Add query to find context variables that may not work with default setup

2023-05-12 19:35:08 +01:00 · 2023-05-12 19:35:08 +01:00 · 8065746a2a
commit 8065746a2a
parent abb267d186
2 changed files with 72 additions and 0 deletions
--- a/queries/default-setup-environment-variables.ql
+++ b/queries/default-setup-environment-variables.ql
@ -14,6 +14,8 @@ predicate isSafeForDefaultSetup(string envVar) {
  envVar.matches("CODEQL_%") or
  envVar.matches("CODESCANNING_%") or
  envVar.matches("LGTM_%") or
+  // We flag up usage of potentially unsafe parts of the GitHub event in `default-setup-event-context.ql`.
+  envVar = "GITHUB_EVENT_PATH" or
  // The following environment variables are known to be safe for use with default setup
  envVar =
    [
--- a/queries/default-setup-event-context.ql
+++ b/queries/default-setup-event-context.ql
@ -0,0 +1,70 @@
+/**
+ * @name Some context properties may not exist in default setup workflows
+ * @id javascript/codeql-action/default-setup-context-properties
+ * @kind path-problem
+ * @severity error
+ */
+
+import javascript
+import DataFlow::PathGraph
+
+class NotParsedLabel extends DataFlow::FlowLabel {
+  NotParsedLabel() { this = "not-parsed" }
+}
+
+class ParsedLabel extends DataFlow::FlowLabel {
+  ParsedLabel() { this = "parsed" }
+}
+
+class EventContextAccessConfiguration extends DataFlow::Configuration {
+  EventContextAccessConfiguration() { this = "EventContextAccessConfiguration" }
+
+  override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+    source = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead("GITHUB_EVENT_PATH") and
+    lbl instanceof NotParsedLabel
+  }
+
+  override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+    sink instanceof DataFlow::PropRead and lbl instanceof ParsedLabel
+  }
+
+  override predicate isAdditionalFlowStep(
+    DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+  ) {
+    src = trg.(FileSystemReadAccess).getAPathArgument() and inlbl = outlbl
+    or
+    exists(JsonParserCall c |
+      src = c.getInput() and
+      trg = c.getOutput() and
+      inlbl instanceof NotParsedLabel and
+      outlbl instanceof ParsedLabel
+    )
+    or
+    (
+      TaintTracking::sharedTaintStep(src, trg) or
+      DataFlow::SharedFlowStep::step(src, trg) or
+      DataFlow::SharedFlowStep::step(src, trg, _, _)
+    ) and
+    inlbl = outlbl
+  }
+}
+
+predicate deepPropertyRead(DataFlow::PropRead originalRead, DataFlow::PropRead read, int depth) {
+  read = originalRead and depth = 1
+  or
+  exists(DataFlow::PropRead prevRead, int prevDepth |
+    deepPropertyRead(originalRead, prevRead, prevDepth) and
+    read = prevRead.getAPropertyRead() and
+    depth = prevDepth + 1
+  )
+}
+
+from EventContextAccessConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where
+  cfg.hasFlowPath(source, sink) and
+  not sink.getNode().asExpr().getFile().getBaseName().matches("%.test.ts")
+select sink.getNode(), source, sink,
+  "This context property may not exist in default setup workflows. If all uses are safe, add it to the list of "
+    + "context properties that are known to be safe in " +
+    "'queries/default-setup-event-context.ql'. If this use is safe but others are not, " +
+    "dismiss this alert as a false positive."