Merge pull request #74 from github/docs/help_files

docs/help files

Author: JarLob

ql/src/Security/CWE-077/EnvPathInjectionCritical.md

@@ -0,0 +1,39 @@
+# Environment Path Injection
+
+## Description
+
+GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
+
+E.g.:
+
+```bash
+echo "$HOME/.local/bin" >> $GITHUB_PATH
+```
+
+If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
+
+## Recommendations
+
+Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
+
+## Examples
+
+### Incorrect Usage
+
+Consider the following basic setup where an environment variable `PATH` is set:
+
+```yaml
+steps:
+  - name: Set the path
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+')
+      echo "$PATH" >> "$GITHUB_PATH"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)

ql/src/Security/CWE-077/EnvPathInjectionMedium.md

@@ -0,0 +1,39 @@
+# Environment Path Injection
+
+## Description
+
+GitHub Actions allow to define the system PATH variable by writing to a file pointed to by the `GITHUB_PATH` environment variable. Writing to this file appends a directory to the system PATH variable and automatically makes it available to all subsequent actions in the current job.
+
+E.g.:
+
+```bash
+echo "$HOME/.local/bin" >> $GITHUB_PATH
+```
+
+If an attacker can control the contents of the system PATH, they are able to influence what commands are run in subsequent steps of the same job.
+
+## Recommendations
+
+Do not allow untrusted data to influence the system PATH: Avoid using untrusted data sources (e.g., artifact content) to define the system PATH.
+
+## Examples
+
+### Incorrect Usage
+
+Consider the following basic setup where an environment variable `PATH` is set:
+
+```yaml
+steps:
+  - name: Set the path
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      PATH=$(echo "$BODY" | grep -oP 'system path: \K\S+')
+      echo "$PATH" >> "$GITHUB_PATH"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, they can potentially change the system PATH and get arbitrary command execution in subsequent steps.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)

ql/src/Security/CWE-077/EnvVarInjectionCritical.md

@@ -0,0 +1,117 @@
+# Environment Variable Injection
+
+## Description
+
+GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
+
+This file contains lines in the `KEY=VALUE` format:
+
+```bash
+steps:
+  - name: Set the value
+    id: step_one
+    run: |
+      echo "action_state=yellow" >> "$GITHUB_ENV"
+```
+
+It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document):
+
+```
+KEY<<{delimiter}
+VALUE
+VALUE
+{delimiter}
+```
+
+```bash
+steps:
+  - name: Set the value in bash
+    id: step_one
+    run: |
+      {
+        echo 'JSON_RESPONSE<<EOF'
+        curl https://example.com
+        echo EOF
+      } >> "$GITHUB_ENV"
+```
+
+If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
+
+## Recommendations
+
+1. **Do not allow untrusted data to influence environment variables**:
+
+    - Avoid using untrusted data sources (e.g., artifact content) to define environment variables.
+    - Validate and sanitize all inputs before using them in environment settings.
+
+2. **Do not allow new lines when defining single line environment variables**:
+
+    - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"`
+
+3. **Use unique identifiers when defining multi line environment variables**:
+
+    ```bash
+    steps:
+      - name: Set the value in bash
+        id: step_one
+        run: |
+          # Generate a UUID
+          UUID=$(uuidgen)
+          {
+            echo "JSON_RESPONSE<<EOF$UUID"
+            curl https://example.com
+            echo "EOF$UUID"
+          } >> "$GITHUB_ENV"
+    ```
+
+## Examples
+
+### Example of Vulnerability
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps:
+
+```yaml
+steps:
+  - name: Set the value
+    id: step_one
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g')
+      echo "MYVAR=$REPLACED" >> "$GITHUB_ENV"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like:
+
+```text
+FOO
+NEW_ENV_VAR=MALICIOUS_VALUE
+```
+
+Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as:
+
+```bash
+- run: |
+    PR_NUMBER=$(cat pr-number.txt)
+    echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+```
+
+An attacker could craft a malicious artifact that writes dangerous environment variables:
+
+```bash
+  - run: |
+      echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt
+  - uses: actions/upload-artifact@v4
+    with:
+      name: pr-number
+      path: ./pr-number.txt
+```
+
+### Exploitation
+
+An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
+- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)

ql/src/Security/CWE-077/EnvVarInjectionMedium.md

@@ -0,0 +1,117 @@
+# Environment Variable Injection
+
+## Description
+
+GitHub Actions allow to define environment variables by writing to a file pointed to by the `GITHUB_ENV` environment variable:
+
+This file contains lines in the `KEY=VALUE` format:
+
+```bash
+steps:
+  - name: Set the value
+    id: step_one
+    run: |
+      echo "action_state=yellow" >> "$GITHUB_ENV"
+```
+
+It is also possible to define multiline variables by using the [following construct](https://en.wikipedia.org/wiki/Here_document):
+
+```
+KEY<<{delimiter}
+VALUE
+VALUE
+{delimiter}
+```
+
+```bash
+steps:
+  - name: Set the value in bash
+    id: step_one
+    run: |
+      {
+        echo 'JSON_RESPONSE<<EOF'
+        curl https://example.com
+        echo EOF
+      } >> "$GITHUB_ENV"
+```
+
+If an attacker can control the values assigned to environment variables and there is no sanitization in place, the attacker will be able to inject additional variables by injecting new lines or `{delimiters}`.
+
+## Recommendations
+
+1. **Do not allow untrusted data to influence environment variables**:
+
+    - Avoid using untrusted data sources (e.g., artifact content) to define environment variables.
+    - Validate and sanitize all inputs before using them in environment settings.
+
+2. **Do not allow new lines when defining single line environment variables**:
+
+    - `echo "BODY=$(echo "$BODY" | tr -d '\n')" >> "$GITHUB_ENV"`
+
+3. **Use unique identifiers when defining multi line environment variables**:
+
+    ```bash
+    steps:
+      - name: Set the value in bash
+        id: step_one
+        run: |
+          # Generate a UUID
+          UUID=$(uuidgen)
+          {
+            echo "JSON_RESPONSE<<EOF$UUID"
+            curl https://example.com
+            echo "EOF$UUID"
+          } >> "$GITHUB_ENV"
+    ```
+
+## Examples
+
+### Example of Vulnerability
+
+Consider the following basic setup where an environment variable `MYVAR` is set and used in subsequent steps:
+
+```yaml
+steps:
+  - name: Set the value
+    id: step_one
+    env:
+      BODY: ${{ github.event.comment.body }}
+    run: |
+      REPLACED=$(echo "$BODY" | sed 's/FOO/BAR/g')
+      echo "MYVAR=$REPLACED" >> "$GITHUB_ENV"
+```
+
+If an attacker can manipulate the value being set, such as through artifact downloads or user inputs, the attacker can potentially inject new environment variables. For example, they could write an issue comment like:
+
+```text
+FOO
+NEW_ENV_VAR=MALICIOUS_VALUE
+```
+
+Likewise, if the attacker controls a file in the GitHub Actions Runner's workspace (eg: the workflow checkouts untrusted code or downloads an untrusted artifact) and the contents of that file are assigned to an environment variable such as:
+
+```bash
+- run: |
+    PR_NUMBER=$(cat pr-number.txt)
+    echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+```
+
+An attacker could craft a malicious artifact that writes dangerous environment variables:
+
+```bash
+  - run: |
+      echo -e "666\nNEW_ENV_VAR=MALICIOUS_VALUE" > pr-number.txt
+  - uses: actions/upload-artifact@v4
+    with:
+      name: pr-number
+      path: ./pr-number.txt
+```
+
+### Exploitation
+
+An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+
+## References
+
+- [Workflow commands for GitHub Actions](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions)
+- [GitHub Actions Exploitation: Repo Jacking and Environment Manipulation](https://www.synacktiv.com/publications/github-actions-exploitation-repo-jacking-and-environment-manipulation)

ql/src/Security/CWE-078/CommandInjectionCritical.ql

@@ -9,6 +9,7 @@
  * @id actions/command-injection/critical
  * @tags actions
  *       security
+ *       experimental
  *       external/cwe/cwe-078
  */
 

ql/src/Security/CWE-078/CommandInjectionMedium.ql

@@ -9,6 +9,7 @@
  * @id actions/command-injection/medium
  * @tags actions
  *       security
+ *       experimental
  *       external/cwe/cwe-078
  */
 

ql/src/Security/CWE-088/ArgumentInjectionCritical.md

@@ -0,0 +1,41 @@
+# Argument Injection in GitHub Actions
+
+## Description
+
+Passing user-controlled arguments to certain commands in the context of `Run` steps may lead to arbitrary code execution.
+
+Argument injection in GitHub Actions may allow an attacker to exfiltrate any secrets used in the workflow and the temporary GitHub repository authorization token. The token may have write access to the repository, allowing the attacker to make changes to the repository.
+
+## Recommendations
+
+When possible avoid passing user-controlled data to commands which may spawn new processes using some of their arguments.
+
+It is also recommended to limit the permissions of any tokens used by a workflow such as the GITHUB_TOKEN.
+
+## Examples
+
+### Incorrect Usage
+
+The following example lets a user inject an arbitrary shell command through argument injection:
+
+```yaml
+on: issue_comment
+
+jobs:
+  echo-body:
+    runs-on: ubuntu-latest
+    steps:
+      - env:
+          BODY: ${{ github.event.comment.body }}
+        run: |
+          cat file.txt | sed  "s/BODY_PLACEHOLDER/$BODY/g" > replaced.txt
+```
+
+An attacker may set the body of an Issue comment to `BAR|g;1e whoami;#` and the command `whoami` will get executed during the `sed` operation.
+
+## References
+
+- [Common Weakness Enumeration: CWE-88](https://cwe.mitre.org/data/definitions/88.html).
+- [Argument Injection Explained](https://sonarsource.github.io/argument-injection-vectors/explained/)
+- [Argument Injection Vectors](https://sonarsource.github.io/argument-injection-vectors/)
+- [GTFOBins](https://gtfobins.github.io/)

ql/src/Security/CWE-094/ArgumentInjectionCritical.ql renamed to ql/src/Security/CWE-088/ArgumentInjectionCritical.ql

@@ -8,9 +8,7 @@
  * @id actions/argument-injection/critical
  * @tags actions
  *       security
- *       external/cwe/cwe-094
- *       external/cwe/cwe-095
- *       external/cwe/cwe-116
+ *       external/cwe/cwe-088
  */
 
 import actions