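/**
 * @name Artifact Poisoning (Path Traversal)
 * @description A privileged, externally triggerable job downloads an artifact with a version of
 *              actions/download-artifact that is listed as known-vulnerable (unsafe path handling
 *              when extracting the artifact). An attacker who can poison that artifact may write
 *              files outside the intended directory on the runner and influence subsequent steps.
 * @kind problem
 * @problem.severity error
 * @precision very-high
 * @security-severity 9
 * @id actions/artifact-poisoning/path-traversal
 * @tags actions
 *       security
 *       experimental
 *       external/cwe/cwe-829
 */

import actions
import codeql.actions.security.PoisonableSteps
import codeql.actions.security.UseOfKnownVulnerableActionQuery

from UsesStep download, KnownVulnerableAction vulnerable_action, Event event
where
  event = download.getATriggerEvent() and
  // The job running the download must be reachable by an external actor *and* carry
  // privileges (secrets / write token) that a poisoned artifact could abuse. This applies to
  // both cases below, so it is checked once here rather than inside one branch only.
  download.getEnclosingJob().isPrivilegedExternallyTriggerable(event) and
  // Only actions/download-artifact, and only the versions the KnownVulnerableAction table
  // records as vulnerable - matched either by tag/version or by pinned commit SHA.
  download.getCallee() = "actions/download-artifact" and
  vulnerable_action.getVulnerableAction() = download.getCallee() and
  (
    download.getVersion() = vulnerable_action.getVulnerableVersion() or
    download.getVersion() = vulnerable_action.getVulnerableSha()
  ) and
  (
    // Case 1: the artifact is produced in this same workflow by an upload-artifact step that
    // follows a poisonable step (one that runs after an actions/checkout), so the archive
    // contents - including entry names - can be attacker-controlled.
    exists(UsesStep checkout, PoisonableStep poison, UsesStep upload |
      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = checkout and
      checkout.getCallee() = "actions/checkout" and
      checkout.getAFollowingStep() = poison and
      poison.getAFollowingStep() = upload and
      upload.getCallee() = "actions/upload-artifact"
    )
    or
    // Case 2: no step in this workflow uploads an artifact, so whatever is downloaded was
    // produced by another workflow run whose provenance is not visible here and must be
    // treated as untrusted.
    // NOTE: the previous form of this branch, `not ... getAStep() instanceof UsesStep`, could
    // never hold because `download` is itself a UsesStep in a LocalJob of this workflow; the
    // branch was dead and cross-workflow artifact consumers were never reported.
    not exists(UsesStep upload |
      download.getEnclosingWorkflow().getAJob().(LocalJob).getAStep() = upload and
      upload.getCallee() = "actions/upload-artifact"
    )
  )
select download, "Potential artifact poisoning"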