Implements multi-version support for extenal actions and workfows

Author: jessehouwing

actions/extractor/tools/autobuild-impl.ps1

@@ -8,6 +8,8 @@ $DefaultPathFilters = @(
     'include:.github/workflows/*.yaml',
     'include:.github/reusable_workflows/**/*.yml',
     'include:.github/reusable_workflows/**/*.yaml',
+    'include:.github/actions/external/mapping.yaml',
+    'include:.github/workflows/external/mapping.yaml',
     'include:**/action.yml',
     'include:**/action.yaml'
 )

actions/extractor/tools/autobuild.sh

@@ -12,6 +12,8 @@ include:.github/workflows/*.yml
 include:.github/workflows/*.yaml
 include:.github/reusable_workflows/**/*.yml
 include:.github/reusable_workflows/**/*.yaml
+include:.github/actions/external/mapping.yaml
+include:.github/workflows/external/mapping.yaml
 include:**/action.yml
 include:**/action.yaml
 END

actions/ql/lib/codeql/actions/MappingHelper.qll

@@ -0,0 +1,49 @@
+/**
+ * Provides predicates for resolving external action and workflow references
+ * through SHA-based mapping files.
+ */
+
+private import codeql.actions.ast.internal.Yaml
+
+/**
+ * Holds if the external action mapping file maps `ownerRepo` at `ref` to `sha`.
+ *
+ * The mapping file is expected at `.github/actions/external/mapping.yaml` and has
+ * the following structure:
+ * ```yaml
+ * owner/repo:
+ *   ref: sha
+ * ```
+ *
+ * This enables SHA-based directory resolution for external composite actions
+ * stored in the `.github/actions/external/{owner}/{repo}/{sha}/` directory structure.
+ */
+predicate externalActionRefMapping(string ownerRepo, string ref, string sha) {
+  exists(YamlMapping mapping, YamlMapping refMap |
+    (
+      mapping.getLocation().getFile().getRelativePath().matches("%/.github/actions/external/mapping.yaml")
+      or
+      mapping.getLocation().getFile().getRelativePath() = ".github/actions/external/mapping.yaml"
+    ) and
+    refMap = mapping.lookup(ownerRepo) and
+    sha = refMap.lookup(ref).(YamlScalar).getValue()
+  )
+}
+
+/**
+ * Holds if the external workflow mapping file maps `ownerRepo` at `ref` to `sha`.
+ *
+ * The mapping file is expected at `.github/workflows/external/mapping.yaml` and has
+ * the same structure as the action mapping file.
+ */
+predicate externalWorkflowRefMapping(string ownerRepo, string ref, string sha) {
+  exists(YamlMapping mapping, YamlMapping refMap |
+    (
+      mapping.getLocation().getFile().getRelativePath().matches("%/.github/workflows/external/mapping.yaml")
+      or
+      mapping.getLocation().getFile().getRelativePath() = ".github/workflows/external/mapping.yaml"
+    ) and
+    refMap = mapping.lookup(ownerRepo) and
+    sha = refMap.lookup(ref).(YamlScalar).getValue()
+  )
+}

actions/ql/lib/codeql/actions/dataflow/internal/DataFlowPrivate.qll

@@ -8,6 +8,7 @@ private import DataFlowPublic
 private import codeql.actions.dataflow.ExternalFlow
 private import codeql.actions.dataflow.FlowSteps
 private import codeql.actions.dataflow.FlowSources
+private import codeql.actions.MappingHelper
 
 class DataFlowSecondLevelScope = Unit;
 
@@ -50,7 +51,7 @@ predicate isArgumentNode(ArgumentNode arg, DataFlowCall call, ArgumentPosition p
 }
 
 DataFlowCallable nodeGetEnclosingCallable(Node node) {
-  node = TExprNode(any(DataFlowExpr e | result = e.getScope()))
+  result = node.(ExprNode).getCfgNode().(DataFlowExpr).getScope()
 }
 
 DataFlowType getNodeType(Node node) { any() }
@@ -80,6 +81,9 @@ class DataFlowCall instanceof Cfg::Node {
 
   string getName() { result = super.getAstNode().(Uses).getCallee() }
 
+  /** Gets the version/ref of the action or workflow being called. */
+  string getVersion() { result = super.getAstNode().(Uses).getVersion() }
+
   DataFlowCallable getEnclosingCallable() { result = super.getScope() }
 
   /** Gets a best-effort total ordering. */
@@ -119,7 +123,40 @@ class NormalReturn extends ReturnKind, TNormalReturn {
 }
 
