
Limited data exfiltration in CodeQL CLI

Low
hmakholm published GHSA-gf8p-v3g3-3wph Feb 22, 2024

Package

CodeQL CLI

Affected versions

< 2.16.3

Patched versions

2.16.3

Description

I-Al-Istannen and Simon Gerst discovered that an XML parser used by the CodeQL CLI to read various auxiliary files was vulnerable to XXE (XML external entity injection).

Impact

If a vulnerable version of the CLI is used to process either a maliciously modified CodeQL database or a specially prepared set of QL query sources, the CLI can be made to issue an outgoing HTTP request to a URL that contains material read from a local file chosen by the attacker. This may result in exfiltration of secrets from the local file system.

Security researchers and QL authors who receive databases or QL source files from untrusted sources may be impacted.
A single untrusted .ql or .qll file cannot trigger the attack on its own, but a zip archive or tarball containing QL sources may unpack auxiliary files that trigger it when CodeQL encounters them in the file system.

The typical use case for customers of GitHub Advanced Security code scanning on github.com or GitHub Enterprise Server -- using CodeQL for routine analysis of source trees with a preselected set of trusted query packs -- is not affected. In particular, extracting XML files from a source tree into the CodeQL database is not vulnerable.

(Note that, independently of this security advisory, using CodeQL to analyze an untrusted source tree inherently involves running build commands provided in that source tree, so this should only ever be done in an appropriately locked-down and sandboxed environment. If the database produced during such an analysis is subsequently copied out of the sandbox for offline analysis, it should be treated as untrusted).

Patches

The problem is fixed in release 2.16.3 of the CodeQL CLI, published on 2024-02-22.

Security researchers and QL authors using the default settings of the CodeQL extension for Visual Studio Code will be automatically prompted to upgrade to the latest version of the CodeQL CLI. If using a specific local version of the CodeQL CLI, please update this local version to 2.16.3 or later.

Optional updates:

  • Customers using the default settings for code scanning on github.com do not need to take any action to upgrade to this version.
  • Customers using a specific tools version in code scanning advanced setup workflows on github.com may optionally choose to update this tools URL, or remove the field to use the latest version of CodeQL by default.
  • Customers on GitHub Enterprise Server may optionally choose to upgrade the version of CodeQL used in their code scanning Actions workflows using GitHub Connect or the CodeQL Action Sync Tool - see this documentation for more information.
  • Customers using the CodeQL CLI in a third-party CI system may optionally choose to update to the latest version of CodeQL.

Workarounds

Other than upgrading, workarounds include not accepting CodeQL databases or queries from untrusted sources, or only processing such material on a machine without an Internet connection.

GHAS customers who use older releases of CodeQL for security scanning in an automated CI system and cannot upgrade for compliance reasons can continue using that version. That use case is safe.

If such customers have a private query pack and use the codeql pack create command to precompile it before using it in the CI system, they may continue to run codeql pack create with that production CodeQL release: the command is safe as long as the QL source it precompiles is trusted. We recommend that all other development of the query pack use an upgraded CLI.

References

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXELocal.ql is a CodeQL query that would have found this vulnerability. It is usually disabled because of a high risk of false positives. Java projects that know they will never need to parse XML that depends on document-provided DTDs may want to enable it in their own CodeQL analysis.
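To make the Impact section and the XXELocal.ql reference concrete, here is an added example in Java (the language the CodeQL CLI and that query target). It is not code from the CodeQL CLI or the advisory: it builds a constructed XML "auxiliary file" whose inline DTD declares an external entity pointing at a local file, parses it once with a default DocumentBuilderFactory (the parser shape XXELocal.ql is written to flag) and once with a hardened factory, and shows that only the former splices the file's contents into the document. The temporary file, the `XxeDemo` class and its helper names are assumptions made for the demo. The advisory's variant goes one step further and carries the leaked content out in an HTTP request to an attacker-chosen URL; this in-band example stops at the file read so it runs offline.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed stand-in for an untrusted auxiliary file. The inline DTD
    // defines an external general entity whose SYSTEM identifier is a local
    // file; a parser that resolves such entities pastes the file's contents
    // into the <item> element.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE config [\n"
             + "  <!ENTITY leak SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<config><item>&leak;</item></config>";
    }

    // Default JDK configuration: DOCTYPEs and external entities are honoured.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    // Hardened configuration: refuse any DOCTYPE outright, and additionally
    // disable external entities and external DTD/schema access so that the
    // parser stays safe even if the DOCTYPE restriction is later relaxed.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the document and return the text of its first <item> element.
    static String parseItem(DocumentBuilder b, String xml) throws SAXException, IOException {
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getElementsByTagName("item").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the analyst's machine, created by the demo
        // itself so it is self-contained; a real attacker would name a path.
        Path secret = Files.createTempFile("xxe-demo-", ".txt");
        Files.writeString(secret, "hunter2-token");
        try {
            String xml = payload(secret);

            // Unhardened parser: the secret's contents end up inside the DOM.
            System.out.println("vulnerable parser read: " + parseItem(vulnerableBuilder(), xml));

            // Hardened parser: the DOCTYPE is rejected before any entity is resolved.
            try {
                parseItem(hardenedBuilder(), xml);
                System.out.println("hardened parser: unexpectedly accepted the payload");
            } catch (SAXException e) {
                System.out.println("hardened parser rejected the document: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with a JDK 11 or newer (`javac XxeDemo.java && java XxeDemo`). The first line prints the temp file's contents, which is exactly the finding XXELocal.ql reports for the unhardened factory; the second reports a SAXParseException from the DOCTYPE ban. The in-band form shown here only works when the leaked file is well-formed XML text; real exfiltration of arbitrary files usually goes through parameter entities in an external DTD and an out-of-band request, which is why disabling external parameter entities and external DTD loading is part of the hardened configuration rather than an optional extra.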

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
2.7 / 10

CVSS v3 base metrics

Attack vector
Local
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3.1 vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVE ID

CVE-2024-25129
