Conversation

JarLob
Contributor

@JarLob JarLob commented Mar 6, 2021

No description provided.

@JarLob JarLob requested a review from a team as a code owner March 6, 2021 08:30
@JarLob
Contributor Author

JarLob commented Mar 6, 2021

Initially developed by @adityasharad; I have made a few improvements.

@erik-krogh erik-krogh self-assigned this Mar 8, 2021
Contributor

@erik-krogh erik-krogh left a comment

Nice work.

I think it should be possible to make these queries more precise.
E.g. looking for a build step that executes code in pull_request_target.ql.
But that's for another time, the queries look good for experimental as they are.

The autoformatter is failing on pull_request_target.ql.
(I can probably fix that for you if you want).

JarLob and others added 4 commits March 15, 2021 18:14
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
@JarLob
Contributor Author

JarLob commented Mar 15, 2021

The autoformatter is failing on pull_request_target.ql.
(I can probably fix that for you if you want).

Tried the format command, but it doesn't change anything in the document, please check.

Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
@JarLob
Contributor Author

JarLob commented Mar 15, 2021

I see it fails on a test complaining about regex. Interestingly, it works fine locally when I run just these two tests. Any idea how to fix?

JarLob and others added 2 commits March 17, 2021 19:49
Contributor

@erik-krogh erik-krogh left a comment

I think we are good to go for merging into experimental.

Could you give me a ping when you get CVEs from these queries (I didn't find CVEs in your published advisories, but I also didn't look very hard).
Because such CVEs could be helpful for improving the queries, and from there get the queries into the default suite.

@JarLob
Contributor Author

JarLob commented Mar 18, 2021

We decided not to request CVEs because these queries find vulnerabilities in CI/CD configuration, but not in a final product. Since there is no immediate action a consumer would need to take, like upgrade to the new version, it made no sense to request CVEs.

These articles may be useful to improve the queries in the future:
https://securitylab.github.com/research/github-actions-preventing-pwn-requests
https://securitylab.github.com/research/github-actions-untrusted-input

If you want to examine real world occurrences, look here: https://securitylab.github.com/advisories. At the moment there are ~100 workflow related reports.
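As an added illustration of the CI/CD misconfiguration these queries and the linked articles describe (this is not the pull_request_target.ql query itself, nor code from this PR), a stdlib-only heuristic for the "pwn request" shape: a workflow triggered on pull_request_target that checks out the pull request head and then runs a shell step, so attacker-controlled build files run with the base repository's secrets. It assumes the workflow has already been loaded into a dict (for example by yaml.safe_load); the sample workflows are constructed.

```python
# Added example, not the CodeQL query from this PR: a stdlib-only heuristic for
# the "pwn request" shape that pull_request_target.ql targets. Input is a
# workflow already loaded into a dict (e.g. by yaml.safe_load); no YAML parsing
# is done here.

PR_HEAD = "github.event.pull_request.head."  # sha/ref of the untrusted head


def _triggers(workflow):
    """Trigger names of the workflow. PyYAML loads the bare key `on` as the
    YAML 1.1 boolean True, so both spellings of the key are accepted."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def find_pwn_requests(workflow):
    """Return (job_id, step_index) of the first `run` step in each job that
    follows a checkout of the PR head under a pull_request_target trigger."""
    findings = []
    if "pull_request_target" not in _triggers(workflow):
        return findings
    for job_id, job in (workflow.get("jobs") or {}).items():
        pr_head_checked_out = False
        for i, step in enumerate(job.get("steps") or []):
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and PR_HEAD in ref:
                pr_head_checked_out = True
            elif pr_head_checked_out and "run" in step:
                findings.append((job_id, i))  # build runs untrusted files
                break
    return findings


# Constructed sample: PR head checked out, then built with secrets available.
VULNERABLE = {
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v2",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm install && npm test"},
    ]}},
}

# Constructed sample: same job under plain pull_request (no secrets for forks).
SAFE = {"on": ["pull_request"], "jobs": {"build": {"steps": [
    {"uses": "actions/checkout@v2"}, {"run": "npm install && npm test"}]}}}
```

The heuristic flags only a checkout of the PR head followed by a `run` step; it does not model the script-injection variant from the untrusted-input article, where `${{ github.event.* }}` values are interpolated into a `run` command.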

@erik-krogh erik-krogh merged commit 6bab41c into github:main Mar 18, 2021