New poisonable steps

Alvaro Muñoz · Alvaro Muñoz · commit 8231261ccfa8 · 2024-07-09T17:28:04.000+02:00
diff --git a/ql/lib/codeql/actions/security/PoisonableSteps.qll b/ql/lib/codeql/actions/security/PoisonableSteps.qll
@@ -18,7 +18,12 @@ class PoisonableCommandStep extends PoisonableStep, Run {
   PoisonableCommandStep() {
     exists(string regexp |
       poisonableCommandsDataModel(regexp) and
-      exists(this.getScript().splitAt("\n").trim().regexpFind("(^|\\b|\\s+)" + regexp, _, _))
+      exists(
+        this.getScript()
+            .splitAt("\n")
+            .trim()
+            .regexpFind("(^|\\b|\\s+)" + regexp + "(\\s|;|\\||\\)|`|-|&&|[a-zA-Z]|$)", _, _)
+      )
     )
   }
 }
@@ -41,7 +46,6 @@ class LocalScriptExecutionRunStep extends PoisonableStep, Run {
   LocalScriptExecutionRunStep() {
     exists(string line, string regexp, int group | line = this.getScript().splitAt("\n").trim() |
       poisonableLocalScriptsDataModel(regexp, group) and
-      //cmd = line.regexpCapture(".*(^|\\b|\\s+|\\$\\(|`)" + regexp + "(\\b|\\s+|;|\\)|`|$).*", group)
       cmd =
         line.regexpCapture(".*(^|;|\\$\\(|`|\\||&&)\\s*" + regexp + "\\s*(;|\\||\\)|`|-|&&|$).*",
           group)
diff --git a/ql/lib/ext/config/poisonable_steps.yml b/ql/lib/ext/config/poisonable_steps.yml
@@ -2,7 +2,6 @@ extensions:
   - addsTo:
       pack: github/actions-all
       extensible: poisonableActionsDataModel
-    # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
     # source: https://boostsecurityio.github.io/lotp/
     data:
       - ["pre-commit/action"]
@@ -14,40 +13,46 @@ extensions:
   - addsTo:
       pack: github/actions-all
       extensible: poisonableCommandsDataModel
-    # source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L23
     # source: https://boostsecurityio.github.io/lotp/
     data:
-      - ["ant "]
-      - ["bundle "]
-      - ["cargo "]
-      - ["checkov "]
-      - ["eslint "]
-      - ["go generate"]
-      - ["go run"]
-      - ["gomplate "]
-      - ["gradle "]
-      - ["java -jar"]
-      - ["make "]
+      - ["ant"]
+      - ["awk\\s+-f"]
+      - ["bundle"]
+      - ["cargo"]
+      - ["checkov"]
+      - ["eslint"]
+      - ["gcloud\\s+builds submit"]
+      - ["golangci-lint"]
+      - ["gomplate"]
+      - ["goreleaser"]
+      - ["gradle"]
+      - ["java\\s+-jar"]
+      - ["make"]
+      - ["mdformat"]
       - ["mkdocs"]
       - ["msbuild"]
       - ["mvn"]
       - ["mypy"]
-      - ["npm [a-z]"]
-      - ["pnpm [a-z]"]
+      - ["(p)?npm\\s+[a-z]"]
       - ["pre-commit"]
       - ["prettier"]
-      - ["pip install -r"]
-      - ["pip install --requirement"]
+      - ["phpstan"]
+      - ["pip\\s+install\\s+-r"]
+      - ["pip\\s+install\\s+--requirement"]
       - ["poetry"]
       - ["pylint"]
       - ["pytest"]
-      - ["rake "]
-      - ["rails db:create"]
-      - ["rails assets:precompile"]
-      - ["rubocop "]
-      - ["terraform "]
+      - ["rake"]
+      - ["rails\\s+db:create"]
+      - ["rails\\s+assets:precompile"]
+      - ["rubocop"]
+      - ["sed\\s+-e"]
+      - ["sed\\s+-f"]
+      - ["stylelint"]
+      - ["terraform"]
       - ["tflint"]
-      - ["yarn "]
+      - ["yarn"]
+      - ["webpack"]
   - addsTo:
       pack: github/actions-all
       extensible: poisonableLocalScriptsDataModel
@@ -59,5 +64,6 @@ extensions:
       - ["(node)\\s+(.*)(\\.js|\\.ts)", 3]
       - ["(python)\\s+(.*)\\.py", 3]
       - ["(ruby)\\s+(.*)\\.rb", 3]
-      - ["(go)\\s+(.*)\\.go", 3]
+      - ["(go)\\s+(generate|run)\\s+(.*)\\.go", 4]
+      - ["(dotnet)\\s+(.*)\\.csproj", 3]
 
diff --git a/ql/test/library-tests/.github/workflows/poisonable_steps.yml b/ql/test/library-tests/.github/workflows/poisonable_steps.yml
@@ -27,3 +27,14 @@ jobs:
       - run: ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
       - run: bundle run exec ruby scripts/generate_theme.rb --outfile js/storybook/theme.css
       - run: xvfb-run ./mvnw clean package
+      - run: echo "foo" && npm i && echo "bar"
+      - run: echo "foo" | npm i | echo "bar"
+      - run: echo "foo" | npm i | echo "bar"
+      - run: echo "foo `npm i` bar"
+      - run: dotnet test foo/Tests.csproj -c Release
+      - run: go run foo.go
+      - run: sed -i "s|git_branch = .*|git_branch = \"$GITHUB_HEAD_REF\"|" config.json # not supported yet
+      - run: sed -f ./config.sed file.txt > foo.txt
+      - run: sed -f config file.txt > foo.txt
+      - run: echo "foo" | awk -f ./config.awk > foo.txt
+      - run: gcloud builds submit --quiet --substitutions="COMMIT_SHA=foo
diff --git a/ql/test/library-tests/poisonable_steps.expected b/ql/test/library-tests/poisonable_steps.expected
@@ -17,4 +17,14 @@
 | .github/workflows/poisonable_steps.yml:26:9:27:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:27:9:28:6 | Run Step |
 | .github/workflows/poisonable_steps.yml:28:9:29:6 | Run Step |
-| .github/workflows/poisonable_steps.yml:29:9:29:43 | Run Step |
+| .github/workflows/poisonable_steps.yml:29:9:30:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:30:9:31:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:31:9:32:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:32:9:33:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:33:9:34:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:34:9:35:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:35:9:36:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:37:9:38:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:38:9:39:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:39:9:40:6 | Run Step |
+| .github/workflows/poisonable_steps.yml:40:9:40:74 | Run Step |
diff --git a/ql/test/library-tests/test.expected b/ql/test/library-tests/test.expected
