add query to detect use of actions libs
Robert Brignull
committed
Aug 17, 2020
1 parent
e9efcf1
commit f92a680
Showing
1 changed file
with
108 additions
and
0 deletions.
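--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,108 @@
+/**
+ * @name Unguarded actions library use
+ * @description Code that runs outside of GitHub Actions tries to use a library that should only be used when running on actions.
+ * @kind problem
+ * @problem.severity error
+ * @id javascript/codeql-action/unguarded-action-lib
+ */
+
+import javascript
+
+/**
+ * An import from a library that is meant for GitHub Actions and
+ * we do not want to be using outside of actions.
+ */
+class ActionsLibImport extends ImportDeclaration {
+ActionsLibImport() {
+getImportedPath().getValue().matches("@actions/%")
+}
+
+string getName() {
+result = getImportedPath().getValue()
+}
+
+Variable getAProvidedVariable() {
+result = getASpecifier().getLocal().getVariable()
+}
+}
+
+/**
+ * An entrypoint to the CLI.
+ */
+class ClIEntrypoint extends Function {
+ClIEntrypoint() {
+getFile().getAbsolutePath().matches("%/cli.ts")
+}
+}
+
+/**
+ * A check of whether we are in actions mode or CLI mode.
+ */
+class ModeGuard extends IfStmt {
+ModeGuard() {
+getCondition().(EqualityTest).getAnOperand().(StringLiteral).getValue() = "actions" or
+getCondition().(EqualityTest).getAnOperand().(StringLiteral).getValue() = "cli"
+}
+
+string getOperand() {
+result = getCondition().(EqualityTest).getAnOperand().(StringLiteral).getValue()
+}
+
+predicate isPositive() {
+getCondition().(EqualityTest).getPolarity() = true
+}
+
+/**
+ * Get the then or else block that is the "actions" path.
+ */
+Stmt getActionsBlock() {
+(getOperand() = "actions" and isPositive() and result = getThen())
+or
+(getOperand() = "cli" and not isPositive() and result = getThen())
+or
+(getOperand() = "actions" and not isPositive() and result = getElse())
+or
+(getOperand() = "cli" and isPositive() and result = getElse())
+}
+
+/**
+ * Get an expr that is only executed on actions
+ */
+Expr getAnActionsExpr() {
+getActionsBlock().getAChildStmt*().getAChildExpr*() = result
+}
+}
+
+/**
+ * Any expr that is a transitive child of the given function
+ * and is not only called on actions.
+ */
+Expr getAFunctionChildExpr(Function f) {
+not exists(ModeGuard guard | guard.getAnActionsExpr() = result) and
+result.getContainer() = f
+}
+
+/*
+ * Result is a function that is called from the body of the given function `f`
+ * and is not only called on actions.
+ */
+Function calledBy(Function f) {
+exists(InvokeExpr invokeExpr |
+invokeExpr = getAFunctionChildExpr(f) and
+invokeExpr.getResolvedCallee() = result and
+not exists(ModeGuard guard | guard.getAnActionsExpr() = invokeExpr)
+)
+or
+// Assume outer function causes inner function to be called
+(result instanceof Expr and
+result.getEnclosingContainer() = f and
+not exists(ModeGuard guard | guard.getAnActionsExpr() = result))
+}
+
+from VarAccess v, ActionsLibImport actionsLib, ClIEntrypoint cliEntry
+where actionsLib.getAProvidedVariable() = v.getVariable()
+and getAFunctionChildExpr(calledBy*(cliEntry)) = v
+select v, "$@ is imported from $@ and this code can be called from $@",
+v, v.getName(),
+actionsLib, actionsLib.getName(),
+cliEntry, "the CLI"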
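Review bot: The comment above `calledBy` (the `Result is a function that is called from the body...` block) opens with `/*` rather than `/**`, so unlike every other declaration in this file it is not a QLDoc comment and will not be surfaced by tooling; change the opener to `/**`. The class name `ClIEntrypoint` reads as a typo for `CLIEntrypoint` (a lower-case `l` between two capitals) and is easy to mis-type at use sites such as the `from` clause. In the first disjunct of `calledBy`, `not exists(ModeGuard guard | guard.getAnActionsExpr() = invokeExpr)` repeats the exclusion that `getAFunctionChildExpr` already applies to `invokeExpr`, so that conjunct can be dropped. `ModeGuard` only recognises an `if` whose condition compares directly against the string literal `"actions"` or `"cli"`, so a mode check routed through a variable or helper predicate, or a guard written as an early `return` instead of a then/else block, would presumably not be classified as actions-only code and could yield false positives; a QLDoc sentence on `ModeGuard` stating that limitation would help readers triage the results.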