Merge pull request #69 from github/improve_cache_poisoning

Improve Cache Poisoning Query

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/CachePoisoningQuery.qll

@@ -44,70 +44,27 @@ predicate runsOnDefaultBranch(Event e) {
   )
 }
 
-abstract class CacheWritingStep extends Step { }
+abstract class CacheWritingStep extends Step {
+  abstract string getPath();
+}
 
 class CacheActionUsesStep extends CacheWritingStep, UsesStep {
   CacheActionUsesStep() { this.getCallee() = "actions/cache" }
+
+  override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
 }
 
 class CacheActionSaveUsesStep extends CacheWritingStep, UsesStep {
   CacheActionSaveUsesStep() { this.getCallee() = "actions/cache/save" }
-}
-
-class SetupJavaUsesStep extends CacheWritingStep, UsesStep {
-  SetupJavaUsesStep() {
-    this.getCallee() = "actions/setup-java" and
-    (
-      exists(this.getArgument("cache")) or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
-}
-
-class SetupGoUsesStep extends CacheWritingStep, UsesStep {
-  SetupGoUsesStep() {
-    this.getCallee() = "actions/setup-go" and
-    (
-      not exists(this.getArgument("cache"))
-      or
-      this.getArgument("cache") = "true"
-    )
-  }
-}
 
-class SetupNodeUsesStep extends CacheWritingStep, UsesStep {
-  SetupNodeUsesStep() {
-    this.getCallee() = "actions/setup-node" and
-    (
-      exists(this.getArgument("cache")) or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
-}
-
-class SetupPythonUsesStep extends CacheWritingStep, UsesStep {
-  SetupPythonUsesStep() {
-    this.getCallee() = "actions/setup-python" and
-    (
-      exists(this.getArgument("cache")) or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
-}
-
-class SetupDotnetUsesStep extends CacheWritingStep, UsesStep {
-  SetupDotnetUsesStep() {
-    this.getCallee() = "actions/setup-dotnet" and
-    (
-      this.getArgument("cache") = "true" or
-      exists(this.getArgument("cache-dependency-path"))
-    )
-  }
+  override string getPath() { result = this.(UsesStep).getArgument("path").splitAt("\n") }
 }
 
 class SetupRubyUsesStep extends CacheWritingStep, UsesStep {
   SetupRubyUsesStep() {
     this.getCallee() = ["actions/setup-ruby", "ruby/setup-ruby"] and
     this.getArgument("bundler-cache") = "true"
   }
+
+  override string getPath() { result = "vendor/bundle" }
 }

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -1,6 +1,12 @@
 import actions
 import codeql.actions.DataFlow
 
+string getStepCWD() {
+  // TODO: This should be the path of the git command.
+  // Read if from the step's CWD, workspace or look for a cd command.
+  result = "?"
+}
+
 bindingset[s]
 predicate containsPullRequestNumber(string s) {
   exists(
@@ -68,7 +74,9 @@ predicate containsHeadRef(string s) {
 }
 
 /** Checkout of a Pull Request HEAD */
-abstract class PRHeadCheckoutStep extends Step { }
+abstract class PRHeadCheckoutStep extends Step {
+  abstract string getPath();
+}
 
 /** Checkout of a Pull Request HEAD ref */
 abstract class MutableRefCheckoutStep extends PRHeadCheckoutStep { }
@@ -138,6 +146,12 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
       )
     )
   }
+
+  override string getPath() {
+    if exists(this.(UsesStep).getArgument("path"))
+    then result = this.(UsesStep).getArgument("path")
+    else result = "?"
+  }
 }
 
 /** Checkout of a Pull Request HEAD ref using actions/checkout action */
@@ -194,6 +208,12 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
       )
     )
   }
+
+  override string getPath() {
+    if exists(this.(UsesStep).getArgument("path"))
+    then result = this.(UsesStep).getArgument("path")
+    else result = "?"
+  }
 }
 
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
@@ -216,6 +236,8 @@ class GitMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
       )
     )
   }
+
+  override string getPath() { result = getStepCWD() }
 }
 
 /** Checkout of a Pull Request HEAD ref using git within a Run step */
@@ -235,6 +257,8 @@ class GitSHACheckout extends SHACheckoutStep instanceof Run {
       )
     )
   }
+
+  override string getPath() { result = getStepCWD() }
 }
 
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
@@ -256,6 +280,8 @@ class GhMutableRefCheckout extends MutableRefCheckoutStep instanceof Run {
       )
     )
   }
+
+  override string getPath() { result = getStepCWD() }
 }
 
 /** Checkout of a Pull Request HEAD ref using gh within a Run step */
@@ -274,4 +300,6 @@ class GhSHACheckout extends SHACheckoutStep instanceof Run {
       )
     )
   }
+
+  override string getPath() { result = getStepCWD() }
 }

ql/src/Security/CWE-349/CachePoisoning.ql

@@ -1,5 +1,5 @@
 /**
- * @name Cache Poisoning via low-privilege code injection
+ * @name Cache Poisoning via low-privileged code injection
  * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
  * @kind path-problem
  * @problem.severity error

ql/src/Security/CWE-349/CachePoisoningByCodeInjection.ql renamed to ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql

@@ -0,0 +1,90 @@
+/**
+ * @name Cache Poisoning via caching of untrusted files
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/cache-poisoning/direct-cache
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+/**
+ * Holds if the path cache_path is a subpath of the path untrusted_path.
+ */
+bindingset[cache_path, untrusted_path]
+predicate controlledCachePath(string cache_path, string untrusted_path) {
+  exists(string normalized_cache_path, string normalized_untrusted_path |
+    (
+      cache_path.regexpMatch("^[a-zA-Z0-9_-].*") and
+      normalized_cache_path = "./" + cache_path.regexpReplaceAll("/$", "")
+      or
+      normalized_cache_path = cache_path.regexpReplaceAll("/$", "")
+    ) and
+    (
+      untrusted_path.regexpMatch("^[a-zA-Z0-9_-].*") and
+      normalized_untrusted_path = "./" + untrusted_path.regexpReplaceAll("/$", "")
+      or
+      normalized_untrusted_path = untrusted_path.regexpReplaceAll("/$", "")
+    ) and
+    normalized_cache_path.substring(0, normalized_untrusted_path.length()) =
+      normalized_untrusted_path
+  )
+}
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from LocalJob j, Event e, Step source, Step s, string message, string path
+where
+  // the job checkouts untrusted code from a pull request or downloads an untrusted artifact
+  j.getAStep() = source and
+  (
+    source instanceof PRHeadCheckoutStep and
+    message = "due to privilege checkout of untrusted code." and
+    path = source.(PRHeadCheckoutStep).getPath()
+    or
+    source instanceof UntrustedArtifactDownloadStep and
+    message = "due to downloading an untrusted artifact." and
+    path = source.(UntrustedArtifactDownloadStep).getPath()
+  ) and
+  // the checkout/download is not controlled by an access check
+  not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and
+  j.getATriggerEvent() = e and
+  // job can be triggered by an external user
+  e.isExternallyTriggerable() and
+  (
+    // the workflow runs in the context of the default branch
+    runsOnDefaultBranch(e)
+    or
+    // the workflow's caller runs in the context of the default branch
+    e.getName() = "workflow_call" and
+    exists(ExternalJob caller |
+      caller.getCallee() = j.getLocation().getFile().getRelativePath() and
+      runsOnDefaultBranch(caller.getATriggerEvent())
+    )
+  ) and
+  // the job writes to the cache
+  // (No need to follow the checkout/download step since the cache is normally write after the job completes)
+  j.getAStep() = s and
+  s instanceof CacheWritingStep and
+  (
+    // we dont know what code can be controlled by the attacker
+    path = "?"
+    or
+    // we dont know what files are being cached
+    s.(CacheWritingStep).getPath() = "?"
+    or
+    // the cache writing step reads from a path the attacker can control
+    not path = "?" and controlledCachePath(s.(CacheWritingStep).getPath(), path)
+  ) and
+  not s instanceof PoisonableStep
+select s, source, s, "Potential cache poisoning in the context of the default branch " + message

ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql

@@ -0,0 +1,58 @@
+/**
+ * @name Cache Poisoning via execution of untrusted code
+ * @description The cache can be poisoned by untrusted code, leading to a cache poisoning attack.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @security-severity 7.5
+ * @id actions/cache-poisoning/poisonable-step
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-349
+ */
+
+import actions
+import codeql.actions.security.ArtifactPoisoningQuery
+import codeql.actions.security.UntrustedCheckoutQuery
+import codeql.actions.security.CachePoisoningQuery
+import codeql.actions.security.PoisonableSteps
+import codeql.actions.security.ControlChecks
+
+query predicate edges(Step a, Step b) { a.getNextStep() = b }
+
+from LocalJob j, Event e, Step source, Step s, string message, string path
+where
+  // the job checkouts untrusted code from a pull request or downloads an untrusted artifact
+  j.getAStep() = source and
+  (
+    source instanceof PRHeadCheckoutStep and
+    message = "due to privilege checkout of untrusted code." and
+    path = source.(PRHeadCheckoutStep).getPath()
+    or
+    source instanceof UntrustedArtifactDownloadStep and
+    message = "due to downloading an untrusted artifact." and
+    path = source.(UntrustedArtifactDownloadStep).getPath()
+  ) and
+  // the checkout/download is not controlled by an access check
+  not exists(ControlCheck check | check.protects(source, j.getATriggerEvent())) and
+  j.getATriggerEvent() = e and
+  // job can be triggered by an external user
+  e.isExternallyTriggerable() and
+  (
+    // the workflow runs in the context of the default branch
+    runsOnDefaultBranch(e)
+    or
+    // the workflow's caller runs in the context of the default branch
+    e.getName() = "workflow_call" and
+    exists(ExternalJob caller |
+      caller.getCallee() = j.getLocation().getFile().getRelativePath() and
+      runsOnDefaultBranch(caller.getATriggerEvent())
+    )
+  ) and
+  // the job executes checked-out code
+  // (The cache specific token can be leaked even for non-privileged workflows)
+  source.getAFollowingStep() = s and
+  s instanceof PoisonableStep and
+  // excluding privileged workflows since they can be exploited in easier circumstances
+  not j.isPrivileged()
+select s, source, s, "Potential cache poisoning in the context of the default branch " + message

ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql

@@ -0,0 +1,16 @@
+name: Test
+
+on:
+  pull_request_target:
+    branches: [ master, main, dev ]
+
+jobs:
+  test:
+    name: Test
+    runs-on: ubuntu-latest
+    steps:
+      - id: modified_files
+        uses: trilom/[email protected]
+        with:
+          output: ","
+      - run: echo "${{ steps.modified_files.outputs.files_modified }}"