
Commit abb267d

committed
Add query to identify env vars that may not work with default setup
1 parent 9953504 commit abb267d

1 file changed

+50
-0
lines changed

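--- /dev/null
+++ b/queries/default-setup-environment-variables.ql
@@ -0,0 +1,50 @@
+/**
+ * @name Some environment variables may not exist in default setup workflows
+ * @id javascript/codeql-action/default-setup-env-vars
+ * @kind problem
+ * @severity error
+ */
+
+import javascript
+
+bindingset[envVar]
+predicate isSafeForDefaultSetup(string envVar) {
+// Ignore internal Code Scanning environment variables
+envVar.matches("CODE_SCANNING_%") or
+envVar.matches("CODEQL_%") or
+envVar.matches("CODESCANNING_%") or
+envVar.matches("LGTM_%") or
+// The following environment variables are known to be safe for use with default setup
+envVar =
+[
+"GITHUB_ACTION_REF", "GITHUB_ACTION_REPOSITORY", "GITHUB_ACTOR", "GITHUB_API_URL",
+"GITHUB_BASE_REF", "GITHUB_EVENT_NAME", "GITHUB_JOB", "GITHUB_RUN_ATTEMPT", "GITHUB_RUN_ID",
+"GITHUB_SHA", "GITHUB_REPOSITORY", "GITHUB_SERVER_URL", "GITHUB_TOKEN", "GITHUB_WORKFLOW",
+"GITHUB_WORKSPACE", "GOFLAGS", "JAVA_TOOL_OPTIONS", "RUNNER_ARCH", "RUNNER_NAME", "RUNNER_OS",
+"RUNNER_TEMP", "RUNNER_TOOL_CACHE"
+]
+}
+
+predicate envVarRead(DataFlow::Node node, string envVar) {
+node =
+any(DataFlow::PropRead read |
+read = NodeJSLib::process().getAPropertyRead("env").getAPropertyRead() and
+envVar = read.getPropertyName()
+) or
+node =
+any(DataFlow::CallNode call |
+call.getCalleeName().matches("get%EnvParam") and
+envVar = call.getArgument(0).getStringValue()
+)
+}
+
+from DataFlow::Node read, string envVar
+where
+envVarRead(read, envVar) and
+not isSafeForDefaultSetup(envVar)
+select read,
+"The environment variable " + envVar +
+" may not exist in default setup workflows. If all uses are safe, add it to the list of " +
+"environment variables that are known to be safe in " +
+"'queries/default-setup-environment-variables.ql'. If this use is safe but others are not, " +
+"dismiss this alert as a false positive."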
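Review bot: The `get%EnvParam` branch of `envVarRead` silently drops any call whose first argument is not a string literal, because `getArgument(0).getStringValue()` then has no result and the whole `any(...)` fails to bind — so a dynamically computed variable name (the case most likely to reach an unexpected variable) is never reported, which is a blind spot in exactly the query meant to catch unsafe reads. Likewise `process.env[someExpr]` with a computed key yields no `getPropertyName()`, if I read the library right, and is dropped the same way. I would bind a sentinel for those reads so they still surface, e.g. replace the `envVar = call.getArgument(0).getStringValue()` line with `(envVar = call.getArgument(0).getStringValue() or not exists(call.getArgument(0).getStringValue()) and envVar = "<non-literal name>")`, and do the equivalent for the `PropRead` branch. Separately, the query metadata uses `@severity error`, whereas the documented key for `@kind problem` queries is `@problem.severity`, and a `@description` line is missing; unless this repository's tooling is known to accept `@severity`, the header should read `* @problem.severity error` with a one-line `* @description` above it. The file path hard-coded into the alert message cannot be confirmed from this page, so if the file is ever moved the message will go stale — consider pointing at the query `@id` instead.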
