CycodeLabs
diff --git a/‎README.md‎
Lines changed: 10 additions & 5 deletions b/‎README.md‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎library/query_body_context_injection.yml‎
Lines changed: 34 additions & 0 deletions b/‎library/query_body_context_injection.yml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎library/query_checkout_on_issue.yml‎
Lines changed: 4 additions & 3 deletions b/‎library/query_checkout_on_issue.yml‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎library/query_codesee_injection.yml‎
Lines changed: 14 additions & 25 deletions b/‎library/query_codesee_injection.yml‎
Lines changed: 14 additions & 25 deletions
diff --git a/‎library/query_email_context_injection.yml‎
Lines changed: 30 additions & 0 deletions b/‎library/query_email_context_injection.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎library/query_injectable_composite_action.yml‎
Lines changed: 56 additions & 0 deletions b/‎library/query_injectable_composite_action.yml‎
Lines changed: 56 additions & 0 deletions
diff --git a/‎library/query_issue_injection.yml‎
Lines changed: 0 additions & 24 deletions b/‎library/query_issue_injection.yml‎
Lines changed: 0 additions & 24 deletions
diff --git a/‎library/query_label_context_injection.yml‎
Lines changed: 27 additions & 0 deletions b/‎library/query_label_context_injection.yml‎
Lines changed: 27 additions & 0 deletions
diff --git a/‎library/query_message_context_injection.yml‎
Lines changed: 30 additions & 0 deletions b/‎library/query_message_context_injection.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎library/query_priv_esc_workflow_run.yml‎
Lines changed: 41 additions & 0 deletions b/‎library/query_priv_esc_workflow_run.yml‎
Lines changed: 41 additions & 0 deletions
@@ -161,9 +161,11 @@ options:
 
 ### Report
 ```bash
-usage: raven report [-h] [--redis-host REDIS_HOST] [--redis-port REDIS_PORT] [--clean-redis] [--neo4j-uri NEO4J_URI] [--neo4j-user NEO4J_USER] [--neo4j-pass NEO4J_PASS]
-                      [--clean-neo4j] [--tag TAG] [--severity SEVERITY] [--queries-path QUERIES_PATH]
-                      {slack} ...
+usage: raven report [-h] [--redis-host REDIS_HOST] [--redis-port REDIS_PORT] [--clean-redis] [--neo4j-uri NEO4J_URI]
+                    [--neo4j-user NEO4J_USER] [--neo4j-pass NEO4J_PASS] [--clean-neo4j]
+                    [--tag {injection,unauthenticated,fixed,priv-esc,supply-chain}]
+                    [--severity {info,low,medium,high,critical}] [--queries-path QUERIES_PATH] [--format {raw,json}]
+                    {slack} ...
 
 positional arguments:
   {slack}
@@ -183,11 +185,14 @@ options:
   --neo4j-pass NEO4J_PASS
                         Neo4j password, default: 123456789
   --clean-neo4j, -cn    Whether to clean cache, and index from scratch, default: False
-  --tag TAG, -t TAG     Filter queries with specific tag
-  --severity SEVERITY, -s SEVERITY
+  --tag {injection,unauthenticated,fixed,priv-esc,supply-chain}, -t {injection,unauthenticated,fixed,priv-esc,supply-chain}
+                        Filter queries with specific tag
+  --severity {info,low,medium,high,critical}, -s {info,low,medium,high,critical}
                         Filter queries by severity level (default: info)
   --queries-path QUERIES_PATH, -dp QUERIES_PATH
                         Queries folder (default: library)
+  --format {raw,json}, -f {raw,json}
+                        Report format (default: raw)
 ```
 
 ## Examples
 
@@ -0,0 +1,34 @@
+id: RQ-1
+
+info:
+  name: Body Context Injection
+  severity: critical
+  description: Body Injection is caused by using body variables in inline scripts
+  full-description: |
+    Issues, comments, discussions and PR bodies can contain any text and special characters.
+    By using a body variable in an inline script, an attacker can inject arbitrary code
+    into the build process.
+  references:
+    - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+    - https://cycode.com/blog/github-actions-vulnerabilities/
+    - https://github.com/CycodeLabs/raven/blob/main/docs/issue_injections/README.md
+  tags:
+    - injection
+    - unauthenticated
+
+query: |
+  MATCH (w:Workflow)-[*]->(d:StepCodeDependency)
+    WHERE (
+        "issues" in w.trigger OR
+        "issue_comment" in w.trigger OR
+        "pull_request_target" in w.trigger
+    ) AND
+      (
+          d.param IN [
+            "github.event.comment.body",
+            "github.event.issue.body",
+            "github.event.discussion.body",
+            "github.event.pull_request.body"
+          ]
+      )
+  RETURN DISTINCT w.url AS url;
@@ -1,9 +1,10 @@
-id: checkout-on-issue
+id: RQ-2
 
