfig>;
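Review bot: The TODO comments in both ActionsMutableRefCheckoutConfig and ActionsSHACheckoutConfig locate the offending flow calls by absolute line number (`UntrustedCheckoutQuery.qll:238` and `:273`), and those numbers are already stale once this commit inserts six lines above each of them. Naming the predicate that consumes the flow outside a `select` would stay accurate across edits, e.g. `// TODO(diff-informed): flow is consumed outside a select clause further down this file; verify before enabling.` Keeping `none()` is the right conservative default, since a wrongly enabled `any()` drops results rather than adding noise. Both config modules start above their hunks and the flow calls the comments refer to are outside the view.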
2 changes: 2 additions & 0 deletions actions/ql/src/Models/CompositeActionsSinks.ql
Expand Up @@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module MyFlow = TaintTracking::Global<MyConfig>;
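Review bot: This query sits under `Models/` and its `isSink` excludes sinks already covered by `madSink(sink, "code-injection")`, which suggests its output feeds a models-as-data file rather than an alert list; if that is the case, enabling diff-informed mode means the set of generated sink models depends on which diff range the run was given, and a PR-scoped run will omit models whose flow does not touch the diff. That may be the intended behaviour for incremental analysis, but it is a property consumers of the generated models need to know, so I would state it beside the predicate: `// Diff-informed: only flows touching the diff range are reported, so full model regeneration must run without a diff range.` The select clause that decides whether the pruning is sound is outside the hunk.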
2 changes: 2 additions & 0 deletions actions/ql/src/Models/CompositeActionsSources.ql
Expand Up @@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
isSink(node) and
set instanceof DataFlow::FieldContent
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module MyFlow = TaintTracking::Global<MyConfig>;
2 changes: 2 additions & 0 deletions actions/ql/src/Models/CompositeActionsSummaries.ql
Expand Up @@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module MyFlow = TaintTracking::Global<MyConfig>;
2 changes: 2 additions & 0 deletions actions/ql/src/Models/ReusableWorkflowsSinks.ql
Expand Up @@ -24,6 +24,8 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module MyFlow = TaintTracking::Global<MyConfig>;
2 changes: 2 additions & 0 deletions actions/ql/src/Models/ReusableWorkflowsSources.ql
Expand Up @@ -34,6 +34,8 @@ private module MyConfig implements DataFlow::ConfigSig {
isSink(node) and
set instanceof DataFlow::FieldContent
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module MyFlow = TaintTracking::Global<MyConfig>;
2 changes: 2 additions & 0 deletions actions/ql/src/Models/ReusableWorkflowsSummaries.ql
Expand Up @@ -25,6 +25,8 @@ private module MyConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node sink) {
exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
}

predicate observeDiffInformedIncrementalMode() { any() }
}

module MyFlow = TaintTracking::Global<MyConfig>;
