
Commit 2359e2d

author
Alvaro Muñoz
committed
Clean query
1 parent bb028e4 commit 2359e2d


2 files changed

+16
-17
lines changed


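--- a/ql/src/Security/CWE-349/CachePoisoning.ql
+++ b/ql/src/Security/CWE-349/CachePoisoning.ql
@@ -15,22 +15,21 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.CachePoisoningQuery
 
-from Workflow w, PRHeadCheckoutStep checkout, LocalJob j
+from LocalJob j
 where
+// The workflow runs in the context of the default branch
 // TODO: (require to collect trigger types)
 // - add push to default branch?
 // - exclude pull_request_target when branches_ignore includes default branch or when branches does not include the default branch
-w.hasTriggerEvent([
-"check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork", "gollum",
-"issue_comment", "issues", "label", "milestone", "project", "project_card", "project_column",
-"public", "pull_request_comment", "pull_request_target", "repository_dispatch", "schedule",
-"watch", "workflow_run"
-]) and
-// Workflow is privileged
-w.isPrivileged() and
-// The workflow checkouts untrusted code from a pull request
-j = w.getAJob() and
-j.getAStep() = checkout and
-// The checkout step is followed by a cache writing step
+j.getEnclosingWorkflow()
+.hasTriggerEvent([
+"check_run", "check_suite", "delete", "discussion", "discussion_comment", "fork",
+"gollum", "issue_comment", "issues", "label", "milestone", "project", "project_card",
+"project_column", "public", "pull_request_comment", "pull_request_target",
+"repository_dispatch", "schedule", "watch", "workflow_run"
+]) and
+// The job checkouts untrusted code from a pull request
+j.getAStep() instanceof PRHeadCheckoutStep and
+// The job writes to the cache
 j.getAStep() instanceof CacheWritingStep
-select checkout, "Potential cache poisoning on privileged workflow."
+select j.getAStep().(CacheWritingStep), "Potential cache poisoning on privileged workflow."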
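Review bot: The alert message on the final `select` line still says "privileged workflow", but the `w.isPrivileged()` conjunct the old query had is gone from the new `where` clause, so the query now reports any job in a workflow with one of the listed triggers that checks out a PR head and writes to the cache, whether or not the workflow holds elevated permissions. If dropping the privilege requirement is intentional (a poisoned cache entry only needs to land in the default-branch cache scope; the writing workflow itself need not be privileged), the message should say so, e.g. `select j.getAStep().(CacheWritingStep), "Potential cache poisoning in a workflow running in the default branch context."`; otherwise `j.getEnclosingWorkflow().isPrivileged() and` should be restored before the checkout conjunct. Separately, the two `instanceof` conjuncts on `j.getAStep()` impose no ordering between the checkout and the cache write, so a `CacheWritingStep` that runs before the `PRHeadCheckoutStep` in the same job is also reported; if that is accepted, a comment such as `// Note: no step ordering is enforced; a cache write preceding the checkout is still reported` above the last conjunct would make the trade-off explicit.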
Lines changed: 3 additions & 3 deletions
@@ -1,3 +1,3 @@
1-
| .github/workflows/test1.yml:12:9:17:6 | Uses Step | Potential cache poisoning on privileged workflow. |
2-
| .github/workflows/test2.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
3-
| .github/workflows/test3.yml:9:9:12:6 | Uses Step | Potential cache poisoning on privileged workflow. |
1+
| .github/workflows/test1.yml:17:9:21:6 | Uses Step | Potential cache poisoning on privileged workflow. |
2+
| .github/workflows/test2.yml:12:9:16:6 | Uses Step | Potential cache poisoning on privileged workflow. |
3+
| .github/workflows/test3.yml:12:9:20:6 | Uses Step | Potential cache poisoning on privileged workflow. |
