Merge pull request #36 from GitHubSecurityLab/fix_source_regexps

Alvaro Muñoz · web-flow · commit 0da8f8d299ca · 2024-03-15T14:05:29.000+01:00
fix(fn): Apply json wrappers to source regexps
diff --git a/ql/lib/codeql/actions/Ast.qll b/ql/lib/codeql/actions/Ast.qll
@@ -9,6 +9,15 @@ module Utils {
           .regexpReplaceAll("\\[\"([a-zA-Z0-9_\\*\\-]+)\"\\]", ".$1")
           .regexpReplaceAll("\\s*\\.\\s*", ".")
   }
+
+  bindingset[regex]
+  string wrapRegexp(string regex) {
+    result =
+      [
+        "\\b" + regex + "\\b", "fromJSON\\(\\s*" + regex + "\\s*\\)",
+        "toJSON\\(\\s*" + regex + "\\s*\\)"
+      ]
+  }
 }
 
 class AstNode instanceof AstNodeImpl {
diff --git a/ql/lib/codeql/actions/ast/internal/Ast.qll b/ql/lib/codeql/actions/ast/internal/Ast.qll
@@ -813,28 +813,24 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl {
 }
 
 private string stepsCtxRegex() {
-  result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+  result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 
 private string needsCtxRegex() {
-  result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+  result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 
 private string jobsCtxRegex() {
-  result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
+  result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")
 }
 
-private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") }
+private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") }
 
-private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }
+private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }
 
 private string inputsCtxRegex() {
-  result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])
-}
-
-bindingset[regex]
-private string wrapRegexp(string regex) {
-  result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]
+  result =
+    Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])
 }
 
 /**
diff --git a/ql/lib/codeql/actions/dataflow/FlowSources.qll b/ql/lib/codeql/actions/dataflow/FlowSources.qll
@@ -25,10 +25,8 @@ abstract class RemoteFlowSource extends SourceNode {
 
 bindingset[context]
 private predicate isExternalUserControlledIssue(string context) {
-  exists(string reg |
-    reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"]
-  |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+  exists(string reg | reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] |
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
@@ -37,38 +35,38 @@ private predicate isExternalUserControlledPullRequest(string context) {
   exists(string reg |
     reg =
       [
-        "\\bgithub\\.event\\.pull_request\\.title\\b", "\\bgithub\\.event\\.pull_request\\.body\\b",
-        "\\bgithub\\.event\\.pull_request\\.head\\.label\\b",
-        "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.default_branch\\b",
-        "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.description\\b",
-        "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.homepage\\b",
-        "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b"
+        "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body",
+        "github\\.event\\.pull_request\\.head\\.label",
+        "github\\.event\\.pull_request\\.head\\.repo\\.default_branch",
+        "github\\.event\\.pull_request\\.head\\.repo\\.description",
+        "github\\.event\\.pull_request\\.head\\.repo\\.homepage",
+        "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref"
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
 private predicate isExternalUserControlledReview(string context) {
-  Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b")
+  Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body"))
 }
 
 bindingset[context]
 private predicate isExternalUserControlledComment(string context) {
-  Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b")
+  Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body"))
 }
 
 bindingset[context]
 private predicate isExternalUserControlledGollum(string context) {
   exists(string reg |
     reg =
       [
-        "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.page_name\\b",
-        "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b"
+        "github\\.event\\.pages\\[[0-9]+\\]\\.page_name",
+        "github\\.event\\.pages\\[[0-9]+\\]\\.title"
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
@@ -77,28 +75,27 @@ private predicate isExternalUserControlledCommit(string context) {
   exists(string reg |
     reg =
       [
-        "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.message\\b",
-        "\\bgithub\\.event\\.head_commit\\.message\\b",
-        "\\bgithub\\.event\\.head_commit\\.author\\.email\\b",
-        "\\bgithub\\.event\\.head_commit\\.author\\.name\\b",
-        "\\bgithub\\.event\\.head_commit\\.committer\\.email\\b",
-        "\\bgithub\\.event\\.head_commit\\.committer\\.name\\b",
-        "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.email\\b",
-        "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.name\\b",
-        "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email\\b",
-        "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b",
+        "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message",
+        "github\\.event\\.head_commit\\.author\\.email",
+        "github\\.event\\.head_commit\\.author\\.name",
+        "github\\.event\\.head_commit\\.committer\\.email",
+        "github\\.event\\.head_commit\\.committer\\.name",
+        "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email",
+        "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name",
+        "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email",
+        "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name",
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
 bindingset[context]
 private predicate isExternalUserControlledDiscussion(string context) {
   exists(string reg |
-    reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"]
+    reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
@@ -107,18 +104,17 @@ private predicate isExternalUserControlledWorkflowRun(string context) {
   exists(string reg |
     reg =
       [
-        "\\bgithub\\.event\\.workflow\\.path\\b",
-        "\\bgithub\\.event\\.workflow_run\\.head_branch\\b",
-        "\\bgithub\\.event\\.workflow_run\\.display_title\\b",
-        "\\bgithub\\.event\\.workflow_run\\.head_repository\\.description\\b",
-        "\\bgithub\\.event\\.workflow_run\\.head_commit\\.message\\b",
-        "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.email\\b",
-        "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.name\\b",
-        "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.email\\b",
-        "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b",
+        "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch",
+        "github\\.event\\.workflow_run\\.display_title",
+        "github\\.event\\.workflow_run\\.head_repository\\.description",
+        "github\\.event\\.workflow_run\\.head_commit\\.message",
+        "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",
+        "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",
+        "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email",
+        "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name",
       ]
   |
-    Utils::normalizeExpr(context).regexpMatch(reg)
+    Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))
   )
 }
 
diff --git a/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml b/ql/test/query-tests/Security/CWE-094/.github/workflows/json_wrap.yml
@@ -0,0 +1,59 @@
+name: Issue Comment Created
+
+on:
+  issue_comment:
+    types:
+      - created
+
+jobs:
+  jira:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.comment.body == '/jira ticket' }}
+    steps:
+      - run: echo ${{ github.event.comment.body }}
+
+      - name: Login
+        uses: atlassian/gajira-login@v3
+        env:
+          JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+          JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+
+      - name: SearchParam
+        run: echo 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+
+      - name: Search
+        id: search
+        uses: tomhjp/gh-action-jira-search@v0.2.1
+        with:
+          jql: 'summary ~ ${{ toJSON(github.event.issue.title)}} AND project=${{ secrets.JIRA_PROJECT }}'
+
+      - name: Log
+        run: echo "Found issue ${{ steps.search.outputs.issue }}"
+
+      - name: Create
+        id: create
+        if: steps.search.outputs.issue == ''
+        uses: atlassian/gajira-create@v3
+        with:
+          project: ${{ secrets.JIRA_PROJECT }}
+          issuetype: Task
+          summary: '${{ github.event.repository.name }}: ${{ github.event.issue.title }}'
+          description: |
+            *Issue Link:* ${{ github.event.issue.html_url }}
+            
+            ${{ github.event.issue.body }}
+          fields: '{"customfield_10006": ${{ toJSON(secrets.JIRA_EPIC_TICKET) }}, "customfield_17401":{"value":${{ toJSON( secrets.JIRA_LAYER_CAKE )}}}}'
+
+      - name: Add Comment
+        if: steps.search.outputs.issue == '' && steps.create.outputs.issue != ''
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: '👋 Thanks, Jira [${{steps.create.outputs.issue}}] ticket created.'
+            })
diff --git a/ql/test/query-tests/Security/CWE-094/CodeInjection.expected b/ql/test/query-tests/Security/CWE-094/CodeInjection.expected
@@ -131,6 +131,8 @@ nodes
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env |
 | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -234,6 +236,8 @@ subpaths
 | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} |
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |
diff --git a/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected b/ql/test/query-tests/Security/CWE-094/PrivilegedCodeInjection.expected
@@ -131,6 +131,8 @@ nodes
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | semmle.label | env.job_env |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | semmle.label | env.step_env |
 | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | semmle.label | github.event.issue.title |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | semmle.label | github.event.comment.body |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | semmle.label | toJSON(github.event.issue.title) |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -229,6 +231,8 @@ subpaths
 | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | .github/workflows/issues.yaml:4:16:4:46 | github.event.issue.title | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:15:19:15:39 | env.global_env | ${{ env.global_env }} |
 | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | .github/workflows/issues.yaml:10:17:10:47 | github.event.issue.title | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:17:19:17:36 | env.job_env | ${{ env.job_env }} |
 | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | .github/workflows/issues.yaml:20:20:20:50 | github.event.issue.title | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/issues.yaml:18:19:18:37 | env.step_env | ${{ env.step_env }} |
+| .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:13:20:13:51 | github.event.comment.body | ${{ github.event.comment.body }} |
+| .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/json_wrap.yml:23:31:23:68 | toJSON(github.event.issue.title) | ${{ toJSON(github.event.issue.title)}} |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | Potential privileged code injection in $@, which may be controlled by an external user. | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | ${{ github.event.pull_request.head.label }} |

Original file line number	Diff line number	Diff line change
`@@ -813,28 +813,24 @@ abstract class SimpleReferenceExpressionImpl extends ExpressionImpl {`
`813`	`813`	`}`
`814`	`814`
`815`	`815`	`private string stepsCtxRegex() {`
`816`		`- result = wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
	`816`	`+ result = Utils::wrapRegexp("steps\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
`817`	`817`	`}`
`818`	`818`
`819`	`819`	`private string needsCtxRegex() {`
`820`		`- result = wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
	`820`	`+ result = Utils::wrapRegexp("needs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
`821`	`821`	`}`
`822`	`822`
`823`	`823`	`private string jobsCtxRegex() {`
`824`		`- result = wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
	`824`	`+ result = Utils::wrapRegexp("jobs\\.([A-Za-z0-9_-]+)\\.outputs\\.([A-Za-z0-9_-]+)")`
`825`	`825`	`}`
`826`	`826`
`827`		`-private string envCtxRegex() { result = wrapRegexp("env\\.([A-Za-z0-9_-]+)") }`
	`827`	`+private string envCtxRegex() { result = Utils::wrapRegexp("env\\.([A-Za-z0-9_-]+)") }`
`828`	`828`
`829`		`-private string matrixCtxRegex() { result = wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }`
	`829`	`+private string matrixCtxRegex() { result = Utils::wrapRegexp("matrix\\.([A-Za-z0-9_-]+)") }`
`830`	`830`
`831`	`831`	`private string inputsCtxRegex() {`
`832`		`- result = wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])`
`833`		`-}`
`834`		`-`
`835`		`-bindingset[regex]`
`836`		`-private string wrapRegexp(string regex) {`
`837`		`- result = ["\\b" + regex + "\\b", "fromJSON\\(" + regex + "\\)", "toJSON\\(" + regex + "\\)"]`
	`832`	`+ result =`
	`833`	`+ Utils::wrapRegexp(["inputs\\.([A-Za-z0-9_-]+)", "github\\.event\\.inputs\\.([A-Za-z0-9_-]+)"])`
`838`	`834`	`}`
`839`	`835`
`840`	`836`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -25,10 +25,8 @@ abstract class RemoteFlowSource extends SourceNode {`
`25`	`25`
`26`	`26`	`bindingset[context]`
`27`	`27`	`private predicate isExternalUserControlledIssue(string context) {`
`28`		`- exists(string reg \|`
`29`		`- reg = ["\\bgithub\\.event\\.issue\\.title\\b", "\\bgithub\\.event\\.issue\\.body\\b"]`
`30`		`- \|`
`31`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`28`	`+ exists(string reg \| reg = ["github\\.event\\.issue\\.title", "github\\.event\\.issue\\.body"] \|`
	`29`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`32`	`30`	`)`
`33`	`31`	`}`
`34`	`32`
`@@ -37,38 +35,38 @@ private predicate isExternalUserControlledPullRequest(string context) {`
`37`	`35`	`exists(string reg \|`
`38`	`36`	`reg =`
`39`	`37`	`[`
`40`		`- "\\bgithub\\.event\\.pull_request\\.title\\b", "\\bgithub\\.event\\.pull_request\\.body\\b",`
`41`		`- "\\bgithub\\.event\\.pull_request\\.head\\.label\\b",`
`42`		`- "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.default_branch\\b",`
`43`		`- "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.description\\b",`
`44`		`- "\\bgithub\\.event\\.pull_request\\.head\\.repo\\.homepage\\b",`
`45`		`- "\\bgithub\\.event\\.pull_request\\.head\\.ref\\b", "\\bgithub\\.head_ref\\b"`
	`38`	`+ "github\\.event\\.pull_request\\.title", "github\\.event\\.pull_request\\.body",`
	`39`	`+ "github\\.event\\.pull_request\\.head\\.label",`
	`40`	`+ "github\\.event\\.pull_request\\.head\\.repo\\.default_branch",`
	`41`	`+ "github\\.event\\.pull_request\\.head\\.repo\\.description",`
	`42`	`+ "github\\.event\\.pull_request\\.head\\.repo\\.homepage",`
	`43`	`+ "github\\.event\\.pull_request\\.head\\.ref", "github\\.head_ref"`
`46`	`44`	`]`
`47`	`45`	`\|`
`48`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`46`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`49`	`47`	`)`
`50`	`48`	`}`
`51`	`49`
`52`	`50`	`bindingset[context]`
`53`	`51`	`private predicate isExternalUserControlledReview(string context) {`
`54`		`- Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.review\\.body\\b")`
	`52`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.review\\.body"))`
`55`	`53`	`}`
`56`	`54`
`57`	`55`	`bindingset[context]`
`58`	`56`	`private predicate isExternalUserControlledComment(string context) {`
`59`		`- Utils::normalizeExpr(context).regexpMatch("\\bgithub\\.event\\.comment\\.body\\b")`
	`57`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp("github\\.event\\.comment\\.body"))`
`60`	`58`	`}`
`61`	`59`
`62`	`60`	`bindingset[context]`
`63`	`61`	`private predicate isExternalUserControlledGollum(string context) {`
`64`	`62`	`exists(string reg \|`
`65`	`63`	`reg =`
`66`	`64`	`[`
`67`		`- "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.page_name\\b",`
`68`		`- "\\bgithub\\.event\\.pages\\[[0-9]+\\]\\.title\\b"`
	`65`	`+ "github\\.event\\.pages\\[[0-9]+\\]\\.page_name",`
	`66`	`+ "github\\.event\\.pages\\[[0-9]+\\]\\.title"`
`69`	`67`	`]`
`70`	`68`	`\|`
`71`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`69`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`72`	`70`	`)`
`73`	`71`	`}`
`74`	`72`
`@@ -77,28 +75,27 @@ private predicate isExternalUserControlledCommit(string context) {`
`77`	`75`	`exists(string reg \|`
`78`	`76`	`reg =`
`79`	`77`	`[`
`80`		`- "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.message\\b",`
`81`		`- "\\bgithub\\.event\\.head_commit\\.message\\b",`
`82`		`- "\\bgithub\\.event\\.head_commit\\.author\\.email\\b",`
`83`		`- "\\bgithub\\.event\\.head_commit\\.author\\.name\\b",`
`84`		`- "\\bgithub\\.event\\.head_commit\\.committer\\.email\\b",`
`85`		`- "\\bgithub\\.event\\.head_commit\\.committer\\.name\\b",`
`86`		`- "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.email\\b",`
`87`		`- "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.author\\.name\\b",`
`88`		`- "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email\\b",`
`89`		`- "\\bgithub\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name\\b",`
	`78`	`+ "github\\.event\\.commits\\[[0-9]+\\]\\.message", "github\\.event\\.head_commit\\.message",`
	`79`	`+ "github\\.event\\.head_commit\\.author\\.email",`
	`80`	`+ "github\\.event\\.head_commit\\.author\\.name",`
	`81`	`+ "github\\.event\\.head_commit\\.committer\\.email",`
	`82`	`+ "github\\.event\\.head_commit\\.committer\\.name",`
	`83`	`+ "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.email",`
	`84`	`+ "github\\.event\\.commits\\[[0-9]+\\]\\.author\\.name",`
	`85`	`+ "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.email",`
	`86`	`+ "github\\.event\\.commits\\[[0-9]+\\]\\.committer\\.name",`
`90`	`87`	`]`
`91`	`88`	`\|`
`92`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`89`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`93`	`90`	`)`
`94`	`91`	`}`
`95`	`92`
`96`	`93`	`bindingset[context]`
`97`	`94`	`private predicate isExternalUserControlledDiscussion(string context) {`
`98`	`95`	`exists(string reg \|`
`99`		`- reg = ["\\bgithub\\.event\\.discussion\\.title\\b", "\\bgithub\\.event\\.discussion\\.body\\b"]`
	`96`	`+ reg = ["github\\.event\\.discussion\\.title", "github\\.event\\.discussion\\.body"]`
`100`	`97`	`\|`
`101`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`98`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`102`	`99`	`)`
`103`	`100`	`}`
`104`	`101`
`@@ -107,18 +104,17 @@ private predicate isExternalUserControlledWorkflowRun(string context) {`
`107`	`104`	`exists(string reg \|`
`108`	`105`	`reg =`
`109`	`106`	`[`
`110`		`- "\\bgithub\\.event\\.workflow\\.path\\b",`
`111`		`- "\\bgithub\\.event\\.workflow_run\\.head_branch\\b",`
`112`		`- "\\bgithub\\.event\\.workflow_run\\.display_title\\b",`
`113`		`- "\\bgithub\\.event\\.workflow_run\\.head_repository\\.description\\b",`
`114`		`- "\\bgithub\\.event\\.workflow_run\\.head_commit\\.message\\b",`
`115`		`- "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.email\\b",`
`116`		`- "\\bgithub\\.event\\.workflow_run\\.head_commit\\.author\\.name\\b",`
`117`		`- "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.email\\b",`
`118`		`- "\\bgithub\\.event\\.workflow_run\\.head_commit\\.committer\\.name\\b",`
	`107`	`+ "github\\.event\\.workflow\\.path", "github\\.event\\.workflow_run\\.head_branch",`
	`108`	`+ "github\\.event\\.workflow_run\\.display_title",`
	`109`	`+ "github\\.event\\.workflow_run\\.head_repository\\.description",`
	`110`	`+ "github\\.event\\.workflow_run\\.head_commit\\.message",`
	`111`	`+ "github\\.event\\.workflow_run\\.head_commit\\.author\\.email",`
	`112`	`+ "github\\.event\\.workflow_run\\.head_commit\\.author\\.name",`
	`113`	`+ "github\\.event\\.workflow_run\\.head_commit\\.committer\\.email",`
	`114`	`+ "github\\.event\\.workflow_run\\.head_commit\\.committer\\.name",`
`119`	`115`	`]`
`120`	`116`	`\|`
`121`		`- Utils::normalizeExpr(context).regexpMatch(reg)`
	`117`	`+ Utils::normalizeExpr(context).regexpMatch(Utils::wrapRegexp(reg))`
`122`	`118`	`)`
`123`	`119`	`}`
`124`	`120`