Skip to content

Add query to detect use of actions libs #151

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
robertbrignull merged 3 commits into from
Aug 21, 2020
Merged

Add query to detect use of actions libs #151

robertbrignull merged 3 commits into from
Aug 21, 2020

Conversation

@robertbrignull
Copy link
Contributor

@robertbrignull robertbrignull commented Aug 17, 2020

Since some of the code now needs to run flawlessly outside of actions, I think a CodeQL query will be really helpful for spotting accidental uses.

This borrows a lot of the framework from undeclared-action-input.ql but adds in checks for guards that we are running in actions/cli mode.

This finds a few cases, which I've fixed in this PR. I've pushed a branch without the fixes too so you can see what the alerts were at https://github.com/github/codeql-action/security/code-scanning?query=ref%3Arefs%2Fheads%2Faction_libs_query_alerts

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.

chrisgavin
chrisgavin approved these changes Aug 20, 2020
View reviewed changes
Copy link
Contributor

@chrisgavin chrisgavin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's essential to resolve now, but just to check my understanding, am I right in thinking that so long as a use of an Actions library is guarded on one call path, it will be considered guarded on all of them?

Might make sense to add a global logger at some point so we don't have to pass it around.

@robertbrignull
Copy link
Contributor Author

robertbrignull commented Aug 21, 2020

am I right in thinking that so long as a use of an Actions library is guarded on one call path, it will be considered guarded on all of them?

Partially. You're right it only checks for the existance of one guard instead of making sure that all paths are covered, however we're also looking at individual InvokeExpr or inner functions, so I think in the vast majority of cases there will only be one path and it'll be correct.
Also unfortunately doing it the other way of making sure all paths are covered always seems to end up being very hard to express and compute. It's generally not worked for me in the past when I've tried it. I always wish there were a proper library like dataflow but for execution flow. Using the control flow graph directly never works well for me.

@robertbrignull
Copy link
Contributor Author

robertbrignull commented Aug 21, 2020

Might make sense to add a global logger at some point so we don't have to pass it around.

Makes sense to me. I think it should work ok too as we can make a very good guess of whether we're in actions mode or CLI mode by looking at the env vars, so we should be able to create a logged of the right type on demand.

@robertbrignull robertbrignull merged commit 1f5a571 into main Aug 21, 2020
@robertbrignull robertbrignull deleted the action_libs_query branch August 21, 2020 09:31
@github-actions github-actions bot mentioned this pull request Aug 24, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@chrisgavin chrisgavin chrisgavin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robertbrignull @chrisgavin