Add code injection low severity query for step outputs

Author: owen-mc

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -48,6 +48,22 @@ Event getRelevantCachePoisoningEventForSink(DataFlow::Node sink) {
   )
 }
 
+private predicate codeInjectionAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+  exists(Uses step |
+    pred instanceof FileSource and
+    pred.asExpr().(Step).getAFollowingStep() = step and
+    succ.asExpr() = step and
+    madSink(succ, "code-injection")
+  )
+  or
+  exists(Run run |
+    pred instanceof FileSource and
+    pred.asExpr().(Step).getAFollowingStep() = run and
+    succ.asExpr() = run.getScript() and
+    exists(run.getScript().getAFileReadCommand())
+  )
+}
+
 /**
  * A taint-tracking configuration for unsafe user input
  * that is used to construct and evaluate a code script.
@@ -58,19 +74,7 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
 
   predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(Uses step |
-      pred instanceof FileSource and
-      pred.asExpr().(Step).getAFollowingStep() = step and
-      succ.asExpr() = step and
-      madSink(succ, "code-injection")
-    )
-    or
-    exists(Run run |
-      pred instanceof FileSource and
-      pred.asExpr().(Step).getAFollowingStep() = run and
-      succ.asExpr() = run.getScript() and
-      exists(run.getScript().getAFileReadCommand())
-    )
+    codeInjectionAdditionalFlowStep(pred, succ)
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
@@ -87,6 +91,64 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
 
+private predicate knownSafeAction(string action) {
+  action =
+    [
+      // Setup actions - version/cache outputs are deterministic
+      "actions/setup-java",
+      "actions/setup-python",
+      "actions/setup-node",
+      "actions/setup-go",
+      "actions/setup-dotnet",
+      "actions/cache",
+      "actions/download-artifact",
+      "actions/configure-pages",
+      "actions/attest-build-provenance",
+      "actions/create-github-app-token",
+      "oracle-actions/setup-java",
+      "spring-io/artifactory-deploy-action",
+      "YunaBraska/java-info-action",
+      // Docker actions - digest/version outputs are system-generated
+      "docker/build-push-action",
+      "docker/metadata-action",
+      "docker/setup-buildx-action",
+      // PR/repo automation - outputs are GitHub-assigned identifiers
+      "dorny/test-reporter",
+      "peter-evans/create-pull-request",
+      // AWS actions - outputs are AWS-generated identifiers
+      "aws-actions/aws-codebuild-run-build",
+      // Security/crypto actions - outputs are cryptographic, not user-controllable
+      "crazy-max/ghaction-import-gpg",
+      // Hardware/system info actions - outputs are deterministic
+      "SimonShi1994/cpu-cores"
+    ]
+}
+
+/**
+ * A taint-tracking configuration for step outputs
+ * that are used to construct and evaluate a code script.
+ */
+private module CodeInjectionFromStepOutputConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(StepOutputExpression soe, UsesStep us |
+      soe = source.asExpr() and soe.getStepId() = us.getId()
+    |
+      not knownSafeAction(us.getCallee())
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof CodeInjectionSink }
+
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    codeInjectionAdditionalFlowStep(pred, succ)
+  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
+module CodeInjectionFromStepOutputFlow = TaintTracking::Global<CodeInjectionFromStepOutputConfig>;
+
 /**
  * Holds if there is a code injection flow from `source` to `sink` with
  * critical severity, linked by `event`.
@@ -110,6 +172,16 @@ predicate mediumSeverityCodeInjection(
   not isGithubScriptUsingToJson(sink.getNode().asExpr())
 }
 
+/**
+ * Holds if there is a code injection flow from `source` to `sink` with low severity.
+ */
+predicate lowSeverityCodeInjection(
+  CodeInjectionFromStepOutputFlow::PathNode source, CodeInjectionFromStepOutputFlow::PathNode sink
+) {
+  CodeInjectionFromStepOutputFlow::flowPath(source, sink) and
+  not isGithubScriptUsingToJson(sink.getNode().asExpr())
+}
+
 /**
  * Holds if `expr` is the `script` input to `actions/github-script` and it uses
  * `toJson`.

actions/ql/src/Security/CWE-094/CodeInjectionLow.md

@@ -0,0 +1,80 @@
+## Overview
+
+Using user-controlled input in GitHub Actions may lead to code injection in contexts like _run:_ or _script:_.
+
+Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing an attacker to make changes to the repository.
+
+## Recommendation
+
+The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not _${{ env.VAR }}_).
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Example
+
+### Incorrect Usage
+
+The following example lets attackers inject an arbitrary shell command:
+
+```yaml
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+      - run: |
+          echo '${{ github.event.comment.body }}'
+```
+
+The following example uses an environment variable, but **still allows the injection** because of the use of expression syntax:
+
+```yaml
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+    -  env:
+        BODY: ${{ github.event.issue.body }}
+      run: |
+        echo '${{ env.BODY }}'
+```
+
+### Correct Usage
+
+The following example uses shell syntax to read the environment variable and will prevent the attack:
+
+```yaml
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+      - env:
+          BODY: ${{ github.event.issue.body }}
+        run: |
+          echo "$BODY"
+```
+
+The following example uses `process.env` to read environment variables within JavaScript code.
+
+```yaml
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: uses: actions/github-script@v4
+        env:
+          BODY: ${{ github.event.issue.body }}
+        with:
+          script: |
+            const { BODY } = process.env
+            ...
+```
+
+## References
+
+- GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input).
+- GitHub Docs: [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions).
+- GitHub Docs: [Permissions for the GITHUB_TOKEN](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).

actions/ql/src/Security/CWE-094/CodeInjectionLow.ql

@@ -0,0 +1,26 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 5.0
+ * @precision low
+ * @id actions/code-injection/low
+ * @tags actions
+ *       security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import actions
+import codeql.actions.security.CodeInjectionQuery
+import CodeInjectionFromStepOutputFlow::PathGraph
+
+from
+  CodeInjectionFromStepOutputFlow::PathNode source, CodeInjectionFromStepOutputFlow::PathNode sink
+where lowSeverityCodeInjection(source, sink)
+select sink.getNode(), source, sink,
+  "Potential code injection in $@, which may be controlled by an external user because it comes from a step output.",
+  sink, sink.getNode().asExpr().(Expression).getRawExpression()