Merge pull request #57 from github/workflow_run_branches

workflow run branches

Author: Alvaro Muñoz

ql/lib/codeql/actions/Helper.qll

@@ -1,5 +1,6 @@
 private import codeql.actions.Ast
 private import codeql.Locations
+import codeql.actions.config.Config
 private import codeql.actions.security.ControlChecks
 
 bindingset[expr]
@@ -264,3 +265,10 @@ predicate outputsPartialFileContent(string snippet) {
             ".*"
         ])
 }
+
+string defaultBranchNames() {
+  repositoryDataModel(_, result)
+  or
+  not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
+  result = ["main", "master"]
+}

ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -710,7 +710,18 @@ class EventImpl extends AstNodeImpl, TEventNode {
   /** Holds if the event can be triggered by an external actor. */
   predicate isExternallyTriggerable() {
     // the job is triggered by an event that can be triggered externally
-    externallyTriggerableEventsDataModel(this.getName())
+    // except for workflow_run which requires additional checks
+    externallyTriggerableEventsDataModel(this.getName()) and
+    not this.getName() = "workflow_run"
+    or
+    this.getName() = "workflow_run" and
+    // workflow_run cannot be externally triggered if they triggering workflow runs in the context of the default branch
+    // since an attacker can change the triggering workflow from any event to `pull_request` to trigger the workflow
+    // but in that case, the triggering workflow will run in the context of the PR head branch
+    (
+      not exists(this.getAPropertyValue("branches")) or
+      this.getAPropertyValue("branches").matches("%*%")
+    )
     or
     // the event is `workflow_call` and there is a caller workflow that can be triggered externally
     this.getName() = "workflow_call" and

ql/lib/codeql/actions/security/CachePoisoningQuery.qll

@@ -1,5 +1,6 @@
 import actions
 import codeql.actions.config.Config
+import codeql.actions.Helper
 
 string defaultBranchTriggerEvent() {
   result =
@@ -11,16 +12,6 @@ string defaultBranchTriggerEvent() {
     ]
 }
 
-string defaultBranchNames() {
-  exists(string default_branch_name |
-    repositoryDataModel(_, default_branch_name) and
-    result = default_branch_name
-  )
-  or
-  not exists(string default_branch_name | repositoryDataModel(_, default_branch_name)) and
-  result = ["main", "master"]
-}
-
 predicate runsOnDefaultBranch(Event e) {
   (
     e.getName() = defaultBranchTriggerEvent() and

ql/lib/ext/manual/appleboy_ssh-action.model.yml

@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: github/actions-all
+      extensible: actionsSinkModel
+    data:
+      - ["appleboy/ssh-action", "*", "input.script", "code-injection", "manual"]
+      - ["appleboy/ssh-action", "*", "input.envs", "envvar-injection", "manual"]
+

ql/lib/qlpack.yml

@@ -2,7 +2,7 @@
 library: true
 warnOnImplicitThis: true
 name: github/actions-all
-version: 0.1.15
+version: 0.1.16
 dependencies:
   codeql/util: ^1.0.1
   codeql/yaml: ^1.0.1

ql/src/qlpack.yml

@@ -1,7 +1,7 @@
 ---
 library: false
 name: github/actions-queries
-version: 0.1.15
+version: 0.1.16
 groups: [actions, queries]
 suites: codeql-suites
 extractor: javascript

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches1.yml

@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    branches: ["main"]
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches2.yml

@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    branches: "main"
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches3.yml

@@ -0,0 +1,12 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}

ql/test/query-tests/Security/CWE-094/.github/workflows/workflow_run_branches4.yml

@@ -0,0 +1,13 @@
+name: Self-hosted runner (AMD mi250 CI caller)
+
+on:
+  workflow_run:
+    workflows: ["Test"]
+    branches: ["feat/**"]
+    types: [completed]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo ${{ github.event.workflow_run.head_branch }}

ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -295,6 +295,10 @@ nodes
 | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name |
 | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description |
+| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 subpaths
 #select
 | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action1/action.yml:7:19:7:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
@@ -388,3 +392,5 @@ subpaths
 | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | ${{ github.event.workflow_run.head_commit.committer.name }} |
 | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | ${{ github.event.workflow_run.head_repository.description }} |
+| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
+| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |

ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -295,6 +295,10 @@ nodes
 | .github/workflows/workflow_run.yml:14:19:14:77 | github.event.workflow_run.head_commit.committer.name | semmle.label | github.event.workflow_run.head_commit.committer.name |
 | .github/workflows/workflow_run.yml:15:19:15:62 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 | .github/workflows/workflow_run.yml:16:19:16:78 | github.event.workflow_run.head_repository.description | semmle.label | github.event.workflow_run.head_repository.description |
+| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches3.yml:12:20:12:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
+| .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
 subpaths
 #select
 | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/actions/action3/action.yml:9:19:9:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
@@ -325,3 +329,5 @@ subpaths
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
 | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | .github/workflows/simple1.yml:11:20:11:58 | github.event.head_commit.message | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/simple1.yml:16:18:16:49 | steps.summary.outputs.value | ${{steps.summary.outputs.value}} |
 | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | .github/workflows/test.yml:15:20:15:64 | github.event['head_commit']['message'] | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test.yml:49:20:49:56 | needs.job1.outputs['job_output'] | ${{needs.job1.outputs['job_output']}} |
+| .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
+| .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |

ql/test/query-tests/Security/CWE-349/.github/workflows/test21.yml

@@ -0,0 +1,44 @@
+name: OpenAPI
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - 'v*'
+  pull_request_target:
+
+permissions: {}
+
+jobs:
+
+  openapi-base:
+    name: OpenAPI - BASE
+    if: ${{ github.base_ref != '' }}
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 0
+      - name: Generate openapi.json
+        run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests"
+
+  publish-unstable:
+    name: OpenAPI - Publish Unstable Spec
+    if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+    runs-on: ubuntu-latest
+    needs:
+      - openapi-base
+    steps:
+      - name: Upload openapi.json (unstable) to repository server
+        uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
+        with:
+          host: "${{ secrets.REPO_HOST }}"
+          username: "${{ secrets.REPO_USER }}"
+          key: "${{ secrets.REPO_KEY }}"
+          source: openapi-head/openapi.json
+          strip_components: 1
+          target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}"

ql/test/query-tests/Security/CWE-349/CachePoisoning.expected

@@ -155,6 +155,7 @@ edges
 | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:42:7:43:4 | Run Step |
 | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
 | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:43:7:46:39 | Uses Step |
+| .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step |
 #select
 | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:33:7:38:4 | Uses Step | Potential cache poisoning in the context of the default branch |
 | .github/workflows/poc3.yml:38:7:40:4 | Run Step | .github/workflows/poc3.yml:18:7:25:4 | Uses Step | .github/workflows/poc3.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch |
@@ -177,3 +178,4 @@ edges
 | .github/workflows/test20.yml:38:7:40:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:38:7:40:4 | Run Step | Potential cache poisoning in the context of the default branch |
 | .github/workflows/test20.yml:41:7:42:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:41:7:42:4 | Run Step | Potential cache poisoning in the context of the default branch |
 | .github/workflows/test20.yml:42:7:43:4 | Run Step | .github/workflows/test20.yml:18:7:25:4 | Uses Step | .github/workflows/test20.yml:42:7:43:4 | Run Step | Potential cache poisoning in the context of the default branch |
+| .github/workflows/test21.yml:26:9:29:2 | Run Step | .github/workflows/test21.yml:20:9:26:6 | Uses Step | .github/workflows/test21.yml:26:9:29:2 | Run Step | Potential cache poisoning in the context of the default branch |

ql/test/query-tests/Security/CWE-829/.github/workflows/test8.yml

@@ -0,0 +1,44 @@
+name: OpenAPI
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - 'v*'
+  pull_request_target:
+
+permissions: {}
+
+jobs:
+
+  openapi-base:
+    name: OpenAPI - BASE
+    if: ${{ github.base_ref != '' }}
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+          fetch-depth: 0
+      - name: Generate openapi.json
+        run: dotnet test tests/Jellyfin.Server.Integration.Tests/Jellyfin.Server.Integration.Tests.csproj -c Release --filter "Jellyfin.Server.Integration.Tests.OpenApiSpecTests"
+
+  publish-unstable:
+    name: OpenAPI - Publish Unstable Spec
+    if: ${{ github.event_name != 'pull_request_target' && !startsWith(github.ref, 'refs/tags/v') && contains(github.repository_owner, 'jellyfin') }}
+    runs-on: ubuntu-latest
+    needs:
+      - openapi-base
+    steps:
+      - name: Upload openapi.json (unstable) to repository server
+        uses: appleboy/scp-action@917f8b81dfc1ccd331fef9e2d61bdc6c8be94634 # v0.1.7
+        with:
+          host: "${{ secrets.REPO_HOST }}"
+          username: "${{ secrets.REPO_USER }}"
+          key: "${{ secrets.REPO_KEY }}"
+          source: openapi-head/openapi.json
+          strip_components: 1
+          target: "/srv/incoming/openapi/unstable/jellyfin-openapi-${{ env.JELLYFIN_VERSION }}"

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -325,6 +325,7 @@ edges
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command |
 | .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
 | .github/workflows/test7.yml:39:9:49:6 | Run Step: bench-command | .github/workflows/test7.yml:49:9:58:20 | Run Step: benchmark-pr |
+| .github/workflows/test8.yml:20:9:26:6 | Uses Step | .github/workflows/test8.yml:26:9:29:2 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:14:9:25:6 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
 | .github/workflows/test.yml:13:9:14:6 | Uses Step | .github/workflows/test.yml:33:9:37:34 | Run Step |

ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected

@@ -6,3 +6,4 @@
 | .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
 | .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |