github
diff --git a/‎ql/lib/codeql/actions/Ast.qll
Lines changed: 36 additions & 2 deletions b/‎ql/lib/codeql/actions/Ast.qll
Lines changed: 36 additions & 2 deletions
diff --git a/‎ql/lib/codeql/actions/dataflow/FlowSources.qll
Lines changed: 133 additions & 69 deletions b/‎ql/lib/codeql/actions/dataflow/FlowSources.qll
Lines changed: 133 additions & 69 deletions
@@ -46,18 +46,39 @@ module Utils {
 
   bindingset[var]
   private string multilineAssignmentRegex(string var) {
+    // eg:
+    // echo "PR_TITLE<<EOF" >> $GITHUB_ENV
+    // echo "$TITLE" >> $GITHUB_ENV
+    // echo "EOF" >> $GITHUB_ENV
     result =
-      ".*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
+      ".*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
         + var.toUpperCase() + "(\\})?(\"|')?.*"
   }
 
   bindingset[var]
   private string multilineBlockAssignmentRegex(string var) {
+    // eg:
+    // {
+    //   echo 'JSON_RESPONSE<<EOF'
+    //   echo "$TITLE" >> "$GITHUB_ENV"
+    //   echo EOF
+    // } >> "$GITHUB_ENV"
     result =
-      ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
+      ".*\\{(\\s|::NEW_LINE::)*(echo|Write-Output)\\s+(.*)<<[\\-]*\\s*([A-Z]*)EOF(.+)(echo|Write-Output)\\s+(\"|')?([A-Z]*)EOF(\"|')?(\\s|::NEW_LINE::)*\\}\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_"
         + var.toUpperCase() + "(\\})?(\"|')?.*"
   }
 
+  bindingset[var]
+  private string multilineHereDocAssignmentRegex(string var) {
+    // eg:
+    // cat <<-EOF >> "$GITHUB_ENV"
+    //   echo "FOO=$TITLE"
+    // EOF
+    result =
+      ".*cat\\s*<<[\\-]*\\s*[A-Z]*EOF\\s*>>\\s*[\"']*\\$[\\{]*GITHUB_.*" + var.toUpperCase() +
+        "[\\}]*[\"']*.*(echo|Write-Output)\\s+([^=]+)=(.*)::NEW_LINE::.*EOF.*"
+  }
+
   bindingset[script, var]
   predicate extractMultilineAssignment(string script, string var, string key, string value) {
     // multiline assignment
@@ -87,6 +108,19 @@ module Utils {
               .splitAt("\n") + ")" and
       key = trimQuotes(flattenedScript.regexpCapture(multilineBlockAssignmentRegex(var), 3))
     )
+    or
+    // multiline heredoc assignment
+    exists(string flattenedScript |
+      flattenedScript = script.replaceAll("\n", "::NEW_LINE::") and
+      value =
+        trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 3))
+            .regexpReplaceAll("\\s*>>\\s*(\"|')?\\$(\\{)?GITHUB_" + var.toUpperCase() +
+                "(\\})?(\"|')?", "")
+            .replaceAll("::NEW_LINE::", "\n")
+            .trim()
+            .splitAt("\n") and
+      key = trimQuotes(flattenedScript.regexpCapture(multilineHereDocAssignmentRegex(var), 2))
+    )
   }
 
   bindingset[line]
 
@@ -1,5 +1,3 @@
-private import actions
-private import codeql.actions.DataFlow
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.security.ArtifactPoisoningQuery
 
@@ -22,152 +20,218 @@ abstract class RemoteFlowSource extends SourceNode {
 }
 
 bindingset[context]
-private predicate isExternalUserControlled(string context) {
-  exists(string reg | reg = "github\\.event" |
+private predicate titleEvent(string context) {
+  exists(string reg |
+    reg =
+      [
+        // title
+        "github\\.event\\.issue\\.title", // issue
+        "github\\.event\\.pull_request\\.title", // pull request
+        "github\\.event\\.discussion\\.title", // discussion
+        "github\\.event\\.pages\\[[0-9]+\\]\\.page_name",
+        "github\\.event\\.pages\\[[0-9]+\\]\\.title",
+        "github\\.event\\.workflow_run\\.display_title", // The event-specific title associated with the run or the run-name if set, or the value of run-name if it is set in the workflow.
+      ]
+  |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledIssue(string context) {
-  exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] |
+private predicate urlEvent(string context) {
+  exists(string reg |
+    reg =
+      [
+        // url
+        "github\\.event\\.pull_request\\.head\\.repo\\.homepage",
+      ]
+  |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledPullRequest(string context) {
+private predicate textEvent(string context) {
   exists(string reg |
     reg =
       [
-        "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body",
-        "github\\.event\\.pull_request\\.head\\.label",
-        "github\\.event\\.pull_request\\.head\\.repo\\.default_branch",
-        "github\\.event\\.pull_request\\.head\\.repo\\.description",
-        "github\\.event\\.pull_request\\.head\\.repo\\.homepage",
-        "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref"
+        // text
+        "github\\.event\\.issue\\.body", // body
+        "github\\.event\\.pull_request\\.body", // body
+        "github\\.event\\.discussion\\.body", // body
+        "github\\.event\\.review\\.body", // body
+        "github\\.event\\.comment\\.body", // body
+        "github\\.event\\.commits\\[[0-9]+\\]\\.message", // messsage
+        "github\\.event\\.head_commit\\.message", // message
+        "github\\.event\\.workflow_run\\.head_commit\\.message", // message
+        "github\\.event\\.pull_request\\.head\\.repo\\.description", // description
+        "github\\.event\\.workflow_run\\.head_repository\\.description", // description
+        "github\\.event\\.client_payload\\[[0-9]+\\]", // payload
+        "github\\.event\\.client_payload", // payload
+        "github\\.event\\.inputs\\[[0-9]+\\]", // input
+        "github\\.event\\.inputs", // input
       ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledReview(string context) {
-  Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body"))
+private predicate repoNameEvent(string context) {
+  exists(string reg |
+    reg =
+      [
+        // repo name
+        // Owner: All characters must be either a hyphen (-) or alphanumeric
+        // Repo: All code points must be either a hyphen (-), an underscore (_), a period (.), or an ASCII alphanumeric code point
+        "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name", // repo name
+        "github\\.event\\.workflow_run\\.head_repository\\.name", // repo name
+        "github\\.event\\.workflow_run\\.head_repository\\.full_name", // nwo
+      ]
+  |
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
+  )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledComment(string context) {
-  Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body"))
+private predicate branchEvent(string context) {
+  exists(string reg |
+    reg =
+      [
+        // branch
+        // https://docs.github.com/en/get-started/using-git/dealing-with-special-characters-in-branch-and-tag-names
+        // - They can include slash / for hierarchical (directory) grouping, but no slash-separated component can begin with a dot . or end with the sequence .lock.
+        // - They must contain at least one /
+        // - They cannot have two consecutive dots .. anywhere.
+        // - They cannot have ASCII control characters (i.e. bytes whose values are lower than \040, or \177 DEL), space, tilde ~, caret ^, or colon : anywhere.
+        // - They cannot have question-mark ?, asterisk *, or open bracket [ anywhere.
+        // - They cannot begin or end with a slash / or contain multiple consecutive slashes
+        // - They cannot end with a dot .
+        // - They cannot contain a sequence @{
+        // - They cannot be the single character @
+        // - They cannot contain a \
+        // eg: zzz";echo${IFS}"hello";# would be a valid branch name
+        "github\\.event\\.pull_request\\.head\\.repo\\.default_branch",
+        "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref",
+        "github\\.event\\.workflow_run\\.head_branch",
+        "github\\.event\\.workflow_run\\.head_branch",
+        "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref",
+      ]
+  |
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
+  )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledGollum(string context) {
+private predicate labelEvent(string context) {
   exists(string reg |
     reg =
       [
-        "github\\.event\\.pages\\[[0-9]+\\]\\.page_name",
-        "github\\.event\\.pages\\[[0-9]+\\]\\.title"
+        // label
+        // - They cannot contain a escaping \
+        "github\\.event\\.pull_request\\.head\\.label",
       ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledCommit(string context) {
+private predicate emailEvent(string context) {
   exists(string reg |
     reg =
       [
-        "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message",
+        // email
+        // `echo${IFS}hello`@domain.com
         "github\\.event\\.head_commit\\.author\\.email",
-        "github\\.event\\.head_commit\\.author\\.name",
         "github\\.event\\.head_commit\\.committer\\.email",
-        "github\\.event\\.head_commit\\.committer\\.name",
         "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email",
-        "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name",
         "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email",
-        "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name",
+        "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",
+        "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email",
       ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledDiscussion(string context) {
+private predicate usernameEvent(string context) {
   exists(string reg |
-    reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"]
+    reg =
+      [
+        // username
+        // All characters must be either a hyphen (-) or alphanumeric
+        "github\\.event\\.head_commit\\.author\\.name",
+        "github\\.event\\.head_commit\\.committer\\.name",
+        "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name",
+        "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name",
+        "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",
+        "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name",
+      ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledWorkflowRun(string context) {
+private predicate pathEvent(string context) {
   exists(string reg |
     reg =
       [
-        "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch",
-        "github\\.event\\.workflow_run\\.display_title",
-        "github\\.event\\.workflow_run\\.head_branch",
-        "github\\.event\\.workflow_run\\.head_repository\\.description",
-        "github\\.event\\.workflow_run\\.head_repository\\.full_name",
-        "github\\.event\\.workflow_run\\.head_repository\\.name",
-        "github\\.event\\.workflow_run\\.head_commit\\.message",
-        "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",
-        "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",
-        "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email",
-        "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name",
-        "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.ref",
-        "github\\.event\\.workflow_run\\.pull_requests\\[[0-9]+\\]\\.head\\.repo\\.name",
+        // filename
+        "github\\.event\\.workflow\\.path",
       ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
-private predicate isExternalUserControlledRepositoryDispatch(string context) {
+private predicate jsonEvent(string context) {
   exists(string reg |
-    reg = ["github\\.event\\.client_payload\\[[0-9]+\\]", "github\\.event\\.client_payload",]
+    reg =
+      [
+        // json
+        "github\\.event",
+      ]
   |
     Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
-bindingset[context]
-private predicate isExternalUserControlledWorkflowDispatch(string context) {
-  exists(string reg | reg = ["github\\.event\\.inputs\\[[0-9]+\\]", "github\\.event\\.inputs",] |
-    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
-  )
-}
+class EventSource extends RemoteFlowSource {
+  string flag;
 
-private class EventSource extends RemoteFlowSource {
   EventSource() {
     exists(Expression e, string context | this.asExpr() = e and context = e.getExpression() |
-      isExternalUserControlled(context) or
-      isExternalUserControlledIssue(context) or
-      isExternalUserControlledPullRequest(context) or
-      isExternalUserControlledReview(context) or
-      isExternalUserControlledComment(context) or
-      isExternalUserControlledGollum(context) or
-      isExternalUserControlledCommit(context) or
-      isExternalUserControlledDiscussion(context) or
-      isExternalUserControlledWorkflowRun(context) or
-      isExternalUserControlledRepositoryDispatch(context) or
-      isExternalUserControlledWorkflowDispatch(context)
+      titleEvent(context) and flag = "title"
+      or
+      urlEvent(context) and flag = "url"
+      or
+      textEvent(context) and flag = "text"
+      or
+      branchEvent(context) and flag = "branch"
+      or
+      labelEvent(context) and flag = "label"
+      or
+      emailEvent(context) and flag = "email"
+      or
+      usernameEvent(context) and flag = "username"
+      or
+      pathEvent(context) and flag = "filename"
+      or
+      jsonEvent(context) and flag = "json"
     )
   }
 
-  override string getSourceType() { result = "User-controlled events" }
+  override string getSourceType() { result = flag }
 }
 
 /**
  * A Source of untrusted data defined in a MaD specification
  */
-private class ExternallyDefinedSource extends RemoteFlowSource {
+class ExternallyDefinedSource extends RemoteFlowSource {
   string sourceType;
 
   ExternallyDefinedSource() { externallyDefinedSource(this, sourceType, _) }
@@ -178,19 +242,19 @@ private class ExternallyDefinedSource extends RemoteFlowSource {
 /**
  * An input for a Composite Action
  */
-private class CompositeActionInputSource extends RemoteFlowSource {
+class CompositeActionInputSource extends RemoteFlowSource {
   CompositeAction c;
 
   CompositeActionInputSource() { c.getAnInput() = this.asExpr() }
 
-  override string getSourceType() { result = "Composite action input" }
+  override string getSourceType() { result = "input" }
 }
 
 /**
  * A downloadeded artifact.
  */
-private class ArtifactToOptionSource extends RemoteFlowSource {
-  ArtifactToOptionSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep }
+private class ArtifactSource extends RemoteFlowSource {
+  ArtifactSource() { this.asExpr() instanceof UntrustedArtifactDownloadStep }
 
-  override string getSourceType() { result = "Step output from Artifact" }
+  override string getSourceType() { result = "artifact" }
 }