minor updates

Author: Alvaro Muñoz

ql/lib/codeql/actions/security/PoisonableSteps.qll

@@ -5,7 +5,7 @@ abstract class PoisonableStep extends Step { }
 // source: https://github.com/boostsecurityio/poutine/blob/main/opa/rego/rules/untrusted_checkout_exec.rego#L16
 private string dangerousActions() {
   result =
-    ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby"]
+    ["pre-commit/action", "oxsecurity/megalinter", "bridgecrewio/checkov-action", "ruby/setup-ruby", "actions/jekyll-build-pages"]
 }
 
 class DangerousActionUsesStep extends PoisonableStep, UsesStep {

ql/lib/codeql/actions/security/UntrustedCheckoutQuery.qll

@@ -108,8 +108,8 @@ class ActionsMutableRefCheckout extends MutableRefCheckoutStep instanceof UsesSt
       exists(StepsExpression e |
         this.getArgumentExpr("ref") = e and
         (
-          e.getStepId().matches(["%ref%", "%branch%"]) or
-          e.getFieldName().matches(["%ref%", "%branch%"])
+          e.getStepId().matches(["%head%", "%pull_request%", "%_pr_%"]) or
+          e.getFieldName().matches(["%head%", "%pull_request%", "%_pr_%"])
         )
       )
     )

ql/test/query-tests/Security/CWE-349/.github/workflows/test17.yml

@@ -0,0 +1,27 @@
+name: Test
+
+on:
+  # Runs on pull requests targeting the default branch
+  pull_request_target:
+    branches: ["main"]
+
+jobs:
+  build:
+    # Limit permissions of the GITHUB_TOKEN for untrusted code
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+      - name: Build with Jekyll
+        uses: actions/jekyll-build-pages@v1
+        with:
+          source: ./
+          destination: ./_site
+