Merge branch 'main' into rust-rusqlite

Author: GeekMasher

actions/ql/lib/change-notes/2025-01-07-trusted-owner-ext.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).

actions/ql/lib/codeql/actions/config/Config.qll

@@ -126,6 +126,15 @@ predicate vulnerableActionsDataModel(
  */
 predicate immutableActionsDataModel(string action) { Extensions::immutableActionsDataModel(action) }
 
+/**
+ * MaD models for trusted actions owners
+ * Fields:
+ *    - owner: owner name
+ */
+predicate trustedActionsOwnerDataModel(string owner) {
+  Extensions::trustedActionsOwnerDataModel(owner)
+}
+
 /**
  * MaD models for untrusted git commands
  * Fields:

actions/ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -63,6 +63,11 @@ extensible predicate vulnerableActionsDataModel(
  */
 extensible predicate immutableActionsDataModel(string action);
 
+/**
+ * Holds for trusted Actions owners.
+ */
+extensible predicate trustedActionsOwnerDataModel(string owner);
+
 /**
  * Holds for git commands that may introduce untrusted data when called on an attacker controlled branch.
  */

actions/ql/lib/ext/config/trusted_actions_owner.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo: 
+      pack: codeql/actions-all
+      extensible: trustedActionsOwnerDataModel
+    data:      
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]

actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql

@@ -2,9 +2,9 @@
  * @name PATH Enviroment Variable built from user-controlled sources
  * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
  * @security-severity 5.0
- * @precision high
+ * @precision medium
  * @id actions/envpath-injection/medium
  * @tags actions
  *       security

actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql

@@ -2,9 +2,9 @@
  * @name Enviroment Variable built from user-controlled sources
  * @description Building an environment variable from user-controlled sources may alter the execution of following system commands
  * @kind path-problem
- * @problem.severity warning
+ * @problem.severity error
  * @security-severity 5.0
- * @precision high
+ * @precision medium
  * @id actions/envvar-injection/medium
  * @tags actions
  *       security

actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

@@ -3,11 +3,12 @@
  * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
  * @kind problem
  * @security-severity 5.0
- * @problem.severity recommendation
+ * @problem.severity warning
  * @precision high
  * @id actions/missing-workflow-permissions
  * @tags actions
  *       maintainability
+ *       security
  *       external/cwe/cwe-275
  */
 

actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql

@@ -2,7 +2,8 @@
  * @name Excessive Secrets Exposure
  * @description All organization and repository secrets are passed to the workflow runner.
  * @kind problem
- * @problem.severity recommendation
+ * @precision high
+ * @problem.severity warning
  * @id actions/excessive-secrets-exposure
  * @tags actions
  *       security

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql

@@ -2,8 +2,8 @@
  * @name Artifact poisoning
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind path-problem
- * @problem.severity warning
- * @precision high
+ * @problem.severity error
+ * @precision medium
  * @security-severity 5.0
  * @id actions/artifact-poisoning/medium
  * @tags actions

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md

@@ -24,4 +24,4 @@ Pinning an action to a full length commit SHA is currently the only way to use a
 
 ## References
 
-- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)
+- [Using third-party actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions)

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql

@@ -3,8 +3,8 @@
  * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
  * @kind problem
  * @security-severity 5.0
- * @problem.severity recommendation
- * @precision high
+ * @problem.severity warning
+ * @precision medium
  * @id actions/unpinned-tag
  * @tags security
  *       actions
@@ -17,24 +17,25 @@ import codeql.actions.security.UseOfUnversionedImmutableAction
 bindingset[version]
 private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
 
-bindingset[repo]
-private predicate isTrustedOrg(string repo) {
-  repo.matches(["actions", "github", "advanced-security"] + "/%")
+bindingset[nwo]
+private predicate isTrustedOwner(string nwo) {
+  // Gets the segment before the first '/' in the name with owner(nwo) string
+  trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
 }
 
-from UsesStep uses, string repo, string version, Workflow workflow, string name
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
 where
-  uses.getCallee() = repo and
+  uses.getCallee() = nwo and
   uses.getEnclosingWorkflow() = workflow and
   (
     workflow.getName() = name
     or
     not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
   ) and
   uses.getVersion() = version and
-  not isTrustedOrg(repo) and
+  not isTrustedOwner(nwo) and
   not isPinnedCommit(version) and
-  not isImmutableAction(uses, repo)
+  not isImmutableAction(uses, nwo)
 select uses.getCalleeNode(),
-  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + repo + "' with ref '" + version +
+  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
     "', not a pinned commit hash", uses, uses.toString()

