I Al Istannen and Simon Gerst discovered that an XML parser used by the CodeQL CLI to read various auxiliary files was vulnerable to XXE.
Impact
If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to a URL that contains material read from a local file chosen by the attacker. This may result in exfiltration of secrets from the local file system.
Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted.
A single untrusted .ql or .qll file cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system.
The typical use case for customers of GitHub Advanced Security code scanning on GitHub.com or GitHub Enterprise Server -- using CodeQL for routine analysis of source trees with a preselected set of trusted query packs -- is not affected. In particular, extracting XML files from a source tree into the CodeQL database is not vulnerable.
(Note that, independently of this security advisory, using CodeQL to analyze an untrusted source tree inherently involves running build commands provided in that source tree, so this should only ever be done in an appropriately locked-down and sandboxed environment. If the database produced during such an analysis is subsequently copied out of the sandbox for offline analysis, it should be treated as untrusted).
Patches
The problem is fixed in release 2.16.3 of the CodeQL CLI, published on 2024-02-22.
Security researchers and QL authors using the default settings of the CodeQL extension for Visual Studio will be automatically prompted to upgrade to the latest version of the CodeQL CLI. If using a specific local version of the CodeQL CLI, please update this local version to 2.16.3 or later.
Optional updates:
- Customers using the default settings for code scanning on GitHub.com do not need to take any action to upgrade to this version.
- Customers using a specific
tools version in code scanning advanced setup workflows on GitHub.com may optionally choose to update this tools URL, or remove the field to use the latest version of CodeQL by default.
- Customers on GitHub Enterprise Server may optionally choose to upgrade the version of CodeQL used in their code scanning Actions workflows using GitHub Connect or the CodeQL Action Sync Tool - see this documentation for more information.
- Customers using the CodeQL CLI in a third-party CI system may optionally choose to update to the latest version of CodeQL.
Workarounds
Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection.
GHAS customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe.
If such customers have a private query pack and use the codeql pack create command to precompile them before using them in the CI system, they should be using the production CodeQL release to run codeql pack create. That command is safe as long as the QL source it precompiles is trusted. We recommend that all other development of the query pack should use an upgraded CLI.
References
https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXELocal.ql is a CodeQL query that would have found this vulnerability. It is usually disabled because a high risk of false positives. Java projects that know they will never need to parse XML that depends on document-provided DTDs may want to enable it in their own CodeQL analysis.
intrigus-lgtm Reporter
I-Al-Istannen Reporter
I Al Istannen and Simon Gerst discovered that an XML parser used by the CodeQL CLI to read various auxiliary files was vulnerable to XXE.
Impact
If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database, or a specially prepared set of QL query sources, the CLI can be made to make an outgoing HTTP request to a URL that contains material read from a local file chosen by the attacker. This may result in exfiltration of secrets from the local file system.
Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted.
A single untrusted
.qlor.qllfile cannot be affected, but a zip archive or tarball containing QL sources may unpack auxiliary files that will trigger an attack when CodeQL sees them in the file system.The typical use case for customers of GitHub Advanced Security code scanning on GitHub.com or GitHub Enterprise Server -- using CodeQL for routine analysis of source trees with a preselected set of trusted query packs -- is not affected. In particular, extracting XML files from a source tree into the CodeQL database is not vulnerable.
(Note that, independently of this security advisory, using CodeQL to analyze an untrusted source tree inherently involves running build commands provided in that source tree, so this should only ever be done in an appropriately locked-down and sandboxed environment. If the database produced during such an analysis is subsequently copied out of the sandbox for offline analysis, it should be treated as untrusted).
Patches
The problem is fixed in release 2.16.3 of the CodeQL CLI, published on 2024-02-22.
Security researchers and QL authors using the default settings of the CodeQL extension for Visual Studio will be automatically prompted to upgrade to the latest version of the CodeQL CLI. If using a specific local version of the CodeQL CLI, please update this local version to 2.16.3 or later.
Optional updates:
toolsversion in code scanning advanced setup workflows on GitHub.com may optionally choose to update thistoolsURL, or remove the field to use the latest version of CodeQL by default.Workarounds
Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection.
GHAS customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe.
If such customers have a private query pack and use the
codeql pack createcommand to precompile them before using them in the CI system, they should be using the production CodeQL release to runcodeql pack create. That command is safe as long as the QL source it precompiles is trusted. We recommend that all other development of the query pack should use an upgraded CLI.References
https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXELocal.ql is a CodeQL query that would have found this vulnerability. It is usually disabled because a high risk of false positives. Java projects that know they will never need to parse XML that depends on document-provided DTDs may want to enable it in their own CodeQL analysis.