Merge branch 'main' into henrymercer/remove-unused-env-var
Showing
8 changed files
with
138 additions
and
12 deletions.
@@ -0,0 +1,14 @@ | ||
--- | ||
lockVersion: 1.0.0 | ||
dependencies: | ||
codeql-javascript: | ||
version: 0.6.1 | ||
codeql/regex: | ||
version: 0.0.12 | ||
codeql/tutorial: | ||
version: 0.0.9 | ||
codeql/util: | ||
version: 0.0.9 | ||
codeql/yaml: | ||
version: 0.0.1 | ||
compiled: false |
@@ -1,4 +1,4 @@ | ||
name: codeql-action-custom-queries-javascript | ||
version: 0.0.0 | ||
libraryPathDependencies: codeql-javascript | ||
|
||
dependencies: | ||
codeql/javascript-all: 0.6.1 |
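--- /dev/null
+++ b/queries/default-setup-environment-variables.ql
@@ -0,0 +1,52 @@
+/**
+* @name Some environment variables may not exist in default setup workflows
+* @id javascript/codeql-action/default-setup-env-vars
+* @kind problem
+* @severity warning
+*/
+
+import javascript
+
+bindingset[envVar]
+predicate isSafeForDefaultSetup(string envVar) {
+// Ignore internal Code Scanning environment variables
+envVar.matches("CODE_SCANNING_%") or
+envVar.matches("CODEQL_%") or
+envVar.matches("CODESCANNING_%") or
+envVar.matches("LGTM_%") or
+// We flag up usage of potentially unsafe parts of the GitHub event in `default-setup-event-context.ql`.
+envVar = "GITHUB_EVENT_PATH" or
+// The following environment variables are known to be safe for use with default setup
+envVar =
+[
+"GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",
+"GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
+"GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
+"GITHUB_WORKSPACE", "GOFLAGS", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH", "RUNNER_NAME", "RUNNER_OS",
+"RUNNER_TEMP", "RUNNER_TOOL_CACHE"
+]
+}
+
+predicate envVarRead(DataFlow::Node node, string envVar) {
+node =
+any(DataFlow::PropRead read |
+read = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead() and
+envVar = read.getPropertyName()
+) or
+node =
+any(DataFlow::CallNode call |
+call.getCalleeName().matches("get%EnvParam") and
+envVar = call.getArgument(0).getStringValue()
+)
+}
+
+from DataFlow::Node read, string envVar
+where
+envVarRead(read, envVar) and
+not isSafeForDefaultSetup(envVar)
+select read,
+"The environment variable " + envVar +
+" may not exist in default setup workflows. If all uses are safe, add it to the list of " +
+"environment variables that are known to be safe in " +
+"'queries/default-setup-environment-variables.ql'. If this use is safe but others are not, " +
+"dismiss this alert as a false positive."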
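Review bot: `envVarRead` silently drops any read whose name is not statically known, because both `envVar = read.getPropertyName()` and `envVar = call.getArgument(0).getStringValue()` have no result for a computed key or a non-literal helper argument, and a read with no `envVar` never reaches the allowlist check. Since the query's contract is "report everything not on the allowlist", that is the fail-open direction: the accesses hardest to audit by hand are exactly the ones that produce no alert. A third branch that reports such reads under a sentinel name would keep the query fail-closed; the sentinel never matches `isSafeForDefaultSetup`, so it is always flagged, and the existing message still reads sensibly. This assumes the no-argument `getAPropertyRead()` also matches computed-key reads, which looks to be the case here but is worth confirming against the JavaScript library.
```ql
predicate envVarRead(DataFlow::Node node, string envVar) {
  // … unchanged: the two statically-named cases …
  or
  // Fail closed: a `process.env[...]` read whose key cannot be resolved statically is
  // reported under a sentinel so it still surfaces for review rather than vanishing.
  node = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead() and
  not exists(node.(DataFlow::PropRead).getPropertyName()) and
  envVar = "<non-literal>"
}
```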
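--- /dev/null
+++ b/default-setup-event-context.ql
@@ -0,0 +1,58 @@
+/**
+* @name Some context properties may not exist in default setup workflows
+* @id javascript/codeql-action/default-setup-context-properties
+* @kind path-problem
+* @severity warning
+*/
+
+import javascript
+import DataFlow::PathGraph
+
+class NotParsedLabel extends DataFlow::FlowLabel {
+NotParsedLabel() { this = "not-parsed" }
+}
+
+class ParsedLabel extends DataFlow::FlowLabel {
+ParsedLabel() { this = "parsed" }
+}
+
+class EventContextAccessConfiguration extends DataFlow::Configuration {
+EventContextAccessConfiguration() { this = "EventContextAccessConfiguration" }
+
+override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
+source = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead("GITHUB_EVENT_PATH") and
+lbl instanceof NotParsedLabel
+}
+
+override predicate isSink(DataFlow::Node sink, DataFlow::FlowLabel lbl) {
+sink instanceof DataFlow::PropRead and
+lbl instanceof ParsedLabel and
+not exists(DataFlow::PropRead n | sink = n.getBase()) and
+not sink.asExpr().getFile().getBaseName().matches("%.test.ts")
+}
+
+override predicate isAdditionalFlowStep(
+DataFlow::Node src, DataFlow::Node trg, DataFlow::FlowLabel inlbl, DataFlow::FlowLabel outlbl
+) {
+src = trg.(FileSystemReadAccess).getAPathArgument() and inlbl = outlbl
+or
+exists(JsonParserCall c |
+src = c.getInput() and
+trg = c.getOutput() and
+inlbl instanceof NotParsedLabel and
+outlbl instanceof ParsedLabel
+)
+or
+(
+TaintTracking::sharedTaintStep(src, trg) or
+DataFlow::SharedFlowStep::step(src, trg) or
+DataFlow::SharedFlowStep::step(src, trg, _, _)
+) and
+inlbl = outlbl
+}
+}
+
+from EventContextAccessConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink,
+"This event context property may not exist in default setup workflows."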
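Review bot: `isSource` seeds the flow only from the direct `process.env.GITHUB_EVENT_PATH` property read, so an event path obtained through a `get%EnvParam` helper call starts no path here. The sibling query in this commit excuses `GITHUB_EVENT_PATH` from its own allowlist with the comment that this file covers it, yet its `envVarRead` does recognise those helper calls; the helper-based read of the event path is therefore reported by neither query. Seeding from the same helper-call shape the sibling uses, with the same `NotParsedLabel`, closes that gap; the JSON-parse label transition and the shared steps need no change. A one-line doc comment on the configuration class explaining the two labels (`not-parsed` until a `JsonParserCall`, `parsed` afterwards) would also help the next reader.
```ql
override predicate isSource(DataFlow::Node source, DataFlow::FlowLabel lbl) {
  (
    source = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead("GITHUB_EVENT_PATH")
    or
    // The helper-based read that default-setup-environment-variables.ql leaves to this query.
    source =
      any(DataFlow::CallNode c |
        c.getCalleeName().matches("get%EnvParam") and
        c.getArgument(0).getStringValue() = "GITHUB_EVENT_PATH"
      )
  ) and
  lbl instanceof NotParsedLabel
}
```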