 info:
-  name: Checkout on new Issue
+  name: Checkout On New Issue
   severity: critical
   description: workflows triggered by issue events where a job involves checking out code from a repository ("actions/checkout") on issue event.
+  full-description:
   references:
     - https://github.com/CycodeLabs/raven/tree/main/docs/issue_injections
     - https://cycode.com/blog/github-actions-vulnerabilities/
@@ -32,4 +33,4 @@ query: |
               )
           )
       }
-  RETURN DISTINCT w.path
+  RETURN DISTINCT w.url AS url;
@@ -1,37 +1,26 @@
-id: codesee-injection
+id: RQ-3
 
 info:
   name: CodeSee Injection
   severity: info
-  description: CodeSee NPM package before v0.376.0 allowed code injection vulnerability. 
+  description: CodeSee NPM package before v0.376.0 allowed code injection vulnerability.
+  full-description:
   references:
     - https://github.com/CycodeLabs/raven/tree/main/docs/codesee_injections
-    - https://cycode.com/blog/github-actions-vulnerabilities/
+    - https://cycode.com/blog/cycode-secures-thousands-of-open-source-projects/
   tags:
     - unauthenticated
     - injection
     - fixed
 
 query: |
-  MATCH (w:Workflow)-[*]->(j:Job)
-  WHERE
-      (
-          "issue_comment" in w.trigger OR
-          "issues" in w.trigger
-      ) AND
-      EXISTS {
-          (j)-->(s:Step)-->(ca:CompositeAction)
-          WHERE (
-              ca.path = "actions/checkout" AND
-              ANY(param IN s.with WHERE 
-                  (
-                      param STARTS WITH "ref" and 
-                      (
-                          param contains "head.sha" OR
-                          param contains "head.ref"
-                      )
-                  )
-              )
-          )
-      }
-  RETURN DISTINCT w.path
+    MATCH (w:Workflow)
+    WHERE
+        w.permissions is null AND
+        EXISTS {
+            (w)-[*]->(ca:CompositeAction)
+            WHERE (
+                ca.path = "Codesee-io/codesee-map-action"
+            )
+        }
+    RETURN DISTINCT w.url AS url;
@@ -0,0 +1,30 @@
+id: RQ-4
+
+info:
+  name: Email Context Injection
+  severity: high
+  description: Email Injection is caused by using email variables in inline scripts
+  full-description: |
+    GitHub allows creating accounts with email addresses that contain special characters,
+    such as `+`, `@` and `"`. By using an email variable in an inline script, an attacker
+    can inject arbitrary code into the build process.
+  references:
+    - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+  tags:
+    - injection
+    - unauthenticated
+
+query: |
+  MATCH (w:Workflow)-[*]->(d:StepCodeDependency)
+    WHERE (
+        "issues" in w.trigger OR
+        "issue_comment" in w.trigger OR
+        "pull_request_target" in w.trigger
+    ) AND
+      (
+          d.param IN [
+            "github.event.comment.author.email",
+            "github.event.head_commit.committer.email"
+          ]
+      )
+  RETURN DISTINCT w.url AS url;
@@ -0,0 +1,56 @@
+id: RQ-13
+
+info:
+  name: Injectable Composite Action
+  severity: high
+  description: Composite Actions that use input parameters in inline scripts can be used to inject arbitrary code.
+  full-description: |
+    Composite Actions can get input parameters from the workflow file.
+    If these input parameters are used in inline scripts, an attacker can 
+    inject arbitrary code into the build process.
+  references:
+    - https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
+    - https://cycode.com/blog/cycode-secures-thousands-of-open-source-projects/
+  tags:
+    - injection
+    - unauthenticated
+
+query: |
+  MATCH (w:Workflow)-[*]->(s:Step)-->(ca:CompositeAction)-->(cas:CompositeActionStep)-->(d:StepCodeDependency)
+  WHERE (
+      (
+          "issues" in w.trigger OR
+          "issue_comment" in w.trigger OR
+          "pull_request_target" in w.trigger
+      ) AND (
+          ca.using = "composite" AND
+          NOT cas.run is null AND
+          d.param STARTS WITH "inputs."
+      ) AND (
+          ANY(input IN s.with WHERE
+              ANY (
+                  pattern IN [
+                      "github.event.issue.title",
+                      "github.event.issue.body",
+                      "github.event.pull_request.title",
+                      "github.event.pull_request.body",
+                      "github.event.comment.body",
+                      "github.event.review.body",
+                      "github.event.review_comment.body",
+                      "github.event.pages.*.page_name",
+                      "github.event.commits.*.message",
