Merge pull request #57 from github/workflow_run_branches

workflow run branches

Author: Alvaro Muñoz

ql/lib/codeql/actions/Helper.qll

@@ -1,5 +1,6 @@
 private import codeql.actions.Ast
 private import codeql.Locations
+import codeql.actions.config.Config
 private import codeql.actions.security.ControlChecks
 
 bindingset[expr]
@@ -264,3 +265,10 @@ predicate outputsPartialFileContent(string snippet) {
             ".*"
         ])
 }
+
+string defaultBranchNames() {
+  repositoryDataModel(_, result)
+  or
+  not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
+  result = ["main", "master"]
+}

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -710,7 +710,18 @@ class EventImpl extends AstNodeImpl, TEventNode {
   /** Holds if the event can be triggered by an external actor. */
   predicate isExternallyTriggerable() {
     // the job is triggered by an event that can be triggered externally
-    externallyTriggerableEventsDataModel(this.getName())
+    // except for workflow_run which requires additional checks
+    externallyTriggerableEventsDataModel(this.getName()) and
+    not this.getName() = "workflow_run"
+    or
+    this.getName() = "workflow_run" and
+    // workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch
+    // since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow
+    // but in that case, the triggering workflow will run in the context of the PR head branch
+    (
+      not exists(this.getAPropertyValue("branches")) or
+      this.getAPropertyValue("branches").matches("%*%")
+    )
     or
     // the event is `workflow_call` and there is a caller workflow that can be triggered externally
     this.getName() = "workflow_call" and

ql/lib/codeql/actions/security/CachePoisoningQuery.qll

@@ -1,5 +1,6 @@
 import actions
 import codeql.actions.config.Config
+import codeql.actions.Helper
 
 string defaultBranchTriggerEvent() {
   result =
@@ -11,16 +12,6 @@ string defaultBranchTriggerEvent() {
     ]
 }
 
-string defaultBranchNames() {
-  exists(string default_branch_name |
-    repositoryDataModel(_, default_branch_name) and
-    result = default_branch_name
-  )
-  or
-  not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
-  result = ["main", "master"]
-}
-
 predicate runsOnDefaultBranch(Event e) {
   (
     e.getName() = defaultBranchTriggerEvent() and

ql/lib/ext/manual/appleboy_ssh-action.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSinkModel
+    data:
+      - ["appleboy/ssh-action", "*", "input.script", "code-injection", "manual"]
+      - ["appleboy/ssh-action", "*", "input.envs", "envvar-injection", "manual"]
+

ql/lib/qlpack.yml

@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.15
+version: 0.1.16
 dependencies:
   codeql/util: ^1.0.1
   codeql/yaml: ^1.0.1

ql/src/qlpack.yml

@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.15
+version: 0.1.16
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml

@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    branches: ["main"]
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml

@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    branches: "main"
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml

@@ -0,0 +1,12 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml

@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    branches: ["feat/**"]
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}