Exclude artifacts downloaded to runner temp.

AdnaneKhan · web-flow · commit 38f00775bd87 · 2025-04-25T14:49:01.000-04:00
diff --git a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -262,8 +262,9 @@ class ArtifactPoisoningSink extends DataFlow::Node {
 
   ArtifactPoisoningSink() {
     download.getAFollowingStep() = poisonable and
-    // excluding artifacts downloaded to /tmp
+    // excluding artifacts downloaded to /tmp and runner.tmp
     not download.getPath().regexpMatch("^/tmp.*") and
+    not download.getPath().regexpMatch("^\${{\s?runner.temp\s?}}.*") and
     (
       poisonable.(Run).getScript() = this.asExpr() and
       (

Original file line number	Diff line number	Diff line change
`@@ -262,8 +262,9 @@ class ArtifactPoisoningSink extends DataFlow::Node {`
`262`	`262`
`263`	`263`	`ArtifactPoisoningSink() {`
`264`	`264`	`download.getAFollowingStep() = poisonable and`
`265`		`- // excluding artifacts downloaded to /tmp`
	`265`	`+ // excluding artifacts downloaded to /tmp and runner.tmp`
`266`	`266`	`not download.getPath().regexpMatch("^/tmp.*") and`
	`267`	`+ not download.getPath().regexpMatch("^\${{\s?runner.temp\s?}}.*") and`
`267`	`268`	`(`
`268`	`269`	`poisonable.(Run).getScript() = this.asExpr() and`
`269`	`270`	`(`