Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions actions/ql/lib/actions.qll
Original file line number Diff line number Diff line change
@@ -1 +1,3 @@
import codeql.actions.Ast

abstract class CustomEnvEnable extends Environment { }
16 changes: 16 additions & 0 deletions actions/ql/lib/codeql/actions/config/Config.qll
Original file line number Diff line number Diff line change
Expand Up @@ -164,3 +164,19 @@ predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
predicate actionsPermissionsDataModel(string action, string permission) {
Extensions::actionsPermissionsDataModel(action, permission)
}

/**
* MaD models for deployment environments
* Fields:
* - name: deployment environment name, e.g. `Public CI`
*/
predicate enabledDeploymentEnvironmentDataModel(string name) {
Extensions::enabledDeploymentEnvironmentDataModel(name)
}

/**
* `EnvironmentCheck` implementation model.
*/
predicate selectDeploymentEnvironmentDataModel(string selected) {
Extensions::selectDeploymentEnvironmentDataModel(selected)
}
12 changes: 12 additions & 0 deletions actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
Original file line number Diff line number Diff line change
Expand Up @@ -88,3 +88,15 @@ extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
* - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
*/
extensible predicate actionsPermissionsDataModel(string action, string permission);

/**
* Holds for deployment environments that exist for a given repository.
* Requires this to be externally supplied but once done can be used to
* toggle precision of whether that suffices or not as a control check.
*/
extensible predicate enabledDeploymentEnvironmentDataModel(string name);

/**
* Selects which deployment environments model to use to implement `EnvironmentCheck`.
*/
extensible predicate selectDeploymentEnvironmentDataModel(string mechanism);
12 changes: 12 additions & 0 deletions actions/ql/lib/codeql/actions/security/ControlChecks.qll
Original file line number Diff line number Diff line change
Expand Up @@ -277,6 +277,18 @@ abstract class LabelCheck extends ControlCheck {
}

class EnvironmentCheck extends ControlCheck instanceof Environment {
EnvironmentCheck() {
exists(string selected |
selectDeploymentEnvironmentDataModel(selected) and
if selected = "EnvironmentCheckMaD"
then enabledDeploymentEnvironmentDataModel(this.(Environment).getName())
else
if selected = "EnvironmentCheckCustomQL"
then this instanceof CustomEnvEnable
else this instanceof Environment
)
}

// Environment checks are not effective against any mutable attacks
// they do actually protect against untrusted code execution (sha)
override predicate protectsCategoryAndEvent(string category, string event) {
Expand Down
9 changes: 9 additions & 0 deletions actions/ql/lib/ext/config/customize_checks.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
extensions:
- addsTo:
pack: codeql/actions-all
extensible: selectDeploymentEnvironmentDataModel
data:
# The possible values this can take are:
# EnvironmentCheckCustomQL - for a custom QL implementation for the sufficient EnvironmentCheck.
# EnvironmentCheckMaD - for a custom MaD list of deployment environments that are relevant to a database.
- [""]
6 changes: 6 additions & 0 deletions actions/ql/lib/ext/config/deployment_environment.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
extensions:
- addsTo:
pack: codeql/actions-all
extensible: enabledDeploymentEnvironmentDataModel
data:
- [""]
Loading