
Environment variables written to debug logs

Moderate
aeisenberg published GHSA-gqh3-9prg-j95m Jan 24, 2025

Package

CodeQL CLI

Affected versions

>= 2.9.2

Patched versions

2.20.3

Description

Impact summary

CodeQL databases or logs produced by the CodeQL CLI may, in some circumstances, contain the environment variables from the time of database creation, including any secrets that were exposed as environment variables to the process. Users with access to these artifacts would be able to access these secrets.

For Kotlin, the complete environment is logged by default when the --keep-trap option is passed to the CodeQL CLI or CodeQL database creation fails to complete before finalization.

For Java, C/C++, and Swift, the complete environment is only logged when specific environment variables are set. These are not enabled by default or in debug mode on the CodeQL Action, and so impact is limited to advanced users manually enabling these options via the CLI.

This could be dangerous if you are storing secrets in environment variables and you are subsequently persisting the database or logs. In this case, you would be saving secrets to disk.

Impact details

The vulnerability only manifests under the following circumstances:

Kotlin

  • Using CodeQL CLI versions >= 2.9.2 and <= 2.20.2.
  • CodeQL configured to scan the Java/Kotlin languages (java, kotlin, or java-kotlin), running in a repository containing Kotlin source code.
  • The --keep-trap option is passed to the CodeQL CLI OR CodeQL database creation fails to complete before finalization.

In CodeQL CLI versions >= 2.9.2 and <= 2.20.2, the CodeQL Kotlin extractor logs all environment variables into an intermediate file during the process of creating a CodeQL database for Kotlin code.

The intermediate file containing environment variables is deleted by default when finalizing the Kotlin database, so it is not included in a successfully created database.

However, a database that has not been finalized (for example, due to errors during database creation) will leave the intermediate files containing logged environment variables in the unfinalized database. Similarly, if the --keep-trap option is set during database creation, the intermediate files will not be deleted when the database is finalized.

Java

  • Using CodeQL CLI versions <= 2.20.2.
  • CodeQL configured to scan the Java/Kotlin languages (java, kotlin, or java-kotlin), running in a repository containing Java or Kotlin source code.
  • All variables are logged only if the environment variable ODASA_JAVAC_VERBOSE is set to 1 or higher. This is not enabled by default or in debug mode on the CodeQL Action, and so impact is limited to advanced users manually enabling this option via the CLI. Without this setting, by default, only a limited subset of environment variables are logged: PATH, PWD, and variables with the prefixes ODASA_, SEMMLE_, JAVA_, or CODEQL_.

C/C++

  • Using CodeQL CLI versions <= 2.20.2.
  • CodeQL configured to scan the C/C++ languages (c, cpp, or c-cpp), running in a repository containing C/C++ source code.
  • All variables are logged only if the extractor option cpp.log_verbosity, the environment variable CODEQL_EXTRACTOR_CPP_OPTION_LOG_VERBOSITY, or the direct extractor command-line flag --codeql-verbosity are set to 3. This is not enabled by default or in debug mode on the CodeQL Action, and so impact is limited to advanced users manually enabling this option via the CLI.

Swift

  • Using CodeQL CLI versions <= 2.20.2.
  • CodeQL configured to scan the Swift language (swift), running in a repository containing Swift source code.
  • All variables are logged only if the environment variable CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS is set to out:text:trace or out:text:debug. This is not enabled by default or in debug mode on the CodeQL Action, and so impact is limited to advanced users manually enabling this option via the CLI.
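A preflight check built from the four sets of conditions listed above, as an added example that is not part of the advisory or of the CodeQL CLI. It takes the CLI version, the argument list that will be passed to `codeql database create`, and the environment the job will run with, and returns which extractor, if any, would write the complete environment. The function names and the `kotlin_in_scope` flag are this example's own. The advisory does not say how the `cpp.log_verbosity` extractor option is spelled on the CLI, so the check only looks for the literal `cpp.log_verbosity=3` in the argument list (an assumption), and the direct extractor flag `--codeql-verbosity` is not checked because it is a flag of the extractor binary, not of the CLI.

```python
"""Preflight check for CodeQL database creation (added example, not CodeQL code).

Encodes the trigger conditions from the advisory: which CLI version, flag or
environment variable makes an extractor log the complete environment.
"""
import re

PATCHED = (2, 20, 3)            # first version that no longer logs the full environment
KOTLIN_AFFECTED_MIN = (2, 9, 2)  # Kotlin extractor started logging the environment here


def parse_version(text: str) -> tuple:
    """'2.20.2' -> (2, 20, 2); anything after a '-' (e.g. '-beta') is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def full_env_triggers(cli_version, argv, env, kotlin_in_scope):
    """Return [(extractor, reason), ...] for every way the full environment would be logged.

    argv is the `codeql database create` argument list, env the environment the
    job will run with, kotlin_in_scope whether Kotlin sources are being extracted.
    """
    findings = []
    version = parse_version(cli_version)

    if version >= PATCHED:
        # 2.20.3+: only the explicit opt-in re-enables full-environment logging (Java/Kotlin).
        if env.get("CODEQL_EXTRACTOR_JAVA_OPTION_LOG_FULL_ENVIRONMENT", "").lower() == "true":
            findings.append(("java/kotlin",
                             "CODEQL_EXTRACTOR_JAVA_OPTION_LOG_FULL_ENVIRONMENT=true re-enables full environment logging"))
        return findings

    if kotlin_in_scope and version >= KOTLIN_AFFECTED_MIN:
        if "--keep-trap" in argv:
            findings.append(("kotlin", "--keep-trap keeps the intermediate file that holds the full environment"))
        else:
            # No flag needed: any failure before finalization leaves the file behind,
            # so the database directory must be purged if creation fails.
            findings.append(("kotlin", "a failed (unfinalized) database creation leaves the full environment on disk"))

    try:
        javac_verbose = int(env.get("ODASA_JAVAC_VERBOSE", "0"))
    except ValueError:
        javac_verbose = 0
    if javac_verbose >= 1:
        findings.append(("java", f"ODASA_JAVAC_VERBOSE={javac_verbose} logs every environment variable"))

    cpp_env = env.get("CODEQL_EXTRACTOR_CPP_OPTION_LOG_VERBOSITY", "").strip() == "3"
    # Assumption: the extractor option, when passed on the CLI, appears as 'cpp.log_verbosity=3'.
    cpp_arg = any("cpp.log_verbosity=3" in a for a in argv)
    if cpp_env or cpp_arg:
        findings.append(("cpp", "C/C++ log verbosity 3 logs every environment variable"))

    if env.get("CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS") in ("out:text:trace", "out:text:debug"):
        findings.append(("swift", "CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS at trace/debug logs every environment variable"))

    return findings


if __name__ == "__main__":
    # Constructed job: affected CLI, Kotlin sources, --keep-trap and javac verbosity both on.
    example_argv = ["database", "create", "db", "--language=java-kotlin", "--keep-trap"]
    example_env = {"ODASA_JAVAC_VERBOSE": "1", "HOME": "/home/ci"}
    for extractor, reason in full_env_triggers("2.20.2", example_argv, example_env, kotlin_in_scope=True):
        print(f"{extractor}: {reason}")
```

Run it as the first step of the job that creates the database; a non-empty result on an affected version means the job must either drop the flag or variable named in the finding, or treat the database directory and logs as secret material and delete them before anything is uploaded.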

Mitigations

Update to CodeQL CLI version 2.20.3 or later.

While using CodeQL CLI <= 2.20.2, avoid uploading, archiving, or saving to persistent storage any unfinalized CodeQL database from Kotlin analysis, or any Kotlin database created with the --keep-trap option. These should be treated as sensitive: purge them as soon as the CodeQL job, workflow, pipeline, or script is finished. If you have already saved such databases, rotate any secrets that were present in the environment when they were created.

Patches

This vulnerability is fixed in CodeQL CLI version 2.20.3, in which database creation no longer logs the complete environment by default for any language.

  • For Java and Kotlin, by default, only a limited subset of environment variables are logged: PATH, PWD, and internal variables with the prefixes ODASA_, SEMMLE_, JAVA_, or CODEQL_. Logging of the complete environment is disabled by default, and enabled only when the environment variable CODEQL_EXTRACTOR_JAVA_OPTION_LOG_FULL_ENVIRONMENT is set to true.
  • For Swift, when the environment variable CODEQL_EXTRACTOR_SWIFT_LOG_LEVELS is set to out:text:trace or out:text:debug, only environment variables starting with CODEQL_ and SEMMLE_ are logged.
  • For all other supported languages, logging of environment variables is disabled.
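A pre-persist audit that applies both the mitigation guidance above (treat the database and logs as sensitive before saving them) and the patched defaults just listed, as an added example that is not part of the advisory or of the CodeQL CLI. It assumes nothing about the internal layout of a CodeQL database: it walks a directory and reports every file containing the value of a currently set environment variable, which is how a leaked environment surfaces whichever intermediate file held it. It also lists the variables the patched Java/Kotlin extractor still logs by default (PATH, PWD, and the ODASA_, SEMMLE_, JAVA_ and CODEQL_ prefixes), so those can be checked for anything secret before upgrading. The function names, the `min_len` threshold and the sample directory are this example's own.

```python
"""Pre-persist audit of a CodeQL database directory (added example, not CodeQL code)."""
import tempfile
from pathlib import Path

# Subset the patched (2.20.3) Java/Kotlin extractor still logs by default.
DEFAULT_LOGGED_NAMES = {"PATH", "PWD"}
DEFAULT_LOGGED_PREFIXES = ("ODASA_", "SEMMLE_", "JAVA_", "CODEQL_")


def still_logged_by_default(env: dict) -> dict:
    """Variables the patched Java/Kotlin extractor logs even with full-env logging off."""
    return {
        name: value for name, value in env.items()
        if name in DEFAULT_LOGGED_NAMES or name.startswith(DEFAULT_LOGGED_PREFIXES)
    }


def find_env_values(root, env: dict, min_len: int = 8, max_bytes: int = 50_000_000) -> dict:
    """Map each env var whose value appears in some file under root to those files.

    Values shorter than min_len ('1', 'true', '/tmp') are skipped because they
    match by accident; files larger than max_bytes are skipped rather than read.
    """
    needles = {name: value.encode() for name, value in env.items() if len(value) >= min_len}
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.is_symlink():
            continue
        if path.stat().st_size > max_bytes:
            continue
        data = path.read_bytes()
        for name, needle in needles.items():
            if needle in data:
                hits.setdefault(name, []).append(path.relative_to(root).as_posix())
    return hits


def demo():
    """Constructed scenario: an unfinalized database whose log captured the environment.

    The environment and the log file are made up here; the token value is not real.
    """
    fake_env = {
        "DEPLOY_TOKEN": "example-secret-value-not-real",  # constructed
        "JAVA_TOOL_OPTIONS": "-Xmx2g",
        "ODASA_JAVAC_VERBOSE": "1",
        "PATH": "/usr/bin:/bin",
    }
    with tempfile.TemporaryDirectory() as db:
        log_dir = Path(db) / "log"
        log_dir.mkdir()
        (log_dir / "extractor.log").write_text(
            "environment:\n" + "\n".join(f"{k}={v}" for k, v in fake_env.items())
        )
        leaks = find_env_values(db, fake_env)
    # Triage is up to the reader: PATH is reported but is not a secret; DEPLOY_TOKEN is.
    return leaks, still_logged_by_default(fake_env)


if __name__ == "__main__":
    leaks, logged = demo()
    for name, files in leaks.items():
        print(f"value of {name} found in: {', '.join(files)}")
    print("still logged by default after 2.20.3:", sorted(logged))
```

In a real job, call `find_env_values(db_dir, dict(os.environ))` after `codeql database create` returns, whether or not it succeeded, and refuse to upload or archive the directory (deleting it instead) when any secret-bearing variable is reported; anything listed by `still_logged_by_default` that carries a credential (for example a JAVA_ or CODEQL_ prefixed variable holding a password) should be moved out of the environment before the upgraded CLI runs.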

References

Severity

Moderate

CVE ID

CVE-2025-24362

Weaknesses

No CWEs

Credits