
Commit 612be64

author
Alvaro Muñoz
committed
Consider actor and association checks as bypassable checks ONLY for issueOps
1 parent 558bea8 commit 612be64


2 files changed

+16
-4
lines changed


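--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
@@ -15,11 +15,17 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 
-from LabelControlCheck check, MutableRefCheckoutStep checkout
+from ControlCheck check, MutableRefCheckoutStep checkout
 where
 // the mutable checkout step is protected by an access check
 check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
 // the checked-out code may lead to arbitrary code execution
-checkout.getAFollowingStep() instanceof PoisonableStep
+checkout.getAFollowingStep() instanceof PoisonableStep and
+(
+check instanceof LabelControlCheck
+or
+(check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and
+check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment")
+)
 select checkout, "The checked-out code can be changed after the authorization check o step $@.",
 check, check.toString()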
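Review bot: The trigger filter `getName().matches("%_comment")` on new line 28 is wider than the commit title's "ONLY for issueOps" suggests: besides `issue_comment` it also matches `pull_request_review_comment`, `commit_comment` and `discussion_comment`, so actor and association checks are treated as bypassable on those events too. If only issue-comment workflows are meant, match the event by name, `check.getEnclosingJob().getATriggerEvent().getName() = "issue_comment"`; if the broader set is intentional, a comment above the disjunction stating that comment-triggered events checkout a ref the commenter does not control, which is why actor/association checks do not protect the checkout there, would document the reasoning. The `or` branch on new lines 27-28 relies on `and` binding tighter than `or`; wrapping the actor/association conjunct in its own parentheses would make the intended grouping explicit. The same change and the same points apply to the hunk in UntrustedCheckoutTOCTOUHigh.ql.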

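--- a/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+++ b/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
@@ -15,11 +15,17 @@ import actions
 import codeql.actions.security.UntrustedCheckoutQuery
 import codeql.actions.security.PoisonableSteps
 
-from LabelControlCheck check, MutableRefCheckoutStep checkout
+from ControlCheck check, MutableRefCheckoutStep checkout
 where
 // the mutable checkout step is protected by an access check
 check = [checkout.getIf(), checkout.getEnclosingJob().getIf()] and
 // there are no evidences that the checked-out code can lead to arbitrary code execution
-not checkout.getAFollowingStep() instanceof PoisonableStep
+not checkout.getAFollowingStep() instanceof PoisonableStep and
+(
+check instanceof LabelControlCheck
+or
+(check instanceof AssociationControlCheck or check instanceof ActorControlCheck) and
+check.getEnclosingJob().getATriggerEvent().getName().matches("%_comment")
+)
 select checkout, "The checked-out code can be changed after the authorization check o step $@.",
 check, check.toString()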
