exclude Simple refereces from GitHub context

Alvaro Muñoz · Alvaro Muñoz · commit b80d3d56a364 · 2024-12-09T21:47:09.000+01:00
diff --git a/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll b/ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll
@@ -245,7 +245,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
       |
         expr.(StepsExpression).getStepId() = value
         or
-        expr.(SimpleReferenceExpression).getFieldName() = value
+        expr.(SimpleReferenceExpression).getFieldName() = value and
+        not expr instanceof GitHubExpression
         or
         expr.(NeedsExpression).getNeededJobId() = value
         or
@@ -279,7 +280,8 @@ class ActionsSHACheckout extends SHACheckoutStep instanceof UsesStep {
       |
         expr.(StepsExpression).getStepId() = value
         or
-        expr.(SimpleReferenceExpression).getFieldName() = value
+        expr.(SimpleReferenceExpression).getFieldName() = value and
+        not expr instanceof GitHubExpression
         or
         expr.(NeedsExpression).getNeededJobId() = value
         or