actions/ql/src/change-notes/2025-02-06-curate-suites.md

@@ -0,0 +1,20 @@
+---
+category: breaking
+---
+* The following queries have been removed from the `code-scanning` and `security-extended` suites.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/if-expression-always-true/critical`
+  * `actions/if-expression-always-true/high`
+  * `actions/unnecessary-use-of-advanced-config`
+  
+* The following query has been moved from the `code-scanning` suite to the `security-extended`
+  suite. Any existing alerts for this query will be closed automatically unless the analysis is
+  configured to use the `security-extended` suite.
+  * `actions/unpinned-tag`
+* The following queries have been added to the `security-extended` suite.
+  * `actions/unversioned-immutable-action`
+  * `actions/envpath-injection/medium`
+  * `actions/envvar-injection/medium`
+  * `actions/code-injection/medium`
+  * `actions/artifact-poisoning/medium`
+  * `actions/untrusted-checkout/medium`

actions/ql/src/codeql-suites/actions-code-scanning.qls

@@ -1,11 +1,4 @@
 - description: Standard Code Scanning queries for GitHub Actions
-- queries: '.'
-- include:
-    problem.severity: 
-      - error
-      - recommendation
-- exclude:
-    tags contain:
-      - experimental
-      - debug
-      - internal
+- queries: .
+- apply: code-scanning-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/codeql-suites/actions-security-extended.qls

@@ -1,2 +1,4 @@
 - description: Security-extended queries for GitHub Actions
-- import: codeql-suites/actions-code-scanning.qls
+- queries: .
+- apply: security-extended-selectors.yml
+  from: codeql/suite-helpers

actions/ql/src/Security/CWE-074/OutputClobberingHigh.ql renamed to actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql

@@ -1 +1 @@
-Security/CWE-074/OutputClobberingHigh.ql
+experimental/Security/CWE-074/OutputClobberingHigh.ql

actions/ql/src/Security/CWE-078/CommandInjectionCritical.ql renamed to actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql

@@ -1 +1 @@
-Security/CWE-078/CommandInjectionCritical.ql
+experimental/Security/CWE-078/CommandInjectionCritical.ql

actions/ql/src/Security/CWE-078/CommandInjectionMedium.ql renamed to actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql

@@ -1 +1 @@
-Security/CWE-078/CommandInjectionMedium.ql
+experimental/Security/CWE-078/CommandInjectionMedium.ql

actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.md renamed to actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.md

@@ -1 +1 @@
-Security/CWE-088/ArgumentInjectionCritical.ql
+experimental/Security/CWE-088/ArgumentInjectionCritical.ql

actions/ql/src/Security/CWE-088/ArgumentInjectionCritical.ql renamed to actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql

@@ -1 +1 @@
-Security/CWE-088/ArgumentInjectionMedium.ql
+experimental/Security/CWE-088/ArgumentInjectionMedium.ql

actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.md renamed to actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.md

@@ -1,2 +1,2 @@
-Security/CWE-200/SecretExfiltration.ql
+experimental/Security/CWE-200/SecretExfiltration.ql
 

actions/ql/src/Security/CWE-088/ArgumentInjectionMedium.ql renamed to actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql

@@ -1,2 +1,2 @@
-Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
 

actions/ql/src/Security/CWE-200/SecretExfiltration.ql renamed to actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql

@@ -1,2 +1,2 @@
-Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
 

actions/ql/src/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql renamed to actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql

@@ -1 +1 @@
-Security/CWE-918/RequestForgery.ql
+experimental/Security/CWE-918/RequestForgery.ql

actions/ql/src/Security/CWE-829/ArtifactPoisoningPathTraversal.ql renamed to actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Blazor `[Parameter]` fields bound to a variable from the route specified in the `@page` directive are now modeled as remote flow sources.

actions/ql/src/Security/CWE-918/RequestForgery.ql renamed to actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

@@ -0,0 +1,135 @@
+/** Provides classes for working with `Microsoft.AspNetCore.Components` */
+
+import csharp
+import semmle.code.csharp.frameworks.Microsoft
+import semmle.code.csharp.frameworks.microsoft.AspNetCore
+
+/** The `Microsoft.AspNetCore.Components` namespace */
+class MicrosoftAspNetCoreComponentsNamespace extends Namespace {
+  MicrosoftAspNetCoreComponentsNamespace() {
+    this.getParentNamespace() instanceof MicrosoftAspNetCoreNamespace and
+    this.hasName("Components")
+  }
+}
+
+/**
+ * A class in the `Microsoft.AspNetCore.Components` namespace.
+ */
+private class MicrosoftAspNetCoreComponentsClass extends Class {
+  MicrosoftAspNetCoreComponentsClass() {
+    this.getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.CascadingParameterAttributeBase` class. */
+class MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass extends MicrosoftAspNetCoreComponentsClass
+{
+  MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass() {
+    this.hasName("CascadingParameterAttributeBase")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.ComponentBase` class. */
+class MicrosoftAspNetCoreComponentsComponentBaseClass extends MicrosoftAspNetCoreComponentsClass {
+  MicrosoftAspNetCoreComponentsComponentBaseClass() { this.hasName("ComponentBase") }
+}
+
+/** The `Microsoft.AspNetCore.Components.IComponent` interface. */
+class MicrosoftAspNetCoreComponentsIComponentInterface extends Interface {
+  MicrosoftAspNetCoreComponentsIComponentInterface() {
+    this.getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
+    this.hasName("IComponent")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.RouteAttribute` attribute. */
+private class MicrosoftAspNetCoreComponentsRouteAttribute extends Attribute {
+  MicrosoftAspNetCoreComponentsRouteAttribute() {
+    this.getType().getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
+    this.getType().hasName("RouteAttribute")
+  }
+}
+
+/** The `Microsoft.AspNetCore.Components.ParameterAttribute` attribute. */
+private class MicrosoftAspNetCoreComponentsParameterAttribute extends Attribute {
+  MicrosoftAspNetCoreComponentsParameterAttribute() {
+    this.getType().getNamespace() instanceof MicrosoftAspNetCoreComponentsNamespace and
+    this.getType().hasName("ParameterAttribute")
+  }
+}
+
+/** An ASP.NET Core (Blazor) component. */
+class MicrosoftAspNetCoreComponentsComponent extends Class {
+  MicrosoftAspNetCoreComponentsComponent() {
+    this.getABaseType+() instanceof MicrosoftAspNetCoreComponentsComponentBaseClass or
+    this.getABaseType+() instanceof MicrosoftAspNetCoreComponentsIComponentInterface
+  }
+
+  /** Gets a property whose value cascades down the component hierarchy. */
+  Property getACascadingParameterProperty() {
+    result = this.getAProperty() and
+    result.getAnAttribute().getType().getBaseClass() instanceof
+      MicrosoftAspNetCoreComponentsCascadingParameterAttributeBaseClass
+  }
+
+  /** Gets the url for the route from the `Microsoft.AspNetCore.Components.RouteAttribute` of the component. */
+  private string getRouteAttributeUrl() {
+    exists(MicrosoftAspNetCoreComponentsRouteAttribute a | a = this.getAnAttribute() |
+      result = a.getArgument(0).getValue()
+    )
+  }
+
+  /**
+   * Gets a route parameter from the `Microsoft.AspNetCore.Components.RouteAttribute` of the component.
+   *
+   * A route parameter is defined in the URL by wrapping its name in a pair of { braces } when adding a component's @page declaration.
+   * There are various extensions that can be added next to the parameter name, such as `:int` or `?` to make the parameter optional.
+   * Optionally, the parameter name can start with a `*` to make it a catch-all parameter.
+   *
+   * An example of a route parameter is `@page "/counter/{id:int}/{other?}/{*rest}"`, from this we're getting the `id`, `other` and `rest` parameters.
+   */
+  pragma[nomagic]
+  private string getARouteParameter() {
+    exists(string s |
+      s = this.getRouteAttributeUrl().splitAt("{").regexpCapture("\\*?([^:?}]+)[:?}](.*)", 1) and
+      result = s.toLowerCase()
+    )
+  }
+
+  /** Gets a property attributed with `[Parameter]` attribute. */
+  pragma[nomagic]
+  private Property getAParameterProperty(string name) {
+    result = this.getAProperty() and
+    result.getAnAttribute() instanceof MicrosoftAspNetCoreComponentsParameterAttribute and
+    name = result.getName().toLowerCase()
+  }
+
+  /** Gets a property whose value is populated from route parameters. */
+  Property getARouteParameterProperty() {
+    exists(string name | name = this.getARouteParameter() |
+      result = this.getAParameterProperty(name)
+    )
+  }
+}
+
+private module Sources {
+  private import semmle.code.csharp.security.dataflow.flowsources.Remote
+
+  /**
+   * A property with a `[Parameter]` attribute in an ASP.NET Core component which
+   * is populated from a route parameter.
+   */
+  private class AspNetCoreComponentRouteParameterFlowSource extends AspNetRemoteFlowSource,
+    DataFlow::ExprNode
+  {
+    AspNetCoreComponentRouteParameterFlowSource() {
+      exists(MicrosoftAspNetCoreComponentsComponent c, Property p |
+        p = c.getARouteParameterProperty()
+      |
+        this.asExpr() = p.getGetter().getACall()
+      )
+    }
+
+    override string getSourceType() { result = "ASP.NET Core component route parameter" }
+  }
+}

actions/ql/test/query-tests/Security/CWE-074/OutputClobberingHigh.qlref

@@ -26,7 +26,8 @@ abstract class RemoteFlowSource extends SourceNode {
  * A module for importing frameworks that defines remote flow sources.
  */
 private module RemoteFlowSources {
-  private import semmle.code.csharp.frameworks.ServiceStack
+  private import semmle.code.csharp.frameworks.ServiceStack as ServiceStack
+  private import semmle.code.csharp.frameworks.microsoft.aspnetcore.Components as Blazor
 }
 
 /** A data flow source of remote user input (ASP.NET). */