Update the ql queries to account for change in how we look for runner

aeisenberg · aeisenberg · commit 8ade7ba97f7e · 2021-05-28T13:43:02.000-07:00
Previously, we guarded blocks of code to be run by the runner or the
action using if statements like this:

```js
if (mode === "actions") ...
```

We are no longer doing this. And now, the `unguarded-action-lib.ql`
query is out of date. This query checks that runner code does not
unintentionally access actions-only methods in the libraries.

With these changes, we now ensure that code scanning is happy.
diff --git a/queries/unguarded-action-lib.ql b/queries/unguarded-action-lib.ql
@@ -90,17 +90,96 @@ class RunnerEntrypoint extends Function {
   }
 }
 
+/**
+ * A generic check to see if we are in actions or runner mode in a particular block of code.
+ */
+abstract class ActionsGuard extends IfStmt {
+
+  /**
+   * Get an expr that is only executed on actions
+   */
+  abstract Expr getAnActionsExpr();
+}
+
+/**
+ * A check of whether we are in actions mode or runner mode, based on
+ * the presense of a call to `isActions()` in the condition of an if statement.
+ */
+class IsActionsGuard extends ActionsGuard {
+  IsActionsGuard() {
+    getCondition().(CallExpr).getCalleeName() = "isActions"
+  }
+
+  /**
+   * Get the "then" block that is the "actions" path.
+   */
+  Stmt getActionsBlock() {
+    result = getThen()
+  }
+
+  /**
+   * Get an expr that is only executed on actions
+   */
+  override Expr getAnActionsExpr() {
+    getActionsBlock().getAChildStmt*().getAChildExpr*() = result
+  }
+}
+
+/**
+ * A check of whether we are in actions mode or runner mode, based on
+ * the presense of a call to `!isActions()` in the condition of an if statement.
+ */
+class NegatedIsActionsGuard extends ActionsGuard {
+  NegatedIsActionsGuard() {
+    getCondition().(LogNotExpr).getOperand().(CallExpr).getCalleeName() = "isActions"
+  }
+
+  /**
+   * Get the "else" block that is the "actions" path.
+   */
+  Stmt getActionsBlock() {
+    result = getElse()
+  }
+
+  /**
+   * Get an expr that is only executed on actions
+   */
+  override Expr getAnActionsExpr() {
+    getActionsBlock().getAChildStmt*().getAChildExpr*() = result
+  }
+}
+
+class ModeAccess extends PropAccess {
+  ModeAccess() {
+    (
+      // eg- Mode.actions
+      getBase().(Identifier).getName() = "Mode" or
+      // eg- actionUtil.Mode.actions
+      getBase().(PropAccess).getPropertyName() = "Mode"
+    ) and
+    (getPropertyName() = "actions" or getPropertyName() = "runner")
+  }
+
+  predicate isActions() {
+    getPropertyName() = "actions"
+  }
+
+  predicate isRunner() {
+    getPropertyName() = "runner"
+  }
+}
+
 /**
  * A check of whether we are in actions mode or runner mode.
  */
-class ModeGuard extends IfStmt {
+class ModeGuard extends ActionsGuard {
   ModeGuard() {
-    getCondition().(EqualityTest).getAnOperand().(StringLiteral).getValue() = "actions" or
-    getCondition().(EqualityTest).getAnOperand().(StringLiteral).getValue() = "runner"
+    getCondition().(EqualityTest).getAnOperand().(ModeAccess).isActions() or
+    getCondition().(EqualityTest).getAnOperand().(ModeAccess).isRunner()
   }
 
-  string getOperand() {
-    result = getCondition().(EqualityTest).getAnOperand().(StringLiteral).getValue()
+  ModeAccess getOperand() {
+    result = getCondition().(EqualityTest).getAnOperand()
   }
 
   predicate isPositive() {
@@ -111,19 +190,19 @@ class ModeGuard extends IfStmt {
    * Get the then or else block that is the "actions" path.
    */
   Stmt getActionsBlock() {
-    (getOperand() = "actions" and isPositive() and result = getThen())
+    (getOperand().isActions() and isPositive() and result = getThen())
     or
-    (getOperand() = "runner" and not isPositive() and result = getThen())
+    (getOperand().isRunner() and not isPositive() and result = getThen())
     or
-    (getOperand() = "actions" and not isPositive() and result = getElse())
+    (getOperand().isActions() and not isPositive() and result = getElse())
     or
-    (getOperand() = "runner" and isPositive() and result = getElse())
+    (getOperand().isRunner() and isPositive() and result = getElse())
   }
 
   /**
    * Get an expr that is only executed on actions
    */
-  Expr getAnActionsExpr() {
+  override Expr getAnActionsExpr() {
     getActionsBlock().getAChildStmt*().getAChildExpr*() = result
   }
 }
@@ -133,7 +212,7 @@ class ModeGuard extends IfStmt {
  * and is not only called on actions.
  */
 Expr getAFunctionChildExpr(Function f) {
-  not exists(ModeGuard guard | guard.getAnActionsExpr() = result) and
+  not exists(ActionsGuard guard | guard.getAnActionsExpr() = result) and
   result.getContainer() = f
 }
 
@@ -145,16 +224,16 @@ Function calledBy(Function f) {
   exists(InvokeExpr invokeExpr |
     invokeExpr = getAFunctionChildExpr(f) and
     invokeExpr.getResolvedCallee() = result and
-    not exists(ModeGuard guard | guard.getAnActionsExpr() = invokeExpr)
+    not exists(ActionsGuard guard | guard.getAnActionsExpr() = invokeExpr)
   )
   or
   // Assume outer function causes inner function to be called
   (result instanceof Expr and
   result.getEnclosingContainer() = f and
-  not exists(ModeGuard guard | guard.getAnActionsExpr() = result))
+  not exists(ActionsGuard guard | guard.getAnActionsExpr() = result))
 }
 
-from VarAccess v, ActionsLibImport actionsLib, RunnerEntrypoint runnerEntry 
+from VarAccess v, ActionsLibImport actionsLib, RunnerEntrypoint runnerEntry
 where actionsLib.getAProvidedVariable() = v.getVariable()
   and getAFunctionChildExpr(calledBy*(runnerEntry)) = v
   and not (isSafeActionLibWithActionsEnvVars(actionsLib.getName()) and runnerEntry.setsActionsEnvVars())