 /** Gets a viable implementation of the target of the given `Call`. */
-DataFlowCallable viableCallable(DataFlowCall c) { c.getName() = result.getName() }
+DataFlowCallable viableCallable(DataFlowCall c) {
+  // Direct name match (existing behavior for local actions and backward compatibility)
+  c.getName() = result.getName()
+  or
+  // SHA-based resolution via mapping.yaml for external composite actions.
+  // Resolves uses: owner/repo[/path]@ref to owner/repo/sha[/path] using the mapping file.
+  exists(string callee, string version, string ownerRepo, string sha |
+    callee = c.getName() and
+    version = c.getVersion() and
+    ownerRepo = callee.regexpCapture("([^/]+/[^/]+)(?:/.*)?", 1) and
+    externalActionRefMapping(ownerRepo, version, sha)
+  |
+    // With sub-path: e.g. actions/cache/restore@v4 -> actions/cache/{sha}/restore
+    exists(string subpath |
+      subpath = callee.regexpCapture("[^/]+/[^/]+/(.*)", 1) and
+      result.getName() = [ownerRepo + "/" + sha + "/" + subpath, "./" + ownerRepo + "/" + sha + "/" + subpath]
+    )
+    or
+    // No sub-path: e.g. actions/cache@v4 -> actions/cache/{sha}
+    not callee.regexpMatch("[^/]+/[^/]+/.*") and
+    result.getName() = [ownerRepo + "/" + sha, "./" + ownerRepo + "/" + sha]
+  )
+  or
+  // SHA-based resolution via mapping.yaml for external callable workflows.
+  // Resolves uses: owner/repo/path/to/workflow.yml@ref to owner/repo/sha/path/to/workflow.yml.
+  exists(string callee, string version, string ownerRepo, string sha, string workflowPath |
+    callee = c.getName() and
+    version = c.getVersion() and
+    ownerRepo = callee.regexpCapture("([^/]+/[^/]+)(?:/.*)?", 1) and
+    workflowPath = callee.regexpCapture("[^/]+/[^/]+/(.*)", 1) and
+    externalWorkflowRefMapping(ownerRepo, version, sha) and
+    result.getName() = [ownerRepo + "/" + sha + "/" + workflowPath, "./" + ownerRepo + "/" + sha + "/" + workflowPath]
+  )
+}
 
 /**
  * Gets a node that can read the value returned from `call` with return kind

actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql

@@ -53,7 +53,8 @@ where
   ) and
   // the job writes to the cache
   // (No need to follow the checkout/download step since the cache is normally write after the job completes)
-  job.getAStep() = step and
+  // Check both direct job steps and steps inside composite actions called from the job.
+  step.getEnclosingJob() = job and
   step instanceof CacheWritingStep and
   (
     // we dont know what code can be controlled by the attacker

actions/ql/test/library-tests/mapping-resolution/.github/actions/external/LegacyOrg/LegacyAction/action.yml

@@ -0,0 +1,8 @@
+name: Legacy Action (no SHA)
+description: An external action stored without SHA directory, for backward compat testing
+
+runs:
+  using: composite
+  steps:
+  - shell: bash
+    run: echo "Legacy action without SHA-based resolution"

actions/ql/test/library-tests/mapping-resolution/.github/actions/external/TestOrg/TestAction-Sub/fedcba987654/sub-action/action.yml

@@ -0,0 +1,13 @@
+name: Test Sub-Path Action
+description: A composite action at a sub-path for testing mapping resolution
+inputs:
+  path:
+    description: Path to restore
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - shell: bash
+    run: |
+      echo "Restoring ${{ inputs.path }}"

actions/ql/test/library-tests/mapping-resolution/.github/actions/external/TestOrg/TestAction/abc123def456/action.yml

@@ -0,0 +1,13 @@
+name: Test Composite Action
+description: A simple composite action for testing mapping resolution
+inputs:
+  message:
+    description: A test message
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - shell: bash
+    run: |
+      echo "${{ inputs.message }}"

actions/ql/test/library-tests/mapping-resolution/.github/actions/external/TestOrg/TestAction/def789abc012/action.yml

@@ -0,0 +1,13 @@
+name: Test Composite Action v2
+description: A v2 composite action for testing mapping resolution
+inputs:
+  message:
+    description: A test message
+    required: true
+
+runs:
+  using: composite
+  steps:
+  - shell: bash
+    run: |
+      echo "v2: ${{ inputs.message }}"

actions/ql/test/library-tests/mapping-resolution/.github/actions/external/mapping.yaml

@@ -0,0 +1,5 @@
+TestOrg/TestAction:
+  v1: abc123def456
+  v2: def789abc012
+TestOrg/TestAction-Sub:
+  main: fedcba987654