Merge pull request #63 from github/cwe_1395

Alvaro Muñoz · web-flow · commit 4334524ac419 · 2024-07-31T18:30:27.000+02:00
feat(queries): Add query to report vulnerable 3rd party actions
diff --git a/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql b/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
@@ -0,0 +1,38 @@
+/**
+ * @name Use of known vulnerable 3rd party action.
+ * @description The workflow is using a known vulnerable 3rd party action.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id actions/vulnerable-action
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-1395
+ */
+
+import actions
+
+//  gh api /repos/actions/download-artifact/tags --jq 'map({name: .name, sha: .commit.sha})' --paginate
+from UsesStep step
+where
+  step.getCallee() = "actions/download-artifact" and
+  (
+    step.getVersion() =
+      [
+        "4.1.6", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.1", "4.1.0", "4.0.0", "3.0.2", "3.0.1",
+        "3.0.0", "3", "3-node20", "2.1.1", "2.1.0", "2.0.10", "2.0.9", "2.0.8", "2.0.7", "2.0.6",
+        "2.0.5", "2.0.4", "2.0.3", "2.0.2", "2.0.1", "2.0", "2", "1.0.0", "1", "1.0.0",
+      ]
+    or
+    step.getVersion()
+        .matches([
+              "9c19ed7f", "8caf195a", "c850b930", "87c55149", "eaceaf80", "6b208ae0", "f44cd7b4",
+              "7a1cd321", "9bc31d5c", "9782bd6a", "fb598a63", "9bc31d5c", "246d7188", "cbed621e",
+              "f023be2c", "3be87be1", "158ca71f", "4a7a7112", "f144d3c3", "f8e41fbf", "c3f5d00c",
+              "b3cedea9", "80d2d402", "381af06b", "1ac47ba4", "1de1dea8", "cbed621e", "18f0f591",
+              "18f0f591", "18f0f591",
+            ] + "%")
+  )
+select step, "The workflow is using a known vulnerable version ($@) of the $@ action.", step,
+  step.getVersion(), step, step.getCallee()
diff --git a/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml b/ql/test/query-tests/Security/CWE-1395/.github/workflows/test1.yml
@@ -0,0 +1,23 @@
+name: Test
+
+on:
+  issues:
+
+jobs:
+  test1:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/download-artifact@v1
+      - uses: actions/download-artifact@v1.0.0
+      - uses: actions/download-artifact@v2
+      - uses: actions/download-artifact@v2.1.0
+      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v3.0.2
+      - uses: actions/download-artifact@v4.1.0
+      - uses: actions/download-artifact@87c55149d96e628cc2ef7e6fc2aab372015aec85 # v4.1.3
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@v4 # SECURE
+      - uses: actions/download-artifact@v4.1.7 # SECURE
+      - uses: actions/download-artifact@v4.1.8 # SECURE
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 SECURE
+      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 SECURE
diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.expected
@@ -0,0 +1,9 @@
+| .github/workflows/test1.yml:10:9:11:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:10:9:11:6 | Uses Step | 1 | .github/workflows/test1.yml:10:9:11:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:11:9:12:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:11:9:12:6 | Uses Step | 1.0.0 | .github/workflows/test1.yml:11:9:12:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:12:9:13:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:12:9:13:6 | Uses Step | 2 | .github/workflows/test1.yml:12:9:13:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:13:9:14:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:13:9:14:6 | Uses Step | 2.1.0 | .github/workflows/test1.yml:13:9:14:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:14:9:15:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:14:9:15:6 | Uses Step | 3 | .github/workflows/test1.yml:14:9:15:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:15:9:16:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:15:9:16:6 | Uses Step | 3.0.2 | .github/workflows/test1.yml:15:9:16:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:16:9:17:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:16:9:17:6 | Uses Step | 4.1.0 | .github/workflows/test1.yml:16:9:17:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:17:9:18:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:17:9:18:6 | Uses Step | 87c55149d96e628cc2ef7e6fc2aab372015aec85 | .github/workflows/test1.yml:17:9:18:6 | Uses Step | actions/download-artifact |
+| .github/workflows/test1.yml:18:9:19:6 | Uses Step | The workflow is using a known vulnerable version ($@) of the $@ action. | .github/workflows/test1.yml:18:9:19:6 | Uses Step | 9bc31d5ccc31df68ecc42ccf4149144866c47d8a | .github/workflows/test1.yml:18:9:19:6 | Uses Step | actions/download-artifact |
diff --git a/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref b/ql/test/query-tests/Security/CWE-1395/UseOfKnownVulnerableAction.qlref
@@ -0,0 +1,2 @@
+Security/CWE-1395/UseOfKnownVulnerableAction.ql
+

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Security/CWE-1395/UseOfKnownVulnerableAction.ql`
	`2`	`+`