Commit 4d28d6a

Author: Alvaro Muñoz (committed)
Improve toctou queries
1 parent e86fa97 commit 4d28d6a

File tree: 3 files changed (+2, -3 lines changed)


ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ import codeql.actions.security.PoisonableSteps
1818
from ControlCheck check, MutableRefCheckoutStep checkout
1919
where
2020
// the job can be triggered by an external user
21-
check.getEnclosingJob().isExternallyTriggerable() and
21+
inPrivilegedExternallyTriggerableJob(check) and
2222
// the mutable checkout step is protected by an access check
2323
check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
2424
// the checked-out code may lead to arbitrary code execution
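Review bot: the comment on line 20, "the job can be triggered by an external user", no longer describes the condition beneath it once line 21 becomes `inPrivilegedExternallyTriggerableJob(check) and`; the predicate name indicates that the job must also run with privileges, so the comment should say so, e.g. "the check runs in a privileged job that an external user can trigger". This hunk also does not show where `inPrivilegedExternallyTriggerableJob` is defined or imported; if it does not come from one of the modules already imported at the top of the query (only `codeql.actions.security.PoisonableSteps` is visible in the hunk header), the missing import will stop the query from compiling. Since the new call takes `check` directly instead of `check.getEnclosingJob()`, confirm its parameter type accepts a `ControlCheck`.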

ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ import codeql.actions.security.PoisonableSteps
1818
from ControlCheck check, MutableRefCheckoutStep checkout
1919
where
2020
// the job can be triggered by an external user
21-
check.getEnclosingJob().isExternallyTriggerable() and
21+
inPrivilegedExternallyTriggerableJob(check) and
2222
// the mutable checkout step is protected by an access check
2323
check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
2424
// there are no evidences that the checked-out code can lead to arbitrary code execution
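Review bot: this is the same one-line replacement as in UntrustedCheckoutTOCTOUCritical.ql, so the same points apply: the line-20 comment should be updated to mention the privileged-job requirement, and the import or definition of `inPrivilegedExternallyTriggerableJob` is not visible in the hunk and should be verified. The `where` clauses of the Critical and High variants are now identical up to the final condition, which suggests factoring the shared conditions into a library predicate so that the next change is made once rather than in two files. Minor: the context comment on line 24 should read "there is no evidence", not "there are no evidences".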

ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -233,7 +233,6 @@ nodes
233233
| .github/workflows/test3.yml:60:27:60:66 | needs.parse-issue.outputs.payload | semmle.label | needs.parse-issue.outputs.payload |
234234
| .github/workflows/test4.yml:15:21:15:55 | toJSON(github.event.comment) | semmle.label | toJSON(github.event.comment) |
235235
| .github/workflows/test4.yml:19:21:19:53 | toJSON(github.event.issue) | semmle.label | toJSON(github.event.issue) |
236-
| .github/workflows/test4.yml:23:21:23:41 | toJSON(github) | semmle.label | toJSON(github) |
237236
| .github/workflows/test4.yml:27:21:27:47 | toJSON(github.event) | semmle.label | toJSON(github.event) |
238237
| .github/workflows/test.yml:8:7:10:4 | Job outputs node [job_output] | semmle.label | Job outputs node [job_output] |
239238
| .github/workflows/test.yml:8:20:8:50 | steps.step5.outputs.MSG5 | semmle.label | steps.step5.outputs.MSG5 |
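Review bot: this expected-output change drops the `toJSON(github)` node at test4.yml:23 from a CWE-094 CodeInjectionMedium test, while the commit message ("Improve toctou queries") and the other two files only touch the CWE-367 TOCTOU queries. The message should state why a code-injection result disappears (for example, a shared library predicate changed or a stale expectation was refreshed), or this file belongs in a separate commit. Only the `nodes` section is visible in the hunk; if the same source also appears in `edges` or `#select` rows of this .expected file, those lines would need the matching removal, so check the whole file rather than just this hunk.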