+                      "github.event.head_commit.message",
+                      "github.event.head_commit.author.email",
+                      "github.event.head_commit.author.name",
+                      "github.event.commits.*.author.email",
+                      "github.event.commits.*.author.name",
+                      "github.event.pull_request.head.ref",
+                      "github.event.pull_request.head.label",
+                      "github.event.pull_request.head.repo.default_branch",
+                      "github.head_ref"
+                  ] WHERE input CONTAINS pattern
+              )
+          )
+      )
+  )
+  RETURN DISTINCT s.url AS url;
@@ -0,0 +1,27 @@
+id: RQ-5
+
+info:
+  name: Label Context Injection
+  severity: high
+  description: Label Injection is caused by using label variables in inline scripts
+  full-description: |
+    Creating a new pull request could be submitted with a label that contains special characters.
+    By using a label variable in an inline script, an attacker can inject arbitrary code into the build process.
+  references:
+    - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+  tags:
+    - injection
+
+query: |
+  MATCH (w:Workflow)-[*]->(d:StepCodeDependency)
+    WHERE (
+        "issues" in w.trigger OR
+        "issue_comment" in w.trigger OR
+        "pull_request_target" in w.trigger
+    ) AND
+      (
+          d.param IN [
+            "github.event.pull_request.head.label"
+          ]
+      )
+  RETURN DISTINCT w.url AS url;
@@ -0,0 +1,30 @@
+id: RQ-6
+
+info:
+  name: Message Context Injection
+  severity: high
+  description: Commit Injection is caused by using commit message variables in inline scripts
+  full-description: |
+    Commit messages can contain any text and special characters.
+    By using a commit message variable in an inline script, an attacker can inject arbitrary code
+    into the build process.
+  references:
+    - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+  tags:
+    - injection
+    - unauthenticated
+
+query: |
+  MATCH (w:Workflow)-[*]->(d:StepCodeDependency)
+    WHERE (
+        "issues" in w.trigger OR
+        "issue_comment" in w.trigger OR
+        "pull_request_target" in w.trigger
+    ) AND
+      (
+          d.param IN [
+            "github.event.head_commit.message",
+            "github.event.merge_group.head_commit.message"
+          ]
+      )
+  RETURN DISTINCT w.url AS url;
@@ -0,0 +1,41 @@
+id: RQ-7
+
+info:
+  name: Privilege Escalation Workflow Run
+  severity: critical
+  description: Injection of malicious code that triggers a workflow run pipeline can lead to privilege escalation.
+  full-description: |
+    Pull request pipeline runs without access to secrets.
+    However, if a workflow run is triggered by a pull request, the workflow run will have access to secrets.
+    Meaning, if an attacker can inject malicious code into the PR workflow and pass the malicious code to the workflow run,
+    the attacker can gain access to secrets even though the original workflow did not have access to secrets.
+  references:
+    - https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability
+  tags:
+    - unauthenticated
+    - injection
+    - priv-esc
+
+query: |
+  MATCH (w:Workflow)-[*]->(w2:Workflow)
+  WHERE (
+      (
+          "pull_request" in w.trigger OR
+          "pull_request_target" in w.trigger
+      ) AND
+      (
+          "workflow_run" in w2.trigger
+      )
+  ) AND EXISTS {
+          (w)-[*]->(d:StepCodeDependency)
+          WHERE (
+              d.param IN [
+                  "github.event.pull_request.title",
+                  "github.event.pull_request.body",
+                  "github.event.pull_request.head.ref",
+                  "github.event.pull_request.head.label",
+                  "github.event.pull_request.head.repo.default_branch"
+              ]
+          )
+      }
+  RETURN DISTINCT w.url AS url;
Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,10 @@`
`1`		`-id: checkout-on-issue`
	`1`	`+id: RQ-2`
`2`	`2`
`3`	`3`	`info:`
`4`		`- name: Checkout on new Issue`
	`4`	`+ name: Checkout On New Issue`
`5`	`5`	`severity: critical`
`6`	`6`	`description: workflows triggered by issue events where a job involves checking out code from a repository ("actions/checkout") on issue event.`
	`7`	`+ full-description:`
`7`	`8`	`references:`
`8`	`9`	`- https://github.com/CycodeLabs/raven/tree/main/docs/issue_injections`
`9`	`10`	`- https://cycode.com/blog/github-actions-vulnerabilities/`
`@@ -32,4 +33,4 @@ query: \|`
`32`	`33`	`)`
`33`	`34`	`)`
`34`	`35`	`}`
`35`		`- RETURN DISTINCT w.path`
	`36`	`+ RETURN DISTINCT w.url AS url;`