JS: Add more sources, more unit tests, fixes to the GitHub Actions injection query

[JarLob]

No description provided.

[github-actions]

QHelp previews:

javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp

Expression injection in Actions

Using user-controlled input in GitHub Actions may lead to code injection in contexts like run: or script:.

Code injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token might have write access to the repository, allowing an attacker to use the token to make changes to the repository.

Recommendation

The best practice to avoid code injection vulnerabilities in GitHub workflows is to set the untrusted input value of the expression to an intermediate environment variable and then use the environment variable using the native syntax of the shell/script interpreter (that is, not ${{ env.VAR }}).

It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.

Example

The following example lets a user inject an arbitrary shell command:

on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
    - run: |
        echo '${{ github.event.comment.body }}'

The following example uses an environment variable, but still allows the injection because of the use of expression syntax:

on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
    -  env:
        BODY: ${{ github.event.issue.body }}
      run: |
        echo '${{ env.BODY }}'

The following example uses shell syntax to read the environment variable and will prevent the attack:

on: issue_comment

jobs:
  echo-body:
    runs-on: ubuntu-latest
    steps:
    - env:
        BODY: ${{ github.event.issue.body }}
      run: |
        echo '$BODY'

References

• GitHub Security Lab Research: Keeping your GitHub Actions and workflows secure: Untrusted input.
• GitHub Docs: Security hardening for GitHub Actions.
• GitHub Docs: Permissions for the GITHUB_TOKEN.
• Common Weakness Enumeration: CWE-94.

[JarLob]

Sorry for keep pushing new changes. I think I'm done now. Ready for review.

[JarLob]

I made the last commit separate on purpose. Maybe it needs to reverted. I wanted to make the message more clear: instead of injection from github.event.comment.body, injection from ${{ github.event.comment.body }}. However I have noticed that VSCode doubles the curly braces so it becomes ${{{{ github.event.comment.body }}}}. I thought I found the way to display it as I need, but just noticed it is now ${ github.event.comment.body } in the terminal where I ran tests.
I'm open to suggestions how to properly display ${{ }} everywhere... Or is it better to revert?

[JarLob]

Since nobody is reviewing :) I have added support for composite actions.

[adityasharad]

Good stuff. I'm particularly glad to see the modelling of Actions concepts growing, and to see more tests! Some high-level comments about the modelling, and a few minor suggestions on the details.

[adityasharad]

Good stuff. I'm particularly glad to see the modelling of Actions concepts growing, and to see more tests! Some high-level comments about the modelling, and a few minor suggestions on the details.

[JarLob]

Good to be merged?

[asgerf]

Sorry for the delayed review, @aibaars and I will try to get this merged soon